[Date Prev][Date Next] [Chronological] [Thread] [Top]

Re: Translucent Proxy to filter users

To: Joel Eidsath <jeidsath@gmail.com>
Subject: Re: Translucent Proxy to filter users
From: Aaron Richton <richton@nbcs.rutgers.edu>
Date: Mon, 30 Jul 2012 10:45:23 -0400 (EDT)
Cc: openldap-technical@openldap.org
In-reply-to: <CAPQ+Hdxfk4LhZ5VMhrVt6LQPbY8=T_d-4GnDJ4RTNmxX3ppMSw@mail.gmail.com>
References: <CAPQ+Hdxfk4LhZ5VMhrVt6LQPbY8=T_d-4GnDJ4RTNmxX3ppMSw@mail.gmail.com>
User-agent: Alpine 2.02 (SOC 1266 2009-07-14)

On Fri, 27 Jul 2012, Joel Eidsath wrote:

Hello, I'm trying to use our corporate openldap server forauthentication to an application server (Github Enterprise) that doesnot support any "memberof" filters for allowed users.
As a workaround, I am looking into a translucent proxy server that wouldonly return a subset of users. Github Enterprise would only "see" a fewhundred users instead of thousands. Is this doable? Is there a bettersolution?

You could certainly work on an appropriate back-{ldap,relay,etc}configuration, but it's probably needless weight. Assuming the clientsupports a bindDN, I'd consider creating an ACL that only allows access to"a subset of users" that's desired and disallows !subset users.Oversimplified:


access to * group.expand="cn=githubgroup" by "cn=githubbinddn" read
access to * by "cn=githubbinddn" none

Follow-Ups:
- Re: Translucent Proxy to filter users
  - From: Guillaume Rousse <guillomovitch@gmail.com>

References:
- Translucent Proxy to filter users
  - From: Joel Eidsath <jeidsath@gmail.com>

Prev by Date: Re: What will happen if there are two user with same uid in OpenLDAP server
Next by Date: Re: What will happen if there are two user with same uid in OpenLDAP server
Index(es):
- Chronological
- Thread