Hi everyone,
Is anybody know if it's possible to define roles in OpenLDAP using back-sql?
Here's the thing, we need to prevent some of our users to see "everything". We need to filter results for some groups of users. But we need these rules in the database (Postgres) to be able to change them dynamically.
Problem is that, currently, when a user send a search query, OpenLDAP does not include in any way the DN of the user who made the query. As a result we have trouble creating scopes by user/group.
Thanks
On 09/07/12 15:59 +0200, David Rose wrote:
Hi everyone,
Is anybody know if it's possible to define roles in OpenLDAP using back-sql?
Here's the thing, we need to prevent some of our users to see "everything". We need to filter results for some groups of users. But we need these rules in the database (Postgres) to be able to change them dynamically.
Consider using the dynamic slapd-config backend instead. See chapters 5 and 8 of the OpenLDAP Administrator's Guide.
Problem is that, currently, when a user send a search query, OpenLDAP does not include in any way the DN of the user who made the query.
That seems counterintuitive. Are your users binding anonymously? If so, don't do that.
As a result we have trouble creating scopes by user/group.
On 09/07/2012 04:17 PM, Dan White wrote:
On 09/07/12 15:59 +0200, David Rose wrote:
Hi everyone,
Is anybody know if it's possible to define roles in OpenLDAP using back-sql?
Here's the thing, we need to prevent some of our users to see "everything". We need to filter results for some groups of users. But we need these rules in the database (Postgres) to be able to change them dynamically.
Consider using the dynamic slapd-config backend instead. See chapters 5 and 8 of the OpenLDAP Administrator's Guide.
We have a WebApp that stores all its data in Pg and we'd like to access it using LDAP without having to replicate the database. And AFAIK slapd-config and back-sql aren't compatible.
Problem is that, currently, when a user send a search query, OpenLDAP does not include in any way the DN of the user who made the query.
That seems counterintuitive. Are your users binding anonymously? If so, don't do that.
None of our users are bind anonymously. They're logged in, LDAP knows who's logged in, but doesn't tell Pg when a search query is passed.
As a result we have trouble creating scopes by user/group.
On Fri, 7 Sep 2012, David Rose wrote:
Hi everyone,
Is anybody know if it's possible to define roles in OpenLDAP using back-sql?
Here's the thing, we need to prevent some of our users to see "everything". We need to filter results for some groups of users. But we need these rules in the database (Postgres) to be able to change them dynamically.
Problem is that, currently, when a user send a search query, OpenLDAP does not include in any way the DN of the user who made the query. As a result we have trouble creating scopes by user/group.
Thanks
Not specific to back-sql, but if you need access control on the basis of the current bind DN, explore sets (OpenLDAP Admin Guide sec 8.5) relative to "user/dn" (IIRC "dn" is default so just "user" can be written, as seen in the admin guide examples).
You might be better off making some dummy data with a set ACL along the lines of test006 (stored with back-hdb or similar), then figuring out the appropriate back-sql views as a second step.
openldap-technical@openldap.org
-
Aaron Richton -
Dan White -
David Rose