Thanks for the tip! Yes, that sounds like it would work, and I don't think I will suffer from issues of scale...
Sure would be nice to do this with an LDAP group though... Or an attribute...

While I admire your creativity, I have to think there is a more LDAP-centric solution to this...

On Fri, 2006-10-06 at 17:44, Dseven wrote:
> Michael Hassey wrote on 10/ 6/06 01:38 PM:
> > Hello
> >
> > I have SGD running great, using ldap fine...
> >
> > What I am looking for is a way to allow access to SGD based on an LDAP
> > group... or other way to mark a user as an SGD user for auth in LDAP.
> >
> > When I use; (under array manager > Secure Global Desktop Login > LDAP Server)
> > ldap://jds.mydomain.com:389/ou=People,o=mydomain.com,dc=mydomain,dc=com
> > Things work great..
> >
> > When I try;
> > ldap://jds.mydomain.com:389/cn=sgdusers,ou=groups,o=mydomain.com,dc=mydomain,dc=com
> >
> > I get no satisfaction...
> >
> > sgdusers is a static group with a couple of test users.
> >
> > Any ideas?
> >
> > How does the community restrict SGD access via LDAP?
>
> The way I currently do it is not ideal, but may work for you, depending
> on scale...
>
> * Configure (in arraymanager) "Search LDAP and use the closest ENS
>   match"
>
> * Create ENS users that map to LDAP users, for example:
>
>   .../_ens/dc=com/dc=mydomain/o=mydomain.com/ou=People/uid=mhassey
>
> * Create the special ENS user object:
>
>   .../_ens/dc=com/dc=mydomain/o=mydomain.com/cn=LDAP Profile
>
> * Uncheck the box "May log in to Secure Global Desktop" for the "LDAP
>   Profile" user object (or if you're creating via the command line,
>   use "--enabled false")
>
> So, people who have LDAP entries but not ENS entries will get mapped to
> "cn=LDAP Profile", which isn't allowed to login.
>
> There's probably a "proper" way to do it in LDAP (DSI, maybe?), but I
> haven't looked for it...
>
> ~D..
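
A small model of the fallback described in the quoted reply, added here as an example; it is not part of the original thread and is not SGD code. It maps an LDAP DN to its ENS path and falls back to the nearest "cn=LDAP Profile" object, which is useful for auditing who would be allowed in. The lookup order, the deny result when nothing matches, and the helper names `split_dn` and `resolve` are assumptions.

```python
# Added model of the ENS fallback from the thread; not SGD's own code.
# Assumption: "closest ENS match" = an ENS object at the same path as the
# LDAP entry, otherwise the nearest "cn=LDAP Profile" in a parent container.

ENS_ROOT = ".../_ens"  # elided prefix kept exactly as written in the thread

# Constructed ENS objects: path -> "May log in to Secure Global Desktop"
ENS_OBJECTS = {
    ENS_ROOT + "/dc=com/dc=mydomain/o=mydomain.com/ou=People/uid=mhassey": True,
    ENS_ROOT + "/dc=com/dc=mydomain/o=mydomain.com/cn=LDAP Profile": False,
}

def split_dn(dn):
    """Split a DN into RDNs, treating a backslash-escaped comma as data."""
    rdns, current, escaped = [], [], False
    for ch in dn:
        if escaped:
            current.append(ch)
            escaped = False
        elif ch == "\\":
            escaped = True
        elif ch == ",":
            rdns.append("".join(current).strip())
            current = []
        else:
            current.append(ch)
    rdns.append("".join(current).strip())
    return rdns

def resolve(dn, ens=ENS_OBJECTS):
    """Return (matched ENS path, may_log_in) for an LDAP DN."""
    parts = list(reversed(split_dn(dn)))  # ENS paths run root-first
    exact = "/".join([ENS_ROOT] + parts)
    if exact in ens:
        return exact, ens[exact]
    # Walk up from the user's container looking for an LDAP Profile object.
    for depth in range(len(parts) - 1, -1, -1):
        profile = "/".join([ENS_ROOT] + parts[:depth] + ["cn=LDAP Profile"])
        if profile in ens:
            return profile, ens[profile]
    return None, False  # assumption: no match at all means no login

if __name__ == "__main__":
    for uid in ("mhassey", "guest"):  # constructed sample users
        dn = "uid=%s,ou=People,o=mydomain.com,dc=mydomain,dc=com" % uid
        print(dn, "->", resolve(dn))
```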
