3:04 a.m.
Hello.
We are using OpenLDAP for user authentication. Now we want to reuse the
data for internal address books. My problem is that not all records should
be shown in the address books.
Just as an example, I might want to hide all records that have
(active=FALSE).
Adding the search constraint to every e-mail client is not suitable, as
the constraints will probably change over time.
I imagine having a virtual DN for address books, containing dynamic data
filtered according to my configuration. From reading the documentation, it
seems that an overlay would be the thing to use for this, but I have been
unable to find a suitable overlay. Does one exist? Or should I approach
this differently?
Thanks,
Anders.
2:18 a.m.
Anders wrote:
We are using OpenLDAP for user authentication. Now we want to reuse the
data for internal address books. My problem is that not all records should
be shown in the address books.
Just as an example, I might want to hide all records that have
(active=FALSE).
First I'd try to consider using ACLs for this.
=> your user authentication applications should have somewhat "higher"
rights than your e-mail clients.
Ciao, Michael.
2:31 a.m.
Anders wrote:
We are using OpenLDAP for user authentication. Now we want to reuse
the data for internal address books. My problem is that not all
records should be shown in the address books.
Just as an example, I might want to hide all records that have
(active=FALSE). Adding the search constraint to every e-mail client
is not suitable, as the constraints will probably change over time.
I imagine having a virtual DN for address books, containing dynamic
data filtered according to my configuration. From reading the
documentation, it seems that an overlay would be the thing to use for
this, but I have been unable to find a suitable overlay. Does one
exist? Or should I approach this differently?
An interesting approach would be to
allow filters on proxy backends. I
recall proposing something like that in the past, without a serious need
pushing me to implement it. You could look at allowing a filter for
back-ldap, and AND it to all search requests.
p.
Ing. Pierangelo Masarati
OpenLDAP Core Team
SysNet s.r.l.
via Dossi, 8 - 27100 Pavia - ITALIA
http://www.sys-net.it
---------------------------------------
Office: +39 02 23998309
Mobile: +39 333 4963172
Email: pierangelo.masarati(a)sys-net.it
---------------------------------------
2:42 a.m.
Michael Ströder wrote:
Anders wrote:
> We are using OpenLDAP for user authentication. Now we want to reuse the
> data for internal address books. My problem is that not all records should
> be shown in the address books.
>
> Just as an example, I might want to hide all records that have
> (active=FALSE).
First I'd try to consider using ACLs for this.
=> your user authentication applications should have somewhat "higher"
rights than your e-mail clients.
Using back-relay should work; the relay backend can use a different set of
ACLs from the main backend.
--
-- Howard Chu
CTO, Symas Corp. http://www.symas.com
Director, Highland Sun http://highlandsun.com/hyc/
Chief Architect, OpenLDAP http://www.openldap.org/project/
5104
days inactive
5105
days old
openldap-software@openldap.org
3 comments
4 participants
participants (4)
-
Anders -
Howard Chu -
Michael Ströder -
Pierangelo Masarati