[Date Prev][Date Next]
[Chronological]
[Thread]
[Top]
Re: Question to meta-backend / ldap-backend
Wilhelm Meier <wilhelm.meier@fh-kl.de> writes:
> Am Samstag 25 Oktober 2008 schrieb Dieter Kluenter:
>> Wilhelm Meier <wilhelm.meier@fh-kl.de> writes:
>> > Hi,
>> >
>> > I think this is a relative simple question but I did not use the
>> > meta/ldap-backend before.
>> >
>> > We have an openldap-server for user authentification. The user
>> > bind as
>> >
>> > uid=<user>,ou=Benutzer,dc=kmux,dc=de
>> >
>> > where <user> is the actual username.
>> >
>> > We have a diffent application where only users of a special
>> > posixGroup "Archiv" should be valid. The application is not
>> > capable of doing some sort of filtering.
>> >
>> > So, I thought it must be passoble to do this filtering with the
>> > meta or ldap-backup using the original ldap-db:
>> >
>> > the filter should look like:
>> >
>> > (&(cn=Archiv)(memberUid=<user>)(objectClass=posixGroup))
>> >
>> > where <user> is the username as above.
>>
>> You don't provide an example of the applications searchstring, so
>> only as a general hint, the rewrite engine of back-ldap, back-meta
>> or back-relay might meet your requirements, man slapo-rwm(5), man
>> slapd-meta(5), slapd-relay(5) provide some information.
>
> The structure of the DIT is that we have the users below
> ou=Benutzer,dc=kmux,dc=de with dn as described above. They are of
> ObjectClass posixAccount, ...
>
> Then we have the PosixGroups below ou=Gruppen,dc=kmux,dc=de, e.g.
> cn=Archiv,ou=Gruppen,dc=kmux,dc=de. The posixGroup objectClass has
> the user-objects as the multi-value attribute memberUid. This is the
> normal case for pam-authentification.
>
> My simple thought was to transparently "filter out" the user-objects
> not belonging to the correct posixGroup: construct an DIT where all
> non-"Archiv" user are not visible, for the example above.
>
> The application users should then bind to the meta-ldap uri with a
> different base-dn, e.g. ou=Archiv,dc=kmux,dc=de.
>
> This leads to the generell problem to make all the users of posixGroup
> xyz visible under the ou=xyz,ou=Gruppen, ...
You may configure back-meta or back-relay, some rudimentary samples:
database meta
suffix cn=Archive,ou=Gruppen,dc=kmux,dc=de
uri ldap://<host>/cn=archive,ou=Gruppen,dc=kmux,dc=de
database relay
suffix cn=Archive
relay cn=archive,ou=Gruppen,dc=kmux,dc=de
overlay rwm
rwm-suffixmassage "cn=archive" "cn=archive,ou=Gruppen,dc=kmux,dc=de"
Depending on the authentication framework, you may have to define
rewrite rules for the authentication string.
-Dieter
--
Dieter KlÃnter | Systemberatung
http://www.dpunkt.de/buecher/2104.html
sip: +49.180.1555.7770535
GPG Key ID:8EF7B6C6
53Â08'09,95"N
10Â08'02,42"E