[Date Prev][Date Next] [Chronological] [Thread] [Top]

Re: Multiple Search Paths

To: openldap-software@OpenLDAP.org
Subject: Re: Multiple Search Paths
From: "Tibbetts, Ric" <ric.tibbetts@ngc.com>
Date: Thu, 02 Oct 2003 12:47:21 -0400
In-reply-to: <20031002163216.GA25817@petersen-arne.com>
References: <3F7C2203.8030506@ngc.com> <20031002163216.GA25817@petersen-arne.com>
User-agent: Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.2.1) Gecko/20030225

Cory Petkovsek wrote:

On Thu, Oct 02, 2003 at 09:02:59AM -0400, Tibbetts, Ric wrote:
All; This is probably a quick & simple one. I need to set up multiple search paths for user accounts. I have several departments in my DIT that could contain department only accounts, as well as a general user base. So for any given user (within a domain), I need to do two searches (for login authentication).
My main user base is in (for example):
	ou=People,dc=ldap-test,dc=com
With department specific accounts in:
ou=People,dc=eng,dc=mlb,dc=ldap-test,dc=com
I did something like:
ou=people,dc=petersen-arne,dc=com
ou=reps,ou=people,dc=petersen-arne,dc=com
ou=misc,ou=people,dc=petersen-arne,dc=com
Then in my libnss-ldap.conf I have:
base ou=People,dc=petersen-arne,dc=com
nss_base_passwd         ou=People,dc=petersen-arne,dc=com?sub
nss_base_shadow         ou=People,dc=petersen-arne,dc=com?sub
nss_base_group          ou=Group,dc=petersen-arne,dc=com?one
?sub being the operative key word.  I can authenticate against ou=people
and ou=*,ou=people.
Cory

I looked at using "sub" for the search scope, and it does work. But it opens a door I don't want. My tree looks like:

                       dc=ldap-test,dc=com
                                   |
                               dc=mlb
                                   |
           -----------------------------------------
          |                        |                            |
       dc=eng            dc=dev            dc=test

I keep the base users in ou=People,dc=ldap-test,dc=com And then project specific accounts in (for example) ou=People,dc=eng,dc=mlb,dc=ldap-test,dc=com

But I don't want "everyone" to have access to them. So if a box is in the dev area, they would not see the users for the eng area. This is trivial on Solaris. In the profile, just do something like:

SolarisDataSearchDN "passwd:(ou=People,dc=ldap-test,dc=com),(ou=People,dc=eng,dc=mlb,dc=ldap-test,dc=com)"

I thought Linux would have an equivelant to that. It's exactly what I need, but I can't find an equiv.

Anyone?

Thanks!

-Ric

References:
- Multiple Search Paths
  - From: "Tibbetts, Ric" <ric.tibbetts@ngc.com>
- Re: Multiple Search Paths
  - From: Cory Petkovsek <cory@adaptableit.com>

Prev by Date: openldap + corporate time
Next by Date: RE: Multiple Search Paths
Index(es):
- Chronological
- Thread