wallet ldap question

Russ Allbery rra at stanford.edu
Tue Aug 28 16:03:22 EDT 2012


Ross Smith <rjsm at umich.edu> writes:

> Instead of looking up the principal and checking an attribute, we would
> like to look up a key and check if an attribute contains the principal to
> grant access.  e.g. our ldap is structured like below

> ou=,dn=,cn=,cn=my-wallet-group:
>                  member: uid=rjsm
>                  member: uid=foo
>                  member: uid=bar

Right, you have actual LDAP groups instead of entitlements.  This is
actually the more natural way to do things, but our local environment is
weird, so I didn't write the code to do that.

> What is the best course of implementing something like this?  I was
> planning to use the existing ldap-attr code as a starting point and
> implement this there?

That's what I'd do.

http://stackoverflow.com/questions/1032351/how-to-write-ldap-query-to-test-if-user-is-member-of-a-group

looks like the right way to construct the LDAP query to do a memberof
check.

(I'm hoping to get a wallet 1.0 release out in the next month or so.)

-- 
Russ Allbery (rra at stanford.edu)             <http://www.eyrie.org/~eagle/>
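Added example (not code from wallet, which is written in Perl, and not from
either poster): a Python sketch of the group-membership check in the filter
shape the Stack Overflow answer describes, with RFC 4515 escaping of the
value derived from the principal so that a hostile principal name cannot
rewrite the filter. The directory layout (ou=Groups and ou=People under
dc=example,dc=edu), the realm, the `search` callable and the `sample_search`
/ `SAMPLE_GROUPS` stand-in are all assumptions made so the script runs
offline; the sample directory contents are constructed.

```python
"""Group-membership ACL check in the (&(cn=..)(member=..)) query shape.

Added example, not code from wallet (which is Perl) or from this thread.
The directory layout, realm and the ``search`` callable are assumptions;
``sample_search`` and ``SAMPLE_GROUPS`` are a constructed stand-in for a
directory server so the script runs offline.
"""
import re

# RFC 4515: these characters must be escaped inside a filter assertion value.
# Without this a principal such as "foo)(objectClass=*" could change the
# structure of the filter and turn an ACL check into a different query.
_FILTER_ESCAPES = {"\\": r"\5c", "*": r"\2a", "(": r"\28", ")": r"\29", "\x00": r"\00"}


def escape_filter_value(value):
    """Escape an assertion value for use inside an LDAP search filter."""
    return "".join(_FILTER_ESCAPES.get(ch, ch) for ch in value)


def principal_to_uid(principal, realm):
    """Map a plain user principal in ``realm`` to its LDAP uid, failing closed.

    Principals with an instance (host/foo), no realm, or a foreign realm
    raise ValueError so the caller denies access rather than guessing.
    """
    if "@" not in principal:
        raise ValueError("principal must carry a realm")
    name, prin_realm = principal.rsplit("@", 1)
    if prin_realm != realm:
        raise ValueError("unexpected realm %r" % prin_realm)
    if not name or "/" in name:
        raise ValueError("only plain user principals map to a uid")
    return name


def membership_filter(group_cn, member_dn):
    """Filter that matches the group entry only if member_dn is listed in it."""
    return "(&(cn=%s)(member=%s))" % (
        escape_filter_value(group_cn),
        escape_filter_value(member_dn),
    )


def is_member(search, groups_base, people_base, group_cn, principal, realm):
    """True if the principal's uid entry is a member of cn=group_cn.

    ``search(base_dn, ldap_filter)`` returns the DNs that match; in real use
    wrap python-ldap's search_s or ldap3's Connection.search (assumed APIs
    of those libraries, not used here).
    """
    uid = principal_to_uid(principal, realm)
    member_dn = "uid=%s,%s" % (uid, people_base)
    return bool(search(groups_base, membership_filter(group_cn, member_dn)))


# --- constructed offline stand-in for a directory server -------------------
GROUPS_BASE = "ou=Groups,dc=example,dc=edu"
PEOPLE_BASE = "ou=People,dc=example,dc=edu"
REALM = "EXAMPLE.EDU"
SAMPLE_GROUPS = {  # constructed sample data
    "cn=my-wallet-group," + GROUPS_BASE: {
        "uid=rjsm," + PEOPLE_BASE,
        "uid=foo," + PEOPLE_BASE,
    },
}
_FILTER_RE = re.compile(r"^\(&\(cn=(.*)\)\(member=(.*)\)\)$")


def _unescape(value):
    """Reverse RFC 4515 hex escapes (only the stand-in server needs this)."""
    return re.sub(r"\\([0-9a-fA-F]{2})", lambda m: chr(int(m.group(1), 16)), value)


def sample_search(base_dn, ldap_filter):
    """Evaluate exactly the (&(cn=..)(member=..)) shape against SAMPLE_GROUPS."""
    m = _FILTER_RE.match(ldap_filter)
    if not m:
        return []
    cn, member = (_unescape(part) for part in m.groups())
    group_dn = "cn=%s,%s" % (cn, base_dn)
    members = SAMPLE_GROUPS.get(group_dn, set())
    return [group_dn] if member in members else []


if __name__ == "__main__":
    for prin in ("rjsm@EXAMPLE.EDU", "bar@EXAMPLE.EDU", "foo)(objectClass=*@EXAMPLE.EDU"):
        ok = is_member(sample_search, GROUPS_BASE, PEOPLE_BASE, "my-wallet-group", prin, REALM)
        print("%-35s member: %s" % (prin, ok))
```

The check searches the group subtree for an entry whose cn is the ACL's
group and whose member attribute contains the principal's uid DN, so a
non-empty result means access; the filter-value escaping and the
fail-closed principal-to-uid mapping are the two places a practitioner
would most want to get right before wiring this into an ACL backend.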


More information about the Kerberos mailing list