Hi,
I'm not sure if this is exactly the right list, but I'm stuck trying to implement something at work and I'm hoping someone can help me.
Background:
We have an existing openldap setup that uses roles rather than groups to determine who gets what. We have people under ou=People, and roles under ou=Roles.
Here are parts of my person object:
dn: uid=apenney,ou=People,dc=law,dc=harvard,dc=edu
objectClass: hostObject
objectClass: inetOrgPerson
objectClass: lawHarvardEduPerson
objectClass: organizationalPerson
objectClass: person
objectClass: posixAccount
objectClass: qmailUser
objectClass: shadowAccount
objectClass: top
cn: Ashley Penney
isMemberOf: cn=SFTP User:member,ou=Roles,dc=law,dc=harvard,dc=edu
isMemberOf: cn=SFTPUser,ou=Roles,dc=law,dc=harvard,dc=edu
Here's cn=SFTPUser,ou=Roles:
dn: cn=SFTPUser,ou=Roles,dc=law,dc=harvard,dc=edu
objectClass: lawHarvardEduRole
objectClass: organizationalUnit
objectClass: posixGroup
objectClass: top
cn: SFTPUser
gidNumber: 24
ou: Roles
ou: Xythos
description: Indicates that a user has SFTP access.
displayName: SFTP User (SFTP User)
What I want to be able to do, via nss_ldap, is to iterate over the isMemberOf entries, and check the cn=x,ou=Roles for a posixGroup. I've managed to get it building a search of the form:
SRCHbase="ou=Roles,dc=law,dc=harvard,dc=edu" scope=2deref=3filter="(|distinguishedName=cn=sftpuser:member,ou=roles,dc=law,dc=harvard,dc=edu)(distinguishedName=cn=sftpuser,ou=roles,dc=law,dc=harvard,dc=edu))"
It then does a SRCHattr=objectClass lookup, but this fails. My understanding is this requires some support in openldap itself, and I can't figure out if this is provided or not.
So, my alternative method is to build a dynamic list up, from my understanding, and have it build me a dynamic sftp-users group. I cannot figure out what values I would map however, and I'd appreciate any assistance anyone can offer.
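The lookup the post is asking nss_ldap to do, as an added example that is not part of the original message: resolve each isMemberOf DN against the role entries and keep only those whose entry is a posixGroup. It assumes the role entry quoted above, embedded here as constructed LDIF, stands in for the directory; the first isMemberOf value has no matching entry on the page and is therefore skipped.

```python
# Added example, not code from the original post or from nss_ldap.
# Constructed sample directory: the role entry quoted in the post.
ROLE_LDIF = """\
dn: cn=SFTPUser,ou=Roles,dc=law,dc=harvard,dc=edu
objectClass: lawHarvardEduRole
objectClass: organizationalUnit
objectClass: posixGroup
objectClass: top
cn: SFTPUser
gidNumber: 24
ou: Roles
ou: Xythos
description: Indicates that a user has SFTP access.
displayName: SFTP User (SFTP User)
"""

# The user's isMemberOf values as quoted in the post.
USER_IS_MEMBER_OF = [
    "cn=SFTP User:member,ou=Roles,dc=law,dc=harvard,dc=edu",
    "cn=SFTPUser,ou=Roles,dc=law,dc=harvard,dc=edu",
]


def normalize_dn(dn):
    """Canonical form for comparison: lower-case, no space around commas.
    The search trace in the post shows DNs lower-cased, so compare that way."""
    return ",".join(part.strip().lower() for part in dn.split(","))


def parse_ldif(text):
    """Minimal LDIF parser: blank-line separated entries, multi-valued
    attributes kept as lists, entries keyed by normalized DN."""
    entries = {}
    for block in text.strip().split("\n\n"):
        attrs = {}
        for line in block.splitlines():
            key, _, value = line.partition(": ")
            attrs.setdefault(key, []).append(value)
        entries[normalize_dn(attrs["dn"][0])] = attrs
    return entries


def posix_groups_for(is_member_of, roles):
    """Map each isMemberOf DN that names a posixGroup role to its gidNumber.
    DNs with no matching role entry (the ':member' variant above) are skipped
    rather than failing the whole lookup, so a stale role reference cannot
    silently grant or block access."""
    found = {}
    for dn in is_member_of:
        entry = roles.get(normalize_dn(dn))
        if entry is None or "posixGroup" not in entry.get("objectClass", []):
            continue
        found[entry["cn"][0]] = int(entry["gidNumber"][0])
    return found
```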