back-ldap ACL help needed!
I'm trying to configure an ldap proxy using back-ldap to allow access to a
subset of entries and attributes from our main ldap servers to serve as a
campus directory for email software.
For example, we want to allow only the entries that have the attribute value
employeeType=staff to be visible. I can do this by adding an ACL on the
proxy like this:
access to dn.subtree="ou=people,dc=example,dc=com"
filter=(!(employeeType=staff))
by * none
However, the ACL will only work if the value of the attribute employeeType
is received from the backend server.
For example, the following requests work OK:
ldapsearch "(|(mail=Joe*)(cn=Joe*))"
ldapsearch "(|(mail=Joe*)(cn=Joe*))" mail cn employeeType
but this request (which is what most clients will do) does not return any
results since the attribute employeeType is empty:
ldapsearch "(|(mail=Joe*)(cn=Joe*))" mail cn
Is there a way to force the proxy to request the list of attributes required
in the ACLs even if the client does not request them? Is that possible with
a rewriteRule?
Or is there a better way to do this?
Thanks for any help!
Luc.
--
Luc Germain, analyst
Service des technologies de l'information
Université de Sherbrooke, Sherbrooke (Québec) Canada
email: Luc.Germain@USherbrooke.ca
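The behaviour described in the post (the ACL working only when employeeType is returned by the backend) follows from how a filter-based ACL is evaluated against the entry the proxy actually has in hand. The model below is an added example, not code from the original post or from OpenLDAP: it parses the subset of RFC 4515 filters used above, evaluates them with LDAP's rule that an equality match on an absent attribute is false (so the negated filter becomes true), and replays the three searches against constructed sample entries. Entry DNs, attribute values and the BACKEND table are all constructed for illustration.

```python
"""Model of a deny-by-filter ACL evaluated on a proxied, possibly partial entry.

Added example, not from the original post or from OpenLDAP.  All entries and
values below are constructed for illustration.
"""
from fnmatch import fnmatchcase

# Constructed sample data: what the backend server holds (full entries).
BACKEND = {
    "uid=jdoe,ou=people,dc=example,dc=com": {
        "cn": ["Joe Doe"],
        "mail": ["joe.doe@example.com"],
        "employeeType": ["staff"],
    },
    "uid=jstudent,ou=people,dc=example,dc=com": {
        "cn": ["Joe Student"],
        "mail": ["joe.student@example.com"],
        "employeeType": ["student"],
    },
    "uid=asmith,ou=people,dc=example,dc=com": {
        "cn": ["Ann Smith"],
        "mail": ["ann.smith@example.com"],
        "employeeType": ["staff"],
    },
}

# The ACL filter and client filter from the post.
ACL_DENY_FILTER = "(!(employeeType=staff))"
CLIENT_FILTER = "(|(mail=Joe*)(cn=Joe*))"


def parse_filter(text):
    """Parse a subset of RFC 4515: (&...), (|...), (!...), (attr=value[*])."""
    s = text.strip()
    node, pos = _parse(s, 0)
    if pos != len(s):
        raise ValueError("trailing data after filter")
    return node


def _parse(s, i):
    if i >= len(s) or s[i] != "(":
        raise ValueError(f"expected '(' at offset {i}")
    i += 1
    op = s[i]
    if op in "&|!":
        i += 1
        children = []
        while i < len(s) and s[i] == "(":
            child, i = _parse(s, i)
            children.append(child)
        if i >= len(s) or s[i] != ")":
            raise ValueError(f"expected ')' at offset {i}")
        if op == "!" and len(children) != 1:
            raise ValueError("NOT takes exactly one operand")
        return (op, children), i + 1
    end = s.index(")", i)
    attr, sep, value = s[i:end].partition("=")
    if not attr or not sep:
        raise ValueError(f"bad item {s[i:end]!r}")
    return ("=", attr, value), end + 1


def _values(entry, attr):
    """Case-insensitive attribute lookup; absent attribute yields no values."""
    for k, v in entry.items():
        if k.lower() == attr.lower():
            return v
    return []


def match(node, entry):
    """Evaluate a parsed filter.  An equality test on an attribute the entry
    lacks is FALSE, so (!(employeeType=staff)) is TRUE for a partial entry."""
    op = node[0]
    if op == "=":
        _, attr, pattern = node
        pat = pattern.lower()  # caseIgnore-style matching; '*' is a wildcard
        return any(fnmatchcase(v.lower(), pat) for v in _values(entry, attr))
    if op == "&":
        return all(match(c, entry) for c in node[1])
    if op == "|":
        return any(match(c, entry) for c in node[1])
    return not match(node[1][0], entry)  # op == "!"


def proxy_search(backend, client_filter, requested_attrs, acl_deny_filter):
    """Return the DNs the client ends up seeing.

    1. The backend evaluates the client filter against its full entries.
    2. It returns only the requested attributes (None means all attributes).
    3. The proxy applies 'access to ... filter=<acl_deny_filter> by * none' to
       the returned entry, so an entry matching the deny filter disappears.
    """
    cf = parse_filter(client_filter)
    deny = parse_filter(acl_deny_filter)
    visible = []
    for dn, full in backend.items():
        if not match(cf, full):
            continue
        if requested_attrs is None:
            returned = full
        else:
            wanted = {a.lower() for a in requested_attrs}
            returned = {k: v for k, v in full.items() if k.lower() in wanted}
        if match(deny, returned):
            continue
        visible.append(dn)
    return visible


def demo():
    """Replay the three searches from the post."""
    return {
        "all_attrs": proxy_search(BACKEND, CLIENT_FILTER, None, ACL_DENY_FILTER),
        "mail_cn_employeeType": proxy_search(
            BACKEND, CLIENT_FILTER, ["mail", "cn", "employeeType"], ACL_DENY_FILTER),
        "mail_cn_only": proxy_search(BACKEND, CLIENT_FILTER, ["mail", "cn"], ACL_DENY_FILTER),
    }


if __name__ == "__main__":
    for name, dns in demo().items():
        print(f"{name}: {dns}")
```

Only the staff entry survives in the first two cases; in the third the proxy never sees employeeType, the negated filter is true for every returned entry, and the deny rule hides them all. The model also makes the general point visible: any ACL whose filter tests an attribute the client did not request is being evaluated on incomplete data, and whether that fails closed (entries vanish, as here) or open depends on how the filter is written.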