Hi,

I'm not sure if this is exactly the right list, but I'm stuck trying to implement something at work and I'm hoping someone can help me.

Background:

We have an existing openldap setup that uses roles rather than groups to determine who gets what.  We have people under ou=People, and roles under ou=Roles.

Here are parts of my person object:

dn: uid=apenney,ou=People,dc=law,dc=harvard,dc=edu
objectClass: hostObject
objectClass: inetOrgPerson
objectClass: lawHarvardEduPerson
objectClass: organizationalPerson
objectClass: person
objectClass: posixAccount
objectClass: qmailUser
objectClass: shadowAccount
objectClass: top
cn: Ashley Penney
isMemberOf: cn=SFTP User:member,ou=Roles,dc=law,dc=harvard,dc=edu
isMemberOf: cn=SFTPUser,ou=Roles,dc=law,dc=harvard,dc=edu

Here's cn=SFTPUser,ou=Roles

dn: cn=SFTPUser,ou=Roles,dc=law,dc=harvard,dc=edu
objectClass: lawHarvardEduRole
objectClass: organizationalUnit
objectClass: posixGroup
objectClass: top
cn: SFTPUser
gidNumber: 24
ou: Roles
ou: Xythos
description: Indicates that a user has SFTP access.
displayName: SFTP User (SFTP User)

What I want to be able to do, via nss_ldap, is to iterate over the isMemberOf entries, and check the cn=x,ou=Roles entry for a posixGroup.  I've managed to get it building a search of the form:

SRCH base="ou=Roles,dc=law,dc=harvard,dc=edu" scope=2 deref=3 filter="(|(distinguishedName=cn=sftpuser:member,ou=roles,dc=law,dc=harvard,dc=edu)(distinguishedName=cn=sftpuser,ou=roles,dc=law,dc=harvard,dc=edu))"

It then does a SRCH attr=objectClass lookup, but this fails.  My understanding is this requires some support in openldap itself, and I can't figure out if this is provided or not.

So, my alternative method, from my understanding, is to build up a dynamic list and have it build me a dynamic sftp-users group.  I cannot figure out what values I would map, however, and I'd appreciate any assistance anyone can offer.
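The lookup described in the post (walk a user's isMemberOf values, look each DN up under ou=Roles, keep the ones that carry posixGroup) worked through as an added example. This is not code from the original post, from nss_ldap or from OpenLDAP: it runs offline over a constructed LDIF copy of the two entries above, and it assumes OpenLDAP's entryDN operational attribute as the attribute to put in the filter (the post's own search used distinguishedName, which is an Active Directory attribute). Two details a practitioner would want that the post does not show: the role DNs are checked to lie under the roles base before they are trusted, and the values placed in the filter are escaped per RFC 4515, because a DN such as cn=SFTP User:member,... is attacker-influenced data if users can edit their own attributes.

```python
"""Resolve a user's isMemberOf role DNs to POSIX gids (added example).

Offline demonstration over constructed LDIF; not nss_ldap or OpenLDAP
code.  The filter attribute "entryDN" is an assumption about OpenLDAP,
not something the original post verified.
"""
from __future__ import annotations

ROLES_BASE = "ou=Roles,dc=law,dc=harvard,dc=edu"
USER_DN = "uid=apenney,ou=People,dc=law,dc=harvard,dc=edu"

# Constructed sample directory: the two entries from the post, trimmed.
# Note that cn=SFTP User:member is referenced but has no entry, which is
# the "role without a posixGroup" case the resolver must tolerate.
SAMPLE_LDIF = """\
dn: uid=apenney,ou=People,dc=law,dc=harvard,dc=edu
objectClass: inetOrgPerson
objectClass: posixAccount
uid: apenney
cn: Ashley Penney
isMemberOf: cn=SFTP User:member,ou=Roles,dc=law,dc=harvard,dc=edu
isMemberOf: cn=SFTPUser,ou=Roles,dc=law,dc=harvard,dc=edu

dn: cn=SFTPUser,ou=Roles,dc=law,dc=harvard,dc=edu
objectClass: lawHarvardEduRole
objectClass: posixGroup
objectClass: top
cn: SFTPUser
gidNumber: 24
description: Indicates that a user has SFTP access.
"""

Entry = dict[str, list[str]]


def normalize_dn(dn: str) -> str:
    """Case-fold and trim whitespace around RDN separators.

    Good enough for caseIgnore attributes like cn/ou/dc; DNs with
    escaped commas are out of scope for this toy normaliser.
    """
    return ",".join(part.strip() for part in dn.split(",")).lower()


def parse_ldif(text: str) -> dict[str, Entry]:
    """Minimal LDIF reader: one 'attr: value' per line, entries blank-separated.

    Continuation lines and base64 ('::') values are not handled.
    """
    directory: dict[str, Entry] = {}
    for block in text.strip().split("\n\n"):
        attrs: Entry = {}
        for line in block.splitlines():
            if not line or line.startswith("#"):
                continue
            name, _, value = line.partition(": ")
            attrs.setdefault(name.lower(), []).append(value)
        dn = attrs.pop("dn")[0]
        directory[normalize_dn(dn)] = attrs
    return directory


def dn_under_base(dn: str, base: str) -> bool:
    """True if dn is strictly below base (same container or deeper)."""
    return normalize_dn(dn).endswith("," + normalize_dn(base))


# RFC 4515 filter-value escaping: the five characters that would let a
# value break out of its (attr=value) assertion.
_FILTER_ESCAPES = {"\\": r"\5c", "*": r"\2a", "(": r"\28", ")": r"\29", "\x00": r"\00"}


def escape_filter_value(value: str) -> str:
    return "".join(_FILTER_ESCAPES.get(ch, ch) for ch in value)


def build_role_filter(role_dns: list[str], attr: str = "entryDN") -> str:
    """Build the OR-filter nss_ldap was seen building, but with escaping."""
    clauses = "".join(f"({attr}={escape_filter_value(dn)})" for dn in role_dns)
    return clauses if len(role_dns) == 1 else f"(|{clauses})"


def resolve_posix_gids(directory: dict[str, Entry], user_dn: str,
                       roles_base: str = ROLES_BASE) -> list[int]:
    """Return gidNumbers of the user's isMemberOf roles that are posixGroups."""
    user = directory[normalize_dn(user_dn)]
    gids: list[int] = []
    for role_dn in user.get("ismemberof", []):
        if not dn_under_base(role_dn, roles_base):
            continue  # refuse role DNs that point outside ou=Roles
        role = directory.get(normalize_dn(role_dn))
        if role is None:
            continue  # referenced role has no entry (cn=SFTP User:member here)
        classes = {oc.lower() for oc in role.get("objectclass", [])}
        if "posixgroup" not in classes:
            continue  # a role, but not one that maps to a POSIX group
        gids.extend(int(g) for g in role.get("gidnumber", []))
    return gids


if __name__ == "__main__":
    d = parse_ldif(SAMPLE_LDIF)
    roles = d[normalize_dn(USER_DN)]["ismemberof"]
    print(build_role_filter(roles))
    print(resolve_posix_gids(d, USER_DN))
```

The filter builder reproduces the shape of the search the post shows slapd receiving, so it can be pasted into ldapsearch -b ou=Roles,... to check whether the server answers it at all; the resolver is the fallback the post describes doing in nss_ldap, done instead in the application.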