On 02/09/11 12:38 -0700, Ski Kacoroski wrote:
I have an openldap server that several applications use for authentication. What we need to do is when a person is disabled, we need to disable access for that user for all applications but one (employeeonline). My first thought was simply to move the disabled person to a different OU (e.g. ou=eoonly,dc=... instead of ou=people,dc=...). The problem I am running into is that employeeonline is windows/vbscript that uses SASL to bind, which means that I cannot just move the user to a different OU as they are always coming in as sasl-realm OL.NSD.ORG. Does anyone have a good trick for how to do this? So far all I have come up with is:
- Bind as an admin user and then check the user's password instead of binding as the user.
- Figure out some way for vbscript to bind as a different SASL realm.
Use a search-based mapping like:
authz-regexp "uid=([^,]+),cn=([^,]+),cn=auth" "ldap:///dc=example,dc=net??sub?(uid=$1)"
which should (sasl) authenticate the user regardless of which subtree they exist in, underneath dc=example,dc=net.
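To make the difference between the two mapping styles concrete, here is an added example (not from either poster, and not slapd's own code) that models how slapd applies an authz-regexp rule to the SASL authentication DN uid=<user>,cn=<realm>,cn=auth. It assumes a constructed dc=example,dc=net directory with one active user under ou=people and one disabled user moved to ou=eoonly, and it implements only the subset of LDAP URL and filter syntax the rule uses (base, scope, one equality filter). A direct-DN replacement hard-codes ou=people and so points at an entry that no longer exists once the user is moved; the search-based replacement follows the user wherever they sit under the base, provided the search returns exactly one entry.

```python
import re

# Constructed sample directory (not a real server): DN -> attributes.
# alice is active in ou=people; bob was moved to ou=eoonly when disabled.
DIRECTORY = {
    "uid=alice,ou=people,dc=example,dc=net": {"uid": ["alice"]},
    "uid=bob,ou=eoonly,dc=example,dc=net": {"uid": ["bob"]},
}

# Two candidate authz-regexp rules in slapd's (pattern, replacement) form.
# DIRECT_RULE rewrites to a fixed subtree; SEARCH_RULE is the one suggested above.
DIRECT_RULE = (r"uid=([^,]+),cn=([^,]+),cn=auth",
               "uid=$1,ou=people,dc=example,dc=net")
SEARCH_RULE = (r"uid=([^,]+),cn=([^,]+),cn=auth",
               "ldap:///dc=example,dc=net??sub?(uid=$1)")


def sasl_authc_dn(user: str, realm: str) -> str:
    """The authentication DN slapd builds for a SASL bind before any mapping."""
    return f"uid={user},cn={realm},cn=auth"


def apply_rule(authc_dn: str, rule):
    """Substitute $1..$n capture groups into the replacement, as slapd does.
    Assumes the pattern must match the whole DN (fullmatch)."""
    pattern, replacement = rule
    m = re.fullmatch(pattern, authc_dn)
    if m is None:
        return None
    out = replacement
    for i, group in enumerate(m.groups(), start=1):
        out = out.replace(f"${i}", group)
    return out


def parse_ldap_uri(uri: str):
    """Split ldap:///base?attrs?scope?filter into (base, scope, filter)."""
    body = uri[len("ldap:///"):]
    base, _attrs, scope, filt = (body.split("?") + ["", "", ""])[:4]
    return base, (scope or "base"), filt


def in_scope(dn: str, base: str, scope: str) -> bool:
    """Naive scope check (no escaped-comma handling) for base/one/sub."""
    dn, base = dn.lower(), base.lower()
    if scope == "base":
        return dn == base
    if not dn.endswith("," + base):
        return False
    rdns_below_base = dn[: -len(base) - 1]
    return scope == "sub" or "," not in rdns_below_base  # "one" = a single RDN


def matches_filter(entry: dict, filt: str) -> bool:
    """Supports only the simple equality filter (attr=value) used in the rule."""
    m = re.fullmatch(r"\((\w+)=([^)]*)\)", filt)
    if m is None:
        raise ValueError(f"unsupported filter: {filt}")
    attr, value = m.groups()
    return value in entry.get(attr, [])


def resolve_identity(authc_dn: str, rule):
    """Return the authorization DN the rule yields, or None if mapping fails."""
    target = apply_rule(authc_dn, rule)
    if target is None:
        return None
    if not target.startswith("ldap:///"):
        # Direct-DN form: the rewritten string is used as-is, existing or not.
        return target
    base, scope, filt = parse_ldap_uri(target)
    hits = [dn for dn, entry in DIRECTORY.items()
            if in_scope(dn, base, scope) and matches_filter(entry, filt)]
    # The search form is accepted only when exactly one entry is returned.
    return hits[0] if len(hits) == 1 else None


def entry_exists(dn: str) -> bool:
    return dn in DIRECTORY


if __name__ == "__main__":
    for user in ("alice", "bob"):
        authc = sasl_authc_dn(user, "OL.NSD.ORG")
        print(f"{user}: direct -> {resolve_identity(authc, DIRECT_RULE)}; "
              f"search -> {resolve_identity(authc, SEARCH_RULE)}")
```

Running it shows bob's direct mapping landing on uid=bob,ou=people,... (no such entry), while the search form resolves to his real entry under ou=eoonly; per-application access can then be decided by ACLs on the subtree the entry actually lives in rather than by the bind identity.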