
Re: Translucent Proxy to filter users



On Fri, 27 Jul 2012, Joel Eidsath wrote:

Hello, I'm trying to use our corporate openldap server for authentication to an application server (Github Enterprise) that does not support any "memberof" filters for allowed users.

As a workaround, I am looking into a translucent proxy server that would only return a subset of users. Github Enterprise would only "see" a few hundred users instead of thousands. Is this doable? Is there a better solution?

You could certainly work on an appropriate back-{ldap,relay,etc} configuration, but it's probably needless weight. Assuming the client supports a bindDN, I'd consider creating an ACL that only allows access to "a subset of users" that's desired and disallows !subset users. Oversimplified:

access to * group.expand="cn=githubgroup" by "cn=githubbinddn" read
access to * by "cn=githubbinddn" none
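
One way to write the ACL idea above in full slapd.access(5) syntax, as an added example that is not part of the original message. It assumes the memberof overlay is enabled on the database so that user entries carry memberOf values; every DN below (dc=example,dc=com, ou=people, ou=groups, ou=services) is a placeholder.

```conf
# slapd.conf database section (constructed example, placeholder DNs).
# Place these rules before any broader "access to *" rule: slapd stops
# at the first <what> clause that matches the entry, then at the first
# matching <who> clause inside it.

# Rule 1: user entries that are members of the GitHub group.
# The service bind DN may search and read them; every other identity
# falls through ("break") to the rules that already exist further down,
# for example the userPassword auth rule.
access to dn.children="ou=people,dc=example,dc=com"
        filter="(memberOf=cn=githubgroup,ou=groups,dc=example,dc=com)"
    by dn.exact="cn=githubbinddn,ou=services,dc=example,dc=com" read
    by * break

# Rule 2: every remaining entry under ou=people (non-members).
# The service bind DN gets no access, so its searches return nothing
# for these users; other identities again fall through.
access to dn.children="ou=people,dc=example,dc=com"
    by dn.exact="cn=githubbinddn,ou=services,dc=example,dc=com" none
    by * break
```

The memberof overlay only records memberOf for group changes made after it is enabled, so memberships that predate it must be re-applied before rule 1 matches those users. Searching as the service bind DN with ldapsearch for one member and one non-member confirms that only the member is returned.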