(CCing the list)
On 09/07/12 17:02 +0200, David Rose wrote:
On 09/07/2012 04:17 PM, Dan White wrote:
> On 09/07/12 15:59 +0200, David Rose wrote:
>> Hi everyone,
>> Is anybody know if it's possible to define roles in OpenLDAP using
>> Here's the thing, we need to prevent some of our users to see
>> "everything". We need to filter results for some groups of users. But
>> we need these rules in the database (Postgres) to be able to change
>> them dynamically.
> Consider using the dynamic slapd-config backend instead. See chapters 5
> and 8 of the OpenLDAP Administrator's Guide.
We have a WebApp that stores all its data in Pg and we'd like to access
it using LDAP without having to replicate the database. And AFAIK
slapd-config and back-sql aren't compatible.
I don't know.
>> Problem is that, currently, when a user send a search query,
>> does not include in any way the DN of the user who made the query.
> That seems counterintuitive. Are your users binding anonymously? If so,
> don't do that.
None of our users are bind anonymously. They're logged in, LDAP knows
who's logged in, but doesn't tell Pg when a search query is passed.
How do they 'log in'. Do they bind using user credentials directly to the
LDAP server, or do they log in to a website? If the latter, then see if
your webapp supporting binding *using the user's credentials* when querying
the ldap server. Or see if it supports binding with an authz identity
matching the user.