Hello to all,
I need your help with OpenLDAP ACL.
Here is my DIT:
dc=example,dc=com
  ou=Users
    uid=user1
    uid=user2
  ou=Groups
    cn=...
    cn=...
I use that to do Unix Auth with pam. It works fine.
Now, I need to modify my tree like that:
dc=example,dc=com
  ou=Users
    uid=user1
    uid=user2
    ou=Foo
      uid=user3
      uid=user4
  ou=Groups
    cn=...
    cn=...
So, I've added the OU "foo" to "Ou=Users".
In my network, all PCs are configured with pam_ldap reading "dc=example,dc=com". So, when I do:
$ getent passwd
I have:
user1
user2
user3
user4
What I want:
* if I'm an "Ou=Users" member, for example "user1", with pam_ldap suffix "dc=example,dc=com":
$ getent passwd
user1
user2
* if I'm an "Ou=Foo" member, for example "user_b", with pam_ldap suffix "dc=example,dc=com":
$ getent passwd
user3
user4
Is it possible to do so without modifying the DIT structure? (only with ACL?)
Thanks a lot for your help.
On Mon, Sep 03, 2012 at 03:05:50PM +0200, Alexis GÜNST HORN wrote:
> dc=example,dc=com
>   ou=Users
>     uid=user1
>     uid=user2
>     ou=Foo
>       uid=user3
>       uid=user4
>   ou=Groups
>     cn=...
>     cn=...
> What I want:
> - if I'm an "Ou=Users" member, for example "user1", with pam_ldap suffix "dc=example,dc=com":
> $ getent passwd
> user1
> user2
> - if I'm an "Ou=Foo" member, for example "user_b", with pam_ldap suffix "dc=example,dc=com":
> $ getent passwd
> user3
> user4
> Is it possible to do so without modifying the DIT structure? (only with ACL?)
Rather unlikely, as 'getent passwd' is a Unix/Linux command that gets to LDAP via NSS. The LDAP server will not know the identity of the end-user, so cannot return different results to different people.
Further, most systems that use NSS LDAP have a cache/proxy process between the getent API and the LDAP client library. That means that the LDAP client library sees *all* requests coming from the same process and thus the same user ID.
If your 'Foo' users and your 'Users' users are on separate machines then you could do something: move ou=Foo up alongside ou=Users and configure NSS/PAM on each machine to access just the relevant subtree.
Andrew
openldap-technical@openldap.org
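An added model (not code from the thread or from OpenLDAP) of what each client's passwd lookup returns under the two layouts discussed above: it scopes a search the way an LDAP client does for a given base and scope, over constructed sample entries, and also shows the one-level scope case, which goes beyond what the reply suggests.

```python
# Constructed sample DITs: DN and the objectClass NSS filters on.
NESTED = [  # the poster's layout: ou=Foo created under ou=Users
    ("uid=user1,ou=Users,dc=example,dc=com", "posixAccount"),
    ("uid=user2,ou=Users,dc=example,dc=com", "posixAccount"),
    ("uid=user3,ou=Foo,ou=Users,dc=example,dc=com", "posixAccount"),
    ("uid=user4,ou=Foo,ou=Users,dc=example,dc=com", "posixAccount"),
    ("cn=admins,ou=Groups,dc=example,dc=com", "posixGroup"),
]
SIBLING = [  # the reply's suggestion: ou=Foo moved up alongside ou=Users
    ("uid=user1,ou=Users,dc=example,dc=com", "posixAccount"),
    ("uid=user2,ou=Users,dc=example,dc=com", "posixAccount"),
    ("uid=user3,ou=Foo,dc=example,dc=com", "posixAccount"),
    ("uid=user4,ou=Foo,dc=example,dc=com", "posixAccount"),
    ("cn=admins,ou=Groups,dc=example,dc=com", "posixGroup"),
]


def _rdns(dn):
    """Split a DN into normalised RDNs (sample DNs contain no escaped commas)."""
    return [part.strip().lower() for part in dn.split(",")]


def in_scope(entry_dn, base, scope):
    """True if entry_dn is returned by a search with this base and scope."""
    entry, root = _rdns(entry_dn), _rdns(base)
    if scope == "base":
        return entry == root
    if scope == "one":           # direct children only
        return entry[1:] == root
    if scope == "sub":           # the base itself and everything below it
        return len(entry) >= len(root) and entry[-len(root):] == root
    raise ValueError("unknown scope: %s" % scope)


def passwd_map(dit, base, scope="sub"):
    """uids an NSS client configured with this passwd base would hand to getent."""
    return sorted(
        dn.split(",", 1)[0].split("=", 1)[1]
        for dn, oc in dit
        if oc == "posixAccount" and in_scope(dn, base, scope)
    )


if __name__ == "__main__":
    # A subtree search from the suffix sees every account, whatever the bind identity.
    print("nested, suffix  :", passwd_map(NESTED, "dc=example,dc=com"))
    # Per-machine bases on the sibling layout give each group its own view.
    print("sibling, Users  :", passwd_map(SIBLING, "ou=Users,dc=example,dc=com"))
    print("sibling, Foo    :", passwd_map(SIBLING, "ou=Foo,dc=example,dc=com"))
```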