
Re: local/global userPassword



At 04:45 PM 9/1/00 +0200, Arvid Requate wrote:
>I have a few seemingly related questions:
>- how can I have identical userPasswords on different DN's

The simple answer is to add them separately.  Don't expect your
(off the shelf) LDAP server to do it for you.

>- how do I transparently realize a kind of subset structure for
>  userprofiles?

Sounds like relations


>Background Information:
>
>I'm deploying openLDAP in an environment where one user can have
>several homedirectories on different machines.
>
>We want to have a global user profile with a mail address as DN:
>mail=<user@domain>,ou=people,o=<org>
>which stores inetOrgPerson information and holds a default userPassword.
>
>We also need local profiles for every account with the DN
>uid=<user>,ou=<domain>,o=<org>
>which stores uid etc.
>
>What we also want to do is:
>use pam_ldap which searches for uid=<user> under DN: ou=<domain>,o=<org>
>
>Now, pam will not find a userPassword there. Problem.

See below for solution...

>Is it possible to get the server to chase a kind of symbolic link to
>the userPassword attribute of the global profile here?

No.  That's basically an attribute-level relational database concept.
You won't likely find such in an LDAP server.

>(optimal would be if it does this only if there's no local userPassword)
>I can't figure out how to implement this using referrals or aliases
>(btw. are aliases automatically chased down by openLDAP?

Aliases and referrals are entry level mechanisms, not attribute level.

>what are they
> good for?), what I would like to have is a symbolic link which the
> server automatically replaces by the attribute/value pair pointed to.

They are good for making references at the entry level.

>Or a kind of subset mechanism, where the local entry inherits the attributes
>of another.

Some LDAP servers, not OpenLDAP, support what are called
collective attributes...  but I never heard of a server
using a collective attribute for authentication purposes.

>The only way I can imagine this would be to modify pam_ldap to chase
>down "seeAlso" attributes.

Now you're on the right track...
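As an added example that is not part of the original exchange, the snippet below sketches the client-side logic a patched pam_ldap would need: look up uid=<user> under ou=<domain>,o=<org>, use a local userPassword if one is present, and only otherwise chase the entry's seeAlso (a standard DN-syntax attribute) to the global mail=<user@domain>,ou=people,o=<org> profile. The directory is a constructed in-memory dictionary standing in for LDAP searches, the DNs and hostnames are made up, and passwords are stored as {SSHA} values so the verification step is realistic. A loop guard is included because nothing stops two local entries from pointing seeAlso at each other.

```python
"""Added example (not from the original thread): resolve a userPassword by
chasing seeAlso from a local account entry to a global profile.  The
directory below is a constructed stand-in for the two DN layouts described
in the mail; a real pam_ldap patch would issue LDAP searches instead."""
import base64
import hashlib
import hmac
from typing import Optional, Tuple


def make_ssha(password: bytes, salt: bytes) -> str:
    """Build an OpenLDAP-style {SSHA} value: base64(sha1(pw + salt) + salt)."""
    digest = hashlib.sha1(password + salt).digest()
    return "{SSHA}" + base64.b64encode(digest + salt).decode("ascii")


# Constructed sample directory (DN -> attributes), hypothetical names.
DIRECTORY = {
    # Global profile keyed by mail address, holds the default password.
    "mail=alice@example.org,ou=people,o=example": {
        "objectClass": ["inetOrgPerson"],
        "mail": ["alice@example.org"],
        "userPassword": [make_ssha(b"global-secret", b"\x01\x02\x03\x04")],
    },
    # Local account without its own password: must fall back via seeAlso.
    "uid=alice,ou=host1.example.org,o=example": {
        "objectClass": ["posixAccount"],
        "uid": ["alice"],
        "seeAlso": ["mail=alice@example.org,ou=people,o=example"],
    },
    # Local account with its own password: local wins, seeAlso not chased.
    "uid=alice,ou=host2.example.org,o=example": {
        "objectClass": ["posixAccount"],
        "uid": ["alice"],
        "userPassword": [make_ssha(b"host2-secret", b"\x05\x06\x07\x08")],
        "seeAlso": ["mail=alice@example.org,ou=people,o=example"],
    },
    # Two entries referring to each other and neither holding a password:
    # the chase must terminate instead of looping.
    "uid=bob,ou=host1.example.org,o=example": {
        "uid": ["bob"],
        "seeAlso": ["uid=bob,ou=host2.example.org,o=example"],
    },
    "uid=bob,ou=host2.example.org,o=example": {
        "uid": ["bob"],
        "seeAlso": ["uid=bob,ou=host1.example.org,o=example"],
    },
}


def check_password(stored: str, candidate: bytes) -> bool:
    """Verify a candidate against a {SSHA} or plaintext userPassword value.
    Any other scheme prefix is rejected rather than guessed at."""
    if stored.startswith("{SSHA}"):
        raw = base64.b64decode(stored[len("{SSHA}"):])
        digest, salt = raw[:20], raw[20:]
        return hmac.compare_digest(hashlib.sha1(candidate + salt).digest(), digest)
    if stored.startswith("{"):
        return False
    return hmac.compare_digest(stored.encode("utf-8"), candidate)


def find_password(dn: str, max_hops: int = 3) -> Optional[Tuple[str, str]]:
    """Return (dn, userPassword) of the entry that supplies the password,
    preferring a local value and chasing seeAlso only when none exists."""
    seen = set()
    while dn not in seen and len(seen) < max_hops:
        seen.add(dn)
        entry = DIRECTORY.get(dn)
        if entry is None:
            return None
        if entry.get("userPassword"):
            return dn, entry["userPassword"][0]
        refs = entry.get("seeAlso")
        if not refs:
            return None
        dn = refs[0]  # chase only the first reference
    return None  # loop detected or hop limit reached


def authenticate(uid: str, domain: str, org: str, password: bytes) -> bool:
    """What a patched pam_ldap would do: search uid=<user> under
    ou=<domain>,o=<org>, then resolve the password via seeAlso if needed."""
    found = find_password(f"uid={uid},ou={domain},o={org}")
    if found is None:
        return False
    _, stored = found
    return check_password(stored, password)


if __name__ == "__main__":
    print(authenticate("alice", "host1.example.org", "example", b"global-secret"))
    print(authenticate("alice", "host2.example.org", "example", b"global-secret"))
```

Because the chase happens in the client, the global entry's userPassword must be readable to whatever identity pam_ldap binds as, which is a wider exposure than letting the server perform a bind against the local entry; limiting that read to a dedicated bind DN and keeping the hop limit small are the obvious mitigations.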