Hello,
I'm trying to use our corporate openldap server for authentication to an application server (Github Enterprise) that does not support any "memberof" filters for allowed users.
As a workaround, I am looking into a translucent proxy server that would only return a subset of users. Github Enterprise would only "see" a few hundred users instead of thousands. Is this doable? Is there a better solution?
Joel Eidsath
Or you could use back-ldap too.
Sorry, hit send too soon. What does GitHub support re groups? I tried to see their docs, but they only have a small public FAQ.
I was thinking that you could use back-ldap and then the dynlist overlay to create your own dynamic groups, but I don't know what your entries or DIT look like.
The problem with translucent is the management moving forward.
Thanks.
On Fri, 27 Jul 2012, Joel Eidsath wrote:
Hello, I'm trying to use our corporate openldap server for authentication to an application server (Github Enterprise) that does not support any "memberof" filters for allowed users.
As a workaround, I am looking into a translucent proxy server that would only return a subset of users. Github Enterprise would only "see" a few hundred users instead of thousands. Is this doable? Is there a better solution?
You could certainly work on an appropriate back-{ldap,relay,etc} configuration, but it's probably needless weight. Assuming the client supports a bindDN, I'd consider creating an ACL that only allows access to "a subset of users" that's desired and disallows !subset users. Oversimplified:
access to * group.expand="cn=githubgroup" by dn.exact="cn=githubbinddn" read
access to * by dn.exact="cn=githubbinddn" none
On 30/07/2012 16:45, Aaron Richton wrote:
On Fri, 27 Jul 2012, Joel Eidsath wrote:
Hello, I'm trying to use our corporate openldap server for authentication to an application server (Github Enterprise) that does not support any "memberof" filters for allowed users.
As a workaround, I am looking into a translucent proxy server that would only return a subset of users. Github Enterprise would only "see" a few hundred users instead of thousands. Is this doable? Is there a better solution?
You may use ACLs, if you have a filtering criterion. For instance, to exclude users without a telephoneNumber attribute:
access to dn.children="ou=users,dc=domain,dc=com" filter=(!(telephoneNumber=*))
    by anonymous peername.ip=w.x.y.z none
    by dn.exact="cn=github,ou=roles,dc=domain,dc=com" none
    by * break
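As an added example that is not from any of the posters above, here is a complete slapd.conf ACL fragment that combines the two suggestions in this thread (a dedicated bind DN for the application, plus server-side ACL filtering) so that the bind DN GitHub Enterprise uses can only see users who are members of one group. It relies on the memberof overlay to keep a memberOf attribute on user entries, so the ACL filter runs on the server and the client never needs a group filter of its own. The suffix dc=example,dc=com, the group cn=githubgroup, the bind DN cn=github,ou=roles,... and the attribute list are all assumed placeholders.

```conf
# Assumed suffix dc=example,dc=com; every DN below is a placeholder.
# These directives belong in the database section of slapd.conf.

# The memberof overlay keeps memberOf on user entries in sync with the
# member attribute of groupOfNames groups. It only updates on future
# modifications: after enabling it, re-add the member values of existing
# groups once so the attribute is back-filled.
moduleload memberof.la
overlay memberof
memberof-group-oc groupOfNames
memberof-member-ad member
memberof-memberof-ad memberOf

# 0. Password hashes are never readable; users bind with them and may
#    change their own. Listed first so it wins for that attribute.
access to attrs=userPassword
    by self write
    by anonymous auth
    by * none

# 1. Members of the GitHub group: the GitHub bind DN may read only the
#    attributes the application needs. Everyone else falls through.
access to dn.children="ou=users,dc=example,dc=com"
        filter=(memberOf=cn=githubgroup,ou=groups,dc=example,dc=com)
        attrs=entry,objectClass,uid,cn,mail
    by dn.exact="cn=github,ou=roles,dc=example,dc=com" read
    by * break

# 2. Every other entry under ou=users is invisible to the GitHub bind DN.
#    This must precede any broader rule that would grant it access.
access to dn.children="ou=users,dc=example,dc=com"
    by dn.exact="cn=github,ou=roles,dc=example,dc=com" none
    by * break

# 3. The bind DN must still be able to reach its search base, otherwise
#    its searches fail with "no such object".
access to dn.exact="ou=users,dc=example,dc=com" attrs=entry,objectClass
    by dn.exact="cn=github,ou=roles,dc=example,dc=com" read
    by * break

# 4. Ordinary site policy for everyone else.
access to *
    by self write
    by users read
    by anonymous auth
```

Rule order matters: slapd uses the first `access to` clause whose `to` part matches the entry and attribute, so the filtered "read" rule must come before the blanket "none" rule for the same bind DN, and `by * break` is what lets other identities continue to the later rules. Before pointing the application at the server, check the result offline with the ACL tester that ships with OpenLDAP, e.g. `slapacl -f /etc/ldap/slapd.conf -D "cn=github,ou=roles,dc=example,dc=com" -b "uid=alice,ou=users,dc=example,dc=com" uid/read` for a member and a non-member of the group, and then confirm with an `ldapsearch -x -D "cn=github,ou=roles,dc=example,dc=com" -W -b "ou=users,dc=example,dc=com" "(uid=*)"` that only the intended subset is returned.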
openldap-technical@openldap.org