[Date Prev][Date Next]
[Chronological]
[Thread]
[Top]
How to config LDAP client to get data from multiple sub domains in LDAP server?
- To: openldap-technical@openldap.org
- Subject: How to config LDAP client to get data from multiple sub domains in LDAP server?
- From: Qian Zhang <zhq527725@gmail.com>
- Date: Thu, 30 Aug 2012 12:04:20 +0800
- Dkim-signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20120113; h=mime-version:date:message-id:subject:from:to:content-type; bh=YZtzyBxUtDMNBPAlo2/YUjGFUsR5+5BZHdw6HMI7e10=; b=AXe6EbkkQU1cZ9vDWQDrw9H4fJjrbrVvyMhDnWAzZXDn9TVFBptp4iJjIjsgFpCfPk OR8YK82Dcv1CZ98dWRgmZ0g3iTHW2+Wcf6p+nR44RM/bJSOqmebuAszWuzZMFeTiE3Gm ZkhqaWe+aUw1jCDVlnuXc4nA8TG/33RQxQo7uFTw3Wvxvn1yhhdeyDY09Q8XYOiWdrXx fbcHotFw0CeaumMRGkgoboBYXq1IP7IO+CNlUZs8lALKjeGHDbyRoFgqQ4MPMT9ORE+u fTENgo2VJDrd+kHznvj9Qdgm/kgPgjy1Y+CkoGFNqtfN4MQXXBwbcbJNl6J4z7y8XiX7 Qktg==
Hi All,
I encountered one issue when configuring the LDAP client. My question
is how to configure the LDAP client to make it get the users and
groups information from two sub domains. The base domain of the LDAP
server is "dc=main,dc=com", and under the base domain, there are more
than one sub domains. Such as, sub domain 1
("dc=sub1,dc=main,dc=com"), sub domain 2 ("dc=sub2,dc=main,dc=com"),
sub domain 3 ("dc=sub3,dc=main,dc=com"), ....
Now I just wanna list the users and groups information from sub domain
sub1 and sub domain sub2 (by command "getent passwd"). The information
from sub domain sub3 must be excluded.
My test env is : Rehl6.2_x86_64, openldap-2.4.23
I have tried the following way:
Step1, configure the LDAP server. I used the access control item
"olcAccess" in file
/etc/openldap/slapd.d/cn\=config/olcDatabase\=\{2\}bdb.ldif
olcAccess: to dn.subtree="dc=sub1,dc=main,dc=com" by
dn="uid=user1,dc=sub1,dc=main,dc=com" read
olcAccess: to dn.subtree="dc=sub2,dc=main,dc=com" by
dn="uid=user1,dc=sub1,dc=main,dc=com" read
See above, I added the access controls, they mean that only the user
"uid=user1,dc=sub1,dc=main,dc=com" can access the information of the
two sub domains (sub1 and sub2). After added the configurations, I
restarted slapd service in server side.
Step2, configure the LDAP client, in /etc/nslcd and
/etc/pam_ldap.conf, I modified the items blow:
base dc=main,dc=com
binddn uid=user1,dc=sub1,dc=main,dc=com
bindpw ***
Then restart the service nslcd, but I can't get any users information
by command "getent passwd" in LDAP client side. ( I confirmed my
others configuration are correct, if I change the base to "base
dc=sub1,dc=main,dc=com", I can get all the information from sub1). I
think the problem is from LDAP server side, the user
"uid=user1,dc=sub1,dc=main,dc=com" in sub domain "sub1" is only
allowed to access the sub doamins (sub1 and sub2) by access control.
But I can't change the "base" from "dc=main,dc=com" to
"dc=sub1,dc=main,dc=com" or "dc=sub2,dc=main,dc=com". That's because
only one sub domain can be the "base", so I only can get the
information from one of the sub domains, but this is not my purpose.
Then I try to set the search scope to "scope sub", but still can't
work.
Any comments? I will be really appreciated for your feedback.