I'm not sure if this is exactly the right list, but I'm stuck trying to implement something at work and I'm hoping someone can help me.


We have an existing openldap setup that uses roles rather than groups to determine who gets what. We have people under ou=People, and roles under ou=Roles.

Here are parts of my person object:

dn: uid=apenney,ou=People,dc=law,dc=harvard,dc=edu
objectClass: hostObject
objectClass: inetOrgPerson
objectClass: lawHarvardEduPerson
objectClass: organizationalPerson
objectClass: person
objectClass: posixAccount
objectClass: qmailUser
objectClass: shadowAccount
objectClass: top
cn: Ashley Penney
isMemberOf: cn=SFTP User:member,ou=Roles,dc=law,dc=harvard,dc=edu
isMemberOf: cn=SFTPUser,ou=Roles,dc=law,dc=harvard,dc=edu

Here's cn=SFTPUser,ou=Roles:

dn: cn=SFTPUser,ou=Roles,dc=law,dc=harvard,dc=edu
objectClass: lawHarvardEduRole
objectClass: organizationalUnit
objectClass: posixGroup
objectClass: top
cn: SFTPUser
gidNumber: 24
ou: Roles
ou: Xythos
description: Indicates that a user has SFTP access.
displayName: SFTP User (SFTP User)

What I want to be able to do, via nss_ldap, is to iterate over the isMemberOf entries, and check the cn=x,ou=roles for a posixGroup. I've managed to get it building a search of the form:

SRCH base="ou=Roles,dc=law,dc=harvard,dc=edu" scope=2 deref=3 filter="(|distinguishedName=cn=sftpuser:member,ou=roles,dc=law,dc=harvard,dc=edu)(distinguishedName=cn=sftpuser,ou=roles,dc=law,dc=harvard,dc=edu))"

It then does a SRCH attr=objectClass lookup, but this fails. My understanding is this requires some support in openldap itself, and I can't figure out if this is provided or not.

So, my alternative method is to build a dynamic list up, from my understanding, and have it build me a dynamic sftp-users group. I cannot figure out what values I would map, however, and I'd appreciate any assistance anyone can offer.
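As an added example (not code from the original post or from nss_ldap), here is the role-to-posixGroup resolution described above carried out offline in Python against the LDIF quoted in the post: for each isMemberOf DN on the user, keep only those that resolve to a posixGroup entry under ou=Roles and report the rest as unresolved. The sample LDIF is constructed from the post's entries, and treating a DN with no matching entry (such as the "SFTP User:member" one) as unresolved rather than an error is this example's own choice.

```python
# Added example: the two-step lookup described above, done offline against the
# LDIF shown in the post (constructed sample, not data from a live directory).
SAMPLE_LDIF = """\
dn: uid=apenney,ou=People,dc=law,dc=harvard,dc=edu
objectClass: posixAccount
cn: Ashley Penney
isMemberOf: cn=SFTP User:member,ou=Roles,dc=law,dc=harvard,dc=edu
isMemberOf: cn=SFTPUser,ou=Roles,dc=law,dc=harvard,dc=edu

dn: cn=SFTPUser,ou=Roles,dc=law,dc=harvard,dc=edu
objectClass: lawHarvardEduRole
objectClass: posixGroup
cn: SFTPUser
gidNumber: 24
"""

def normalise_dn(dn):
    """DN matching is case-insensitive; also strip spaces around RDN separators."""
    return ",".join(part.strip() for part in dn.split(",")).lower()

def parse_ldif(text):
    """Return {normalised dn: {lower attr: [values]}} for plain LDIF (no folding/base64)."""
    entries, current = {}, None
    for line in text.splitlines():
        if not line.strip():
            current = None          # blank line ends the current entry
            continue
        attr, _, value = line.partition(":")
        attr, value = attr.strip().lower(), value.strip()
        if attr == "dn":
            current = entries.setdefault(normalise_dn(value), {})
        elif current is not None:
            current.setdefault(attr, []).append(value)
    return entries

def role_groups(entries, user_dn, role_base="ou=Roles,dc=law,dc=harvard,dc=edu"):
    """Map a user's isMemberOf DNs to (cn, gidNumber) for role entries that are
    posixGroups; DNs outside role_base or without such an entry are returned
    separately so dangling references (like the ':member' DN above) stay visible."""
    base = normalise_dn(role_base)
    resolved, unresolved = [], []
    for dn in entries[normalise_dn(user_dn)].get("ismemberof", []):
        ndn = normalise_dn(dn)
        role = entries.get(ndn, {})
        classes = {c.lower() for c in role.get("objectclass", [])}
        if ndn.endswith("," + base) and "posixgroup" in classes:
            resolved.append((role["cn"][0], int(role["gidnumber"][0])))
        else:
            unresolved.append(dn)
    return resolved, unresolved
```

For the sample above, `role_groups(parse_ldif(SAMPLE_LDIF), "uid=apenney,ou=People,dc=law,dc=harvard,dc=edu")` yields one group, ("SFTPUser", 24), and one unresolved DN.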