Thanks a lot, I'll check these ideas and try to test them in a lab environment.
Bye
On Thu, Jun 27, 2013 at 4:09 PM, Aaron Richton richton@nbcs.rutgers.eduwrote:
On Thu, 27 Jun 2013, Jason Voorhees wrote:
As you can see, all these have the prefix "pre" before it's real username
(jvoorhees, mjackson, sjobs, bgates, tcruis, etc...). I also have an OpenLDAP server with a users directory tree whose usernames are the same but without "pre", I mean they are jvoorhees, mjackson, sjobs, bgates, tcruis, etc.... [...]
Is this possible to do? Can I make a rule to supress the "pre" prefix before authentication against LDAP? If yes, where should I make this "rule": in the Linux box (ldap client) or in the LDAP Server?
You might be able to use some slapo-rwm(5) rules to change all "uid=preXXX,..." into "uid=XXX,..." server-side. To my eye this looks sort of evil and might violate the principle of least surprise. In particular, if you're Linux-specific, perhaps you could look into pam_regex which is designed for this sort of use case.
Another possibility might be "splitting the difference," running the slapo-rwm(5) rules inside of a local slapd(8), perhaps accessed via nssov, and keeping an upstream LDAP server without this mess.
I'd suggest you build a test environment, try all your options out and see what sticks...