wallet ldap question
Russ Allbery
rra at stanford.edu
Tue Aug 28 16:03:22 EDT 2012
Ross Smith <rjsm at umich.edu> writes:
> Instead of looking up the principal and checking an attribute, we would
> like to look up a key and check if an attribute contains the principal to
> grant access. e.g. our ldap is structured like below
> ou=,dn=,cn=,cn=my-wallet-group:
> member: uid=rjsm
> member: uid=foo
> member: uid=bar
Right, you have actual LDAP groups instead of entitlements. This is
actually the more natural way to do things, but our local environment is
weird, so I didn't write the code to do that.
> What is the best course of implementing something like this? I was
> planning to use the existing ldap-attr code as a starting point and
> implement this there?
That's what I'd do.
http://stackoverflow.com/questions/1032351/how-to-write-ldap-query-to-test-if-user-is-member-of-a-group
looks like the right way to construct the LDAP query to do a memberof
check.
(I'm hoping to get a wallet 1.0 release out in the next month or so.)
--
Russ Allbery (rra at stanford.edu) <http://www.eyrie.org/~eagle/>
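
One way to do the group-side membership check discussed above, as an added example that is not part of the original message or of wallet's own code. It uses Net::LDAP (perl-ldap); the function names, the realm EXAMPLE.ORG, and the mapping of a principal rjsm@REALM to the member value "uid=rjsm" are assumptions made for illustration.

```perl
#!/usr/bin/perl
use strict;
use warnings;
use Net::LDAP::Util qw(escape_filter_value);

# Assumptions (not from the thread): the realm, and that a principal
# rjsm@REALM maps to the member value "uid=rjsm" shown in the sample entry.
my $REALM = 'EXAMPLE.ORG';

# Map a Kerberos principal to the value stored in the group's member
# attribute.  Returns undef for principals outside the expected realm so a
# same-named user from another realm never matches.
sub member_value {
    my ($principal) = @_;
    my ($user, $realm) = $principal =~ /\A([^\@]+)\@([^\@]+)\z/ or return;
    return unless $realm eq $REALM;
    return "uid=$user";
}

# Build the membership filter.  escape_filter_value applies the RFC 4515
# escapes, so "*", "(", ")" and "\" in a principal cannot alter the filter.
sub member_filter {
    my ($principal) = @_;
    my $value = member_value($principal);
    return unless defined $value;
    return '(member=' . escape_filter_value($value) . ')';
}

# Return 1 if the principal is in the group, 0 if not, undef on error.
# $ldap is an already-bound Net::LDAP handle; a base-scope search on the
# group entry returns that entry only when the filter matches it.
sub in_group {
    my ($ldap, $group_dn, $principal) = @_;
    my $filter = member_filter($principal);
    return 0 unless defined $filter;
    my $mesg = $ldap->search(base => $group_dn, scope => 'base',
                             filter => $filter, attrs => ['1.1']);
    return if $mesg->code;          # fail closed: caller must deny on undef
    return $mesg->count == 1 ? 1 : 0;
}

# Constructed sample principals; the second tries to inject a wildcard.
for my $p ('rjsm@EXAMPLE.ORG', '*)(uid=*@EXAMPLE.ORG', 'rjsm@OTHER.REALM') {
    my $f = member_filter($p);
    print "$p => ", (defined $f ? $f : '(rejected)'), "\n";
}
```

The loop at the end only prints the filters and needs no directory server; in_group is the part that would sit behind an ACL check, and its caller has to treat undef as a denial.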