On 29/09/11 09:46 -0400, criderkevin@aol.com wrote:
> Having users duplicated is a problem for password reset, as someone has just pointed out to me...so then how do you set up your LDAP to allow access to one application and not others?
> Say I want to allow a user access to Email but not Network...how is your LDAP set up to handle this? Maybe a bad example...I suppose you'd do this with the delivered schemas...OK but what about access to Email ON and access to a homegrown app OFF? Perhaps using an attribute from a custom schema?
In my experience, authorization is not at all consistent across devices and applications. Those that are LDAP aware usually provide an LDAP filter as one component, in which case you can typically do:
(&(uid=$1)(someAccessAttr=email))
Some devices/applications provide for RADIUS authentication, which you can backend with LDAP to authenticate based on group membership, or the existence of a specific attribute.
Another approach is to configure your applications to use PAM authentication, and then make use of an ldap pam module.
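The following is an added example, not code from either poster, showing the filter-based approach from the reply above in working form: each application is configured with its own filter, the login name is substituted for $1, and an entry is allowed only if the filter matches it. The directory contents, the user names and the custom attribute name allowedService are all constructed for the example (allowedService is the kind of custom-schema attribute the question asks about, not a standard one). The evaluator handles only the RFC 4515 subset actually needed here: AND, OR, NOT, equality and presence.

```python
"""Evaluate a small subset of LDAP search filters (RFC 4515) against an
in-memory directory: AND (&), OR (|), NOT (!), equality (attr=value) and
presence (attr=*).  Enough to show per-application authorization driven by
the filter each application is configured with."""

import re

# Constructed sample directory.  'allowedService' stands in for the
# custom-schema attribute discussed in the thread; it is not a standard
# LDAP attribute name.  Values are lists, as an LDAP client returns them.
DIRECTORY = {
    "uid=alice,ou=people,dc=example,dc=com": {
        "uid": ["alice"],
        "objectClass": ["inetOrgPerson"],
        "allowedService": ["email"],
    },
    "uid=bob,ou=people,dc=example,dc=com": {
        "uid": ["bob"],
        "objectClass": ["inetOrgPerson"],
        "allowedService": ["email", "homegrown"],
    },
    "uid=carol,ou=people,dc=example,dc=com": {
        "uid": ["carol"],
        "objectClass": ["inetOrgPerson"],
    },
}

# Per-application filters; $1 is replaced by the login name, as in the reply.
APP_FILTERS = {
    "email": "(&(uid=$1)(allowedService=email))",
    "homegrown": "(&(uid=$1)(allowedService=homegrown))",
}


def escape_value(value):
    """Escape a value before substituting it into a filter (RFC 4515 section 3)."""
    return "".join("\\%02x" % ord(c) if c in "*()\\\x00" else c for c in value)


def _unescape(value):
    return re.sub(r"\\([0-9a-fA-F]{2})", lambda m: chr(int(m.group(1), 16)), value)


def parse_filter(text):
    """Parse a filter string into a tuple tree; raise ValueError on malformed input."""
    def parse(i):
        if i >= len(text) or text[i] != "(":
            raise ValueError("expected '(' at offset %d" % i)
        i += 1
        op = text[i:i + 1]
        if op in ("&", "|", "!"):
            i += 1
            children = []
            while i < len(text) and text[i] == "(":
                child, i = parse(i)
                children.append(child)
            if text[i:i + 1] != ")" or not children or (op == "!" and len(children) != 1):
                raise ValueError("malformed compound filter at offset %d" % i)
            return (op, children), i + 1
        end = text.find(")", i)
        if end < 0:
            raise ValueError("unterminated filter item")
        attr, sep, raw = text[i:end].partition("=")
        if not attr or not sep:
            raise ValueError("expected attr=value at offset %d" % i)
        if raw == "*":
            # Presence is decided on the raw text: an escaped "\2a" is a
            # literal asterisk, never a wildcard.
            return ("present", attr.lower()), end + 1
        if "*" in raw:
            raise ValueError("substring filters are not supported")
        return ("=", attr.lower(), _unescape(raw)), end + 1

    tree, end = parse(0)
    if end != len(text):
        raise ValueError("trailing characters after filter")
    return tree


def matches(node, entry):
    """Return True if the directory entry satisfies the parsed filter."""
    attrs = {k.lower(): v for k, v in entry.items()}
    if node[0] == "&":
        return all(matches(c, entry) for c in node[1])
    if node[0] == "|":
        return any(matches(c, entry) for c in node[1])
    if node[0] == "!":
        return not matches(node[1][0], entry)
    if node[0] == "present":
        return bool(attrs.get(node[1]))
    _, attr, value = node
    # caseIgnoreMatch semantics, as for most string-valued attributes.
    return any(v.lower() == value.lower() for v in attrs.get(attr, []))


def search(filter_text):
    """DNs of all entries matching the filter, in directory order."""
    tree = parse_filter(filter_text)
    return [dn for dn, entry in DIRECTORY.items() if matches(tree, entry)]


def authorized(username, app):
    """Post-authentication check: the app's filter, with the escaped login
    name substituted for $1, must match exactly one entry."""
    filter_text = APP_FILTERS[app].replace("$1", escape_value(username))
    return len(search(filter_text)) == 1


if __name__ == "__main__":
    for user in ("alice", "bob", "carol"):
        for app in APP_FILTERS:
            print("%-6s %-10s %s" % (user, app, "allow" if authorized(user, app) else "deny"))
```

With this directory alice is allowed email but not the homegrown app, bob is allowed both and carol neither, purely from the attribute values; the application code never changes. Two details matter in a real deployment: the login name must be escaped before it is spliced into the filter (escape_value above), and the check should require exactly one match, so that a filter which unexpectedly matches several entries denies rather than allows.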