Hi,
I'm not sure if this is exactly the right list, but I'm stuck trying to implement something at work and I'm hoping someone can help me.
Background:
We have an existing openldap setup that uses roles rather than groups to determine who gets what. We have people under ou=People, and roles under ou=Roles.
Here's parts of my person object:
dn: uid=apenney,ou=People,dc=law,dc=harvard,dc=edu
objectClass: hostObject
objectClass: inetOrgPerson
objectClass: lawHarvardEduPerson
objectClass: organizationalPerson
objectClass: person
objectClass: posixAccount
objectClass: qmailUser
objectClass: shadowAccount
objectClass: top
cn: Ashley Penney
isMemberOf: cn=SFTP User:member,ou=Roles,dc=law,dc=harvard,dc=edu
isMemberOf: cn=SFTPUser,ou=Roles,dc=law,dc=harvard,dc=edu
Here's cn=SFTPUser,ou=Roles:
dn: cn=SFTPUser,ou=Roles,dc=law,dc=harvard,dc=edu
objectClass: lawHarvardEduRole
objectClass: organizationalUnit
objectClass: posixGroup
objectClass: top
cn: SFTPUser
gidNumber: 24
ou: Roles
ou: Xythos
description: Indicates that a user has SFTP access.
displayName: SFTP User (SFTP User)
What I want to be able to do, via nss_ldap, is to iterate over the isMemberOf entries, and check the cn=x,ou=Roles for a posixGroup. I've managed to get it building a search of the form:
SRCH base="ou=Roles,dc=law,dc=harvard,dc=edu" scope=2 deref=3 filter="(|distinguishedName=cn=sftpuser:member,ou=roles,dc=law,dc=harvard,dc=edu)(distinguishedName=cn=sftpuser,ou=roles,dc=law,dc=harvard,dc=edu))"
It then does a SRCHattr=objectClass lookup, but this fails. My understanding is this requires some support in openldap itself, and I can't figure out if this is provided or not.
So, my alternative method is to build a dynamic list up, from my understanding, and have it build me a dynamic sftp-users group. I cannot figure out what values I would map however, and I'd appreciate any assistance anyone can offer.
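The lookup described in this post (walk a user's isMemberOf values, resolve each role DN under ou=Roles, keep the ones that are posixGroup entries) can be prototyped offline before touching nss_ldap. The following is an added example, not the poster's code or any nss_ldap/OpenLDAP code. It runs against a constructed in-memory copy of the two entries quoted above, builds the OR filter that such a search needs (each role DN in its own parenthesised assertion, with RFC 4515 escaping so a DN value cannot change the filter's shape), and reports both the resolved POSIX groups and the role DNs that do not exist as entries. The attribute name `entryDN` is an assumption: it is OpenLDAP's operational attribute holding an entry's own DN, and must be requested explicitly when it is used in a real search.

```python
"""Resolve a user's isMemberOf role DNs to POSIX groups, offline, against
constructed sample entries shaped like the two entries in the post."""
from typing import Dict, List, Tuple

Entry = Dict[str, List[str]]

# Constructed sample directory: attribute values copied from the post,
# unrelated attributes trimmed. Not a live LDAP connection.
SAMPLE_ENTRIES: Dict[str, Entry] = {
    "uid=apenney,ou=People,dc=law,dc=harvard,dc=edu": {
        "objectClass": ["inetOrgPerson", "posixAccount", "top"],
        "isMemberOf": [
            "cn=SFTP User:member,ou=Roles,dc=law,dc=harvard,dc=edu",
            "cn=SFTPUser,ou=Roles,dc=law,dc=harvard,dc=edu",
        ],
    },
    "cn=SFTPUser,ou=Roles,dc=law,dc=harvard,dc=edu": {
        "objectClass": ["lawHarvardEduRole", "organizationalUnit",
                        "posixGroup", "top"],
        "cn": ["SFTPUser"],
        "gidNumber": ["24"],
    },
}

# RFC 4515 escapes for characters that are structural in a search filter.
_FILTER_ESCAPES = {"\\": r"\5c", "*": r"\2a", "(": r"\28", ")": r"\29", "\0": r"\00"}


def escape_filter_value(value: str) -> str:
    """Escape an assertion value so a DN taken from the directory cannot
    open or close filter groups of its own."""
    return "".join(_FILTER_ESCAPES.get(ch, ch) for ch in value)


def build_role_filter(member_of: List[str], dn_attr: str = "entryDN") -> str:
    """OR together one equality assertion per role DN.

    dn_attr defaults to entryDN, OpenLDAP's operational attribute carrying
    the entry's own DN (assumption: the deployment exposes it)."""
    clauses = "".join(f"({dn_attr}={escape_filter_value(dn)})" for dn in member_of)
    return f"(|{clauses})"


def normalize_dn(dn: str) -> str:
    """Comparison key for DNs: cn/ou/dc use caseIgnore matching, so fold
    case and drop whitespace around RDN separators. Simplified: does not
    handle escaped commas inside RDN values."""
    return ",".join(part.strip() for part in dn.split(",")).lower()


def posix_groups_for(user_dn: str, entries: Dict[str, Entry]
                     ) -> Tuple[List[Tuple[str, int]], List[str]]:
    """Return ([(role_dn, gidNumber), ...], [unresolved_role_dn, ...]).

    A role counts as a POSIX group only if the entry exists, carries the
    posixGroup objectClass and has a gidNumber; anything else is reported
    rather than silently dropped, so a dangling isMemberOf value is visible."""
    index = {normalize_dn(dn): (dn, attrs) for dn, attrs in entries.items()}
    user = index[normalize_dn(user_dn)][1]
    groups: List[Tuple[str, int]] = []
    unresolved: List[str] = []
    for role_dn in user.get("isMemberOf", []):
        hit = index.get(normalize_dn(role_dn))
        if hit is None:
            unresolved.append(role_dn)
            continue
        real_dn, attrs = hit
        classes = {c.lower() for c in attrs.get("objectClass", [])}
        if "posixgroup" in classes and attrs.get("gidNumber"):
            groups.append((real_dn, int(attrs["gidNumber"][0])))
    return groups, unresolved


if __name__ == "__main__":
    user = "uid=apenney,ou=People,dc=law,dc=harvard,dc=edu"
    roles = SAMPLE_ENTRIES[user]["isMemberOf"]
    print("filter:", build_role_filter(roles))
    found, missing = posix_groups_for(user, SAMPLE_ENTRIES)
    print("posix groups:", found)
    print("unresolved roles:", missing)
```

With the posted data the second isMemberOf value resolves to gid 24, while the first (cn=SFTP User:member) is reported as unresolved because no such entry exists under ou=Roles; that is the kind of dangling reference worth surfacing before wiring the lookup into NSS, since a group mapping that silently skips values is hard to audit later.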