9:56 a.m.
Hello,
I'm trying to use our corporate openldap server for authentication to an
application server (Github Enterprise) that does not support any "memberof"
filters for allowed users.
As a workaround, I am looking into a translucent proxy server that would
only return a subset of users. Github Enterprise would only "see" a few
hundred users instead of thousands. Is this doable? Is there a better
solution?
Joel Eidsath
1:23 a.m.
I'm trying to use our corporate openldap server for
authentication to an
application server (Github Enterprise) that does not support any "memberof"
filters for allowed users.
As a workaround, I am looking into a translucent proxy server that would
only return a subset of users. Github Enterprise would only "see" a few
hundred users instead of thousands. Is this doable? Is there a better
solution?
Or you could use back-ldap too.
--
Kind Regards,
Gavin Henry.
Managing Director.
T +44 (0) 1224 279484
M +44 (0) 7930 323266
F +44 (0) 1224 824887
E ghenry(a)suretecsystems.com
Open Source. Open Solutions(tm).
http://www.suretecsystems.com/
Suretec Systems is a limited company registered in Scotland. Registered
number: SC258005. Registered office: 24 Cormack Park, Rothienorman, Inverurie,
Aberdeenshire, AB51 8GL.
Subject to disclaimer at http://www.suretecgroup.com/disclaimer.html
Do you know we have our own VoIP provider called SureVoIP? See
http://www.surevoip.co.uk
Did you see our API news?
http://www.surevoip.co.uk/news-events/surevoip-launches-innovative-api
2:19 a.m.
> As a workaround, I am looking into a translucent proxy server
that would
> only return a subset of users. Github Enterprise would only "see" a few
> hundred users instead of thousands. Is this doable? Is there a better
> solution?
Or you could use back-ldap too.
Sorry, hit send too soon. What does GitHub support re groups? I tried
to see their
docs but the only have a small public FAQ.
I was thinking that you could use back-ldap and then the dynlist list
overlay to create
your own dynamic groups, but I don't know what you entries or DIT looks like.
The problem with translucent is the management moving forward.
Thanks.
--
Kind Regards,
Gavin Henry.
Managing Director.
T +44 (0) 1224 279484
M +44 (0) 7930 323266
F +44 (0) 1224 824887
E ghenry(a)suretecsystems.com
Open Source. Open Solutions(tm).
http://www.suretecsystems.com/
Suretec Systems is a limited company registered in Scotland. Registered
number: SC258005. Registered office: 24 Cormack Park, Rothienorman, Inverurie,
Aberdeenshire, AB51 8GL.
Subject to disclaimer at http://www.suretecgroup.com/disclaimer.html
Do you know we have our own VoIP provider called SureVoIP? See
http://www.surevoip.co.uk
Did you see our API news?
http://www.surevoip.co.uk/news-events/surevoip-launches-innovative-api
7:45 a.m.
On Fri, 27 Jul 2012, Joel Eidsath wrote:
Hello, I'm trying to use our corporate openldap server for
authentication to an application server (Github Enterprise) that does
not support any "memberof" filters for allowed users.
As a workaround, I am looking into a translucent proxy server that would
only return a subset of users. Github Enterprise would only "see" a few
hundred users instead of thousands. Is this doable? Is there a better
solution?
You could certainly work on an appropriate back-{ldap,relay,etc}
configuration, but it's probably needless weight. Assuming the client
supports a bindDN, I'd consider creating an ACL that only allows access to
"a subset of users" that's desired and disallows !subset users.
Oversimplified:
access to * group.expand="cn=githubgroup" by "cn=githubbinddn" read
access to * by "cn=githubbinddn" none
10:47 a.m.
Le 30/07/2012 16:45, Aaron Richton a écrit :
On Fri, 27 Jul 2012, Joel Eidsath wrote:
> Hello, I'm trying to use our corporate openldap server for
> authentication to an application server (Github Enterprise) that does
> not support any "memberof" filters for allowed users.
>
> As a workaround, I am looking into a translucent proxy server that
> would only return a subset of users. Github Enterprise would only
> "see" a few hundred users instead of thousands. Is this doable? Is
> there a better solution?
You may use ACLs, if you have a filtering critera. For
instance, to
exclude users without a telephone number attribute:
access to dn.children="ou=users,dc=domain,dc=com"
filter=(!(telephoneNumber=*))
by anonymous peername.ip=w.x.y.z none
by dn.exact="cn=github,ou=roles,dc=domain,dc=com" none
by * break
--
BOFH excuse #79:
Look, buddy: Windows 3.1 IS A General Protection Fault.
4142
days inactive
4145
days old
openldap-technical@openldap.org
4 comments
4 participants
participants (4)
-
Aaron Richton -
Gavin Henry -
Guillaume Rousse -
Joel Eidsath