Hi,
My company maintains an openldap server which stores the information of all employees. All company-internal systems authenticate against it when users log in.
My department is responsible for software development/testing and is divided into many teams. I want to add the employees of my department to the corresponding teams in openldap so that I can manage user permissions based on teams in jira/confluence/gerrit/gitlab/svn/jenkins and so on. However, I have no permission to add teams or groups to the company openldap server.
My plan is to:
1. Set up a new openldap server inside my department.
2. Synchronize the necessary user data from the company openldap server to my department openldap server.
3. Create groups in the department openldap server.
4. Add users to the corresponding groups in the department openldap server.
5. Have jira/confluence/gerrit/gitlab/svn/jenkins authenticate with the department openldap server instead of the company one.
How to configure openldap to achieve this? I have googled for two days about replication/meta-directory, but still have no idea. BTW, I know Jira has similar functionality and can authenticate for confluence, but Jira cannot authenticate for other software such as gerrit/gitlab/svn/jenkins. Any help is appreciated.
BRs, Liansheng
--On Wednesday, November 4, 2020 9:33 PM +0800 张连生 lianszhang@163.com wrote:
How to configure openldap to achieve this?
You can't. What it would most likely take is:
a) A full dump of the company database in LDIF format
b) Import that in your system
c) Add your data
d) Develop your own process for updating the user data in your server from the company openldap.
--Quanah
--
Quanah Gibson-Mount
Product Architect
Symas Corporation
Packaged, certified, and supported LDAP solutions powered by OpenLDAP:
http://www.symas.com
Thank you for the confirmation. I am talking to company ldap guys and discussing your suggestions.
Much appreciated.
At 2020-11-06 08:33:35, "Quanah Gibson-Mount" quanah@symas.com wrote:
Dears,
Assume there are several entries under the "people" directory:
uid=User1,ou=people,dc=migu,dc=com
uid=User2,ou=people,dc=migu,dc=com
uid=User3,ou=people,dc=migu,dc=com
uid=User4,ou=people,dc=migu,dc=com
A posix group contains User1 and User2:
dn: cn=admin,ou=group,dc=migu,dc=com
objectClass: posixGroup
memberUid: User1
memberUid: User2
I need a permission rule that allows the members of "admin" (here User1 & User2) to log in while others cannot. What would the access list look like?
I tried the following, but it does not work:
access to dn="[uid=] + ([cn=admin,ou=group,dc=migu,dc=com])/memberUid + [,ou=people,dc=migu,dc=com]" by anonymous auth
I also tried the following, which does not work either:
access to dn="cn=admin,ou=group,dc=migu,dc=com" attrs=member,entry by anonymous auth
Any help is appreciated.
BRs Liansheng
--On Wednesday, November 18, 2020 4:05 PM +0800 张连生 lianszhang@163.com wrote:
I also tried the following, which does not work either.
The ability to authenticate to LDAP requires "auth" privileges to the userPassword attribute (for simple binds, at least). Since any incoming connection has *not yet authenticated*, ALL simple binds start out as anonymous. Thus what you're asking is literally impossible, because it requires *post authentication knowledge*.
To do what you are asking, you need to do something more like:
access to filter=(accountstatus=active) attrs=userPassword by anonymous auth
This assumes you have an attribute in the entry named "accountstatus".
If you used standard LDAP groups (such as groupOfNames), and implemented "memberOf" capabilities, then you could do something like:
access to filter=(memberOf=cn=admin,ou=group,dc=migu,dc=com) attrs=userPassword by anonymous auth
Regards, Quanah
--
Quanah Gibson-Mount
Product Architect
Symas Corporation
Packaged, certified, and supported LDAP solutions powered by OpenLDAP:
http://www.symas.com
openldap-technical@openldap.org
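The two pieces of work the thread leaves to the reader, as one added example that is not code from the thread or from OpenLDAP: the "dump, import, write your own sync process" mirror Quanah describes in his first reply, and the posixGroup-to-groupOfNames conversion his second reply presupposes (slapo-memberof maintains memberOf from member DNs, not from memberUid). It works on LDIF text offline, so it can be run against a slapcat/ldapsearch dump without touching either server. The department suffix dc=dev,dc=migu,dc=com, the KEEP attribute list, the function names and every sample entry are assumptions made for the example.

```python
"""Added example (not code from the thread): offline LDIF handling for the
departmental OpenLDAP mirror Quanah outlines (dump, import, own sync process),
plus conversion of the posixGroup from the later question into a groupOfNames,
which is what slapo-memberof needs in order to populate memberOf.
Suffixes, the KEEP attribute list and every sample entry are assumptions."""
import base64

COMPANY = "dc=migu,dc=com"        # company suffix, as used in the thread
DEPT = "dc=dev,dc=migu,dc=com"    # hypothetical department suffix
KEEP = ("objectClass", "uid", "cn", "sn", "mail", "userPassword")  # minimum needed for login


def parse_ldif(text):
    """LDIF -> list of records (dict attr -> [values]).  Folds continuation
    lines, decodes '::' base64 values, skips comments and the version line."""
    folded = []
    for raw in text.splitlines():
        if raw.startswith(" ") and folded:
            folded[-1] += raw[1:]          # continuation of the previous line
        else:
            folded.append(raw)
    records, rec = [], {}
    for line in folded + [""]:             # trailing "" flushes the last record
        if not line.strip():
            if rec:
                records.append(rec)
            rec = {}
        elif not line.startswith(("#", "version:")):
            attr, _, value = line.partition(":")
            if value.startswith(":"):
                value = base64.b64decode(value[1:]).decode()
            rec.setdefault(attr, []).append(value.strip())
    return records


def to_ldif(rec):
    """Serialize one record, base64-encoding values LDIF cannot carry in clear."""
    lines = ["dn: " + rec["dn"][0]]
    for attr, values in rec.items():
        for v in (values if attr != "dn" else []):
            safe = v.isascii() and v.isprintable() and not v.startswith((" ", ":", "<"))
            lines.append(f"{attr}: {v}" if safe else f"{attr}:: {base64.b64encode(v.encode()).decode()}")
    return "\n".join(lines) + "\n"


def mirror_entry(rec):
    """Import step: keep only KEEP attributes and re-home the entry under DEPT,
    so nothing beyond what login needs is copied out of the company directory."""
    dn = rec["dn"][0]
    if not dn.endswith("," + COMPANY):
        raise ValueError("entry outside the company suffix: " + dn)
    out = {"dn": [dn[:-len(COMPANY)] + DEPT]}
    out.update({a: list(rec[a]) for a in KEEP if a in rec})
    return out


def sync_changes(previous, current):
    """Own sync process: diff two mirrored snapshots and return changetype LDIF
    (adds, per-attribute replace/delete, entry deletes) for ldapmodify on DEPT."""
    prev = {r["dn"][0]: r for r in previous}
    cur = {r["dn"][0]: r for r in current}
    out = []
    for dn in sorted(cur.keys() - prev.keys()):
        out.append(to_ldif(cur[dn]).replace("\n", "\nchangetype: add\n", 1))
    for dn in sorted(cur.keys() & prev.keys()):
        mods = []
        for attr in sorted((set(cur[dn]) | set(prev[dn])) - {"dn"}):
            old, new = prev[dn].get(attr, []), cur[dn].get(attr, [])
            if sorted(old) != sorted(new):
                mods.append(f"delete: {attr}\n-\n" if not new else
                            f"replace: {attr}\n" + "".join(f"{attr}: {v}\n" for v in new) + "-\n")
        if mods:
            out.append(f"dn: {dn}\nchangetype: modify\n" + "".join(mods))
    for dn in sorted(prev.keys() - cur.keys()):
        out.append(f"dn: {dn}\nchangetype: delete\n")
    return "\n".join(out)


def posix_to_group_of_names(group, people):
    """memberUid holds login names; groupOfNames needs DNs, resolved here against
    the people entries.  An unknown uid is an error, not a silently dropped member."""
    by_uid = {p["uid"][0]: p["dn"][0] for p in people if "uid" in p}
    missing = [u for u in group.get("memberUid", []) if u not in by_uid]
    if missing:
        raise ValueError("memberUid without a people entry: " + ", ".join(missing))
    return {"dn": group["dn"], "objectClass": ["groupOfNames"], "cn": group["cn"],
            "member": [by_uid[u] for u in group.get("memberUid", [])]}


def person(n, mail=None):
    # Constructed sample entry, shaped like a slapcat/ldapsearch dump of the company server.
    return (f"dn: uid=User{n},ou=people,{COMPANY}\nobjectClass: inetOrgPerson\nuid: User{n}\n"
            f"cn: User {n}\nsn: {n}\nmail: {mail or f'user{n}@migu.com'}\n"
            f"userPassword: {{SSHA}}constructed{n}\nemployeeNumber: {1000 + n}\n")


DAY1 = "version: 1\n\n" + "\n".join(person(n) for n in (1, 2, 3))
DAY2 = "\n".join([person(1), person(3, "user3.new@migu.com"), person(4)])  # User2 left, User4 joined
ADMIN_GROUP = parse_ldif(f"dn: cn=admin,ou=group,{COMPANY}\nobjectClass: posixGroup\ncn: admin\n"
                         "gidNumber: 5000\nmemberUid: User1\nmemberUid: User2\n")[0]


def mirrored(dump):
    # Person entries only; the suffix and ou=people container entries are skipped.
    return [mirror_entry(r) for r in parse_ldif(dump) if "uid" in r]
```

`sync_changes(mirrored(DAY1), mirrored(DAY2))` returns the LDIF you would pipe into `ldapmodify` against the department server on each run of the sync job (one add for User4, one `replace: mail` for User3, one delete for User2); `to_ldif(posix_to_group_of_names(ADMIN_GROUP, parse_ldif(DAY1)))` is the group entry to load before turning on the memberof overlay, after which Quanah's `filter=(memberOf=...)` rule on userPassword applies. KEEP includes userPassword only because the department server has to verify binds itself; the copied hashes are credential material for every mirrored employee and must be protected at least as strictly as on the company server.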