On Fri, 27 Jul 2012, Joel Eidsath wrote:
Hello, I'm trying to use our corporate openldap server for authentication to an application server (Github Enterprise) that does not support any "memberof" filters for allowed users.
As a workaround, I am looking into a translucent proxy server that would only return a subset of users. Github Enterprise would only "see" a few hundred users instead of thousands. Is this doable? Is there a better solution?
You could certainly work on an appropriate back-{ldap,relay,etc} configuration, but it's probably needless weight. Assuming the client supports a bindDN, I'd consider creating an ACL that only allows access to "a subset of users" that's desired and disallows !subset users. Oversimplified:
    access to * group.expand="cn=githubgroup" by "cn=githubbinddn" read
    access to * by "cn=githubbinddn" none
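Spelled out in current slapd.access(5) syntax, as an added example and not the replier's own configuration: one detail matters here. A `group=` specifier in a `by` clause tests whether the *bound identity* is a member of the group, not whether the *entry being returned* is, so restricting which user entries a bind DN can see is done with a `set=` specifier using `this` (the entry under evaluation). The suffix `dc=example,dc=com`, the `ou=people`/`ou=groups`/`ou=services` containers and the group attribute `member` (a `groupOfNames`) are assumptions; the bind DN and group name are taken from the reply.

```ldif
# Assumed layout: users under ou=people, the allowed group under ou=groups,
# and the Github Enterprise service account under ou=services.
# olcAccess rules are evaluated in order: the first "to" clause that matches
# the entry is used, then the first matching "by" clause decides.
dn: olcDatabase={1}mdb,cn=config
changetype: modify
replace: olcAccess
# {0}: passwords are never readable; anonymous "auth" is what lets any
#      account, the service account included, perform a simple bind.
olcAccess: {0}to attrs=userPassword
  by self write
  by anonymous auth
  by * none
# {1}: the service account may read a user entry only if that entry ("this")
#      appears among the group's member values; any other user entry is
#      invisible to it. Everyone else falls through ("break") to rule {2}.
olcAccess: {1}to dn.subtree="ou=people,dc=example,dc=com"
  by dn.exact="cn=githubbinddn,ou=services,dc=example,dc=com" set="this & [cn=githubgroup,ou=groups,dc=example,dc=com]/member" read
  by dn.exact="cn=githubbinddn,ou=services,dc=example,dc=com" none
  by * break
# {2}: default policy for all remaining entries and identities.
olcAccess: {2}to *
  by users read
  by * none
```

Because the second `by` line in rule {1} explicitly denies the service account, a search it performs returns exactly the group members and nothing else, which is the "only see a few hundred users" behaviour the question asks for. Before loading the change, the effect on a given entry can be checked offline with `slapacl`, e.g. `slapacl -F /etc/ldap/slapd.d -D "cn=githubbinddn,ou=services,dc=example,dc=com" -b "uid=someone,ou=people,dc=example,dc=com" entry/read`, once for a member and once for a non-member; the members' group DN is also what the bind DN's own `auth` access in rule {0} does not cover, so if the client later needs to read the group itself a separate rule must grant that.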