[Date Prev][Date Next] [Chronological] [Thread] [Top]

How to config LDAP client to get data from multiple sub domains in LDAP server?



Hi All,

I encountered one issue when configuring the LDAP client. My question
is how to configure the LDAP client to make it get the users and
groups information from two sub domains.  The base domain of the LDAP
server is "dc=main,dc=com", and under the base domain, there are more
than one sub domains. Such as, sub domain 1
("dc=sub1,dc=main,dc=com"), sub domain 2 ("dc=sub2,dc=main,dc=com"),
sub domain 3 ("dc=sub3,dc=main,dc=com"), ....


Now I just wanna list the users and groups information from sub domain
sub1 and sub domain sub2 (by command "getent passwd"). The information
from sub domain sub3 must be excluded.


My test env is :  Rehl6.2_x86_64,   openldap-2.4.23


I have tried the following way:
Step1, configure the LDAP server.  I used the access control item
"olcAccess" in file
/etc/openldap/slapd.d/cn\=config/olcDatabase\=\{2\}bdb.ldif
 olcAccess: to dn.subtree="dc=sub1,dc=main,dc=com" by
dn="uid=user1,dc=sub1,dc=main,dc=com" read
 olcAccess: to dn.subtree="dc=sub2,dc=main,dc=com" by
dn="uid=user1,dc=sub1,dc=main,dc=com" read


See above, I added the access controls, they mean that only the user
"uid=user1,dc=sub1,dc=main,dc=com" can access the information of the
two sub domains (sub1 and sub2).  After added the configurations, I
restarted slapd service in server side.


Step2,  configure  the LDAP client, in /etc/nslcd and
/etc/pam_ldap.conf, I modified the items blow:


base dc=main,dc=com
binddn uid=user1,dc=sub1,dc=main,dc=com
bindpw ***


Then restart the service nslcd, but I can't get any users information
by command "getent passwd" in LDAP client side. ( I confirmed my
others configuration are correct, if I change the base to "base
dc=sub1,dc=main,dc=com", I can get all the information from sub1).  I
think the problem is from LDAP server side, the user
"uid=user1,dc=sub1,dc=main,dc=com" in sub domain "sub1" is only
allowed to access the sub doamins (sub1 and sub2) by access control.
But I can't change the "base" from "dc=main,dc=com" to
"dc=sub1,dc=main,dc=com" or "dc=sub2,dc=main,dc=com". That's because
only one sub domain can be the "base", so I only can get the
information from one of the sub domains, but this is not my purpose.
Then I try to set  the search scope to "scope sub", but still can't
work.


Any comments? I will be really appreciated for your feedback.