Hello.
We are using OpenLDAP for user authentication. Now we want to reuse the data for internal address books. My problem is that not all records should be shown in the address books.
Just as an example, I might want to hide all records that have (active=FALSE). Adding the search constraint to every e-mail client is not suitable, as the constraints will probably change over time.
I imagine having a virtual DN for address books, containing dynamic data filtered according to my configuration. From reading the documentation, it seems that an overlay would be the thing to use for this, but I have been unable to find a suitable overlay. Does one exist? Or should I approach this differently?
Thanks, Anders.
Anders wrote:
We are using OpenLDAP for user authentication. Now we want to reuse the data for internal address books. My problem is that not all records should be shown in the address books.
Just as an example, I might want to hide all records that have (active=FALSE).
First I'd try to consider using ACLs for this. => your user authentication applications should have somewhat "higher" rights than your e-mail clients.
Ciao, Michael.
Anders wrote:
We are using OpenLDAP for user authentication. Now we want to reuse the data for internal address books. My problem is that not all records should be shown in the address books.
Just as an example, I might want to hide all records that have (active=FALSE). Adding the search constraint to every e-mail client is not suitable, as the constraints will probably change over time.
I imagine having a virtual DN for address books, containing dynamic data filtered according to my configuration. From reading the documentation, it seems that an overlay would be the thing to use for this, but I have been unable to find a suitable overlay. Does one exist? Or should I approach this differently?
An interesting approach would be to allow filters on proxy backends. I recall proposing something like that in the past, without a serious need pushing me to implement it. You could look at allowing a filter for back-ldap, and AND it to all search requests.
p.
Ing. Pierangelo Masarati OpenLDAP Core Team
SysNet s.r.l. via Dossi, 8 - 27100 Pavia - ITALIA http://www.sys-net.it --------------------------------------- Office: +39 02 23998309 Mobile: +39 333 4963172 Email: pierangelo.masarati@sys-net.it ---------------------------------------
Michael Ströder wrote:
Anders wrote:
We are using OpenLDAP for user authentication. Now we want to reuse the data for internal address books. My problem is that not all records should be shown in the address books.
Just as an example, I might want to hide all records that have (active=FALSE).
First I'd try to consider using ACLs for this. => your user authentication applications should have somewhat "higher" rights than your e-mail clients.
Using back-relay should work; the relay backend can use a different set of ACLs from the main backend.
openldap-software@openldap.org
-
Anders -
Howard Chu -
Michael Ströder -
Pierangelo Masarati