On Saturday 25 October 2008 Dieter Kluenter wrote:
> Wilhelm Meier <[EMAIL PROTECTED]> writes:
> > Hi,
> >
> > I think this is a relatively simple question but I did not use the
> > meta/ldap-backend before.
> >
> > We have an openldap-server for user authentication. The users
> > bind as
> >
> > uid=<user>,ou=Benutzer,dc=kmux,dc=de
> >
> > where <user> is the actual username.
> >
> > We have a different application where only users of a special
> > posixGroup "Archiv" should be valid. The application is not
> > capable of doing some sort of filtering.
> >
> > So, I thought it must be possible to do this filtering with the
> > meta or ldap-backend using the original ldap-db:
> >
> > the filter should look like:
> >
> > (&(cn=Archiv)(memberUid=<user>)(objectClass=posixGroup))
> >
> > where <user> is the username as above.
>
> You don't provide an example of the application's search string, so
> only as a general hint, the rewrite engine of back-ldap, back-meta
> or back-relay might meet your requirements; man slapo-rwm(5), man
> slapd-meta(5), slapd-relay(5) provide some information.
The structure of the DIT is that we have the users below ou=Benutzer,dc=kmux,dc=de with DNs as described above. They are of objectClass posixAccount, ...

Then we have the posixGroups below ou=Gruppen,dc=kmux,dc=de, e.g. cn=Archiv,ou=Gruppen,dc=kmux,dc=de. The posixGroup objectClass has the user objects as the multi-valued attribute memberUid. This is the normal case for PAM authentication.

My simple thought was to transparently "filter out" the user objects not belonging to the correct posixGroup: construct a DIT where all non-"Archiv" users are not visible, for the example above. The application users should then bind to the meta-ldap URI with a different base DN, e.g. ou=Archiv,dc=kmux,dc=de.

This leads to the general problem of making all the users of posixGroup xyz visible under ou=xyz,ou=Gruppen, ...

Thanks in advance for any hints!

-- 
Wilhelm
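As an added illustration of the back-ldap plus slapo-rwm setup the reply points to (this is an example written for this page, not configuration from the thread or from the OpenLDAP project), the slapd.conf fragment below presents the real user branch under the virtual base ou=Archiv,dc=kmux,dc=de that the question asks for. The URI of the real server is an assumption. It also marks the limit that matters for the question: a suffix massage rewrites DNs and filters between the virtual and the real naming context, but it never looks at cn=Archiv,ou=Gruppen,dc=kmux,dc=de, so a user who is not in that group's memberUid binds through this proxy just as well. A virtual base DN is a naming convenience, not an access control; the membership restriction has to be enforced separately.

```conf
# slapd.conf fragment for a back-ldap proxy with slapo-rwm.
# Added example, not from the thread. The real server's URI is assumed.
# If back_ldap and rwm are built as modules, load them first:
#   moduleload back_ldap.la
#   moduleload rwm.la

database        ldap
# The virtual naming context the application sees and binds under.
suffix          "ou=Archiv,dc=kmux,dc=de"
# The real OpenLDAP server holding ou=Benutzer and ou=Gruppen (assumed host).
uri             "ldap://ldap.kmux.de:389/"

overlay         rwm
rwm-rewriteEngine   on
# Massage the virtual suffix into the real one for bind DNs, search
# bases, filters and returned entries (slapo-rwm(5), rwm-suffixmassage).
rwm-suffixmassage   "ou=Archiv,dc=kmux,dc=de" "ou=Benutzer,dc=kmux,dc=de"

# Effect on the operations the application issues:
#   bind   uid=alice,ou=Archiv,dc=kmux,dc=de
#      ->  uid=alice,ou=Benutzer,dc=kmux,dc=de on the real server
#   search base ou=Archiv,dc=kmux,dc=de, scope sub
#      ->  base ou=Benutzer,dc=kmux,dc=de; result DNs massaged back
#
# What this does NOT do: the filter
#   (&(cn=Archiv)(memberUid=<user>)(objectClass=posixGroup))
# from the question is a lookup against a different entry (the group),
# and the rewrite engine does not join entries. Every uid under
# ou=Benutzer can still bind here, so the group restriction must be
# enforced elsewhere (for example by access control on the user entries
# on the real server), not by the choice of virtual suffix.
```

Two checks before relying on this: verify with ldapsearch against the proxy that entries come back with ou=Archiv DNs and that a bind as a user outside the group still succeeds (it will, which is the point of the caveat); and because the proxy forwards every user's password to the real server, put that hop on ldaps:// or StartTLS rather than the plain ldap:// URI assumed above.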
