wallet ldap question

Russ Allbery rra at stanford.edu
Tue Aug 28 16:18:14 EDT 2012


Russ Allbery <rra at stanford.edu> writes:
> Ross Smith <rjsm at umich.edu> writes:

>> What is the best course of implementing something like this?  I was
>> planning to use the existing ldap-attr code as a starting point and
>> implement this there?

> That's what I'd do.

> http://stackoverflow.com/questions/1032351/how-to-write-ldap-query-to-test-if-user-is-member-of-a-group

> looks like the right way to construct the LDAP query to do a memberof
> check.

Some more thoughts on this:

You need to decide whether to store in the ACL the full DN of the group or
to store in the configuration some way to construct the DN given the group
name.  I would lean towards the former; it's a little uglier, but it's the
most general, in case you have groups in multiple DN stems.

I would therefore lean towards an ACL syntax like:

    ldap-group cn=some-group,cn=groups,dc=example,dc=org

(This is, in fact, exactly why the new LDAP ACL scheme is called ldap-attr
and not just ldap; I knew we were going to need an ldap-group eventually.)

You should then be able to reuse the existing code and configuration for
how to map the authenticated user to a DN.  Once you have the user's DN
and the DN of the LDAP group (from the ACL information), you can then
either do a memberof query (if you assume that the LDAP server has
memberof support), or do something more complex where you do a compare to
see if the group's member attribute contains the DN of the user.

-- 
Russ Allbery (rra at stanford.edu)             <http://www.eyrie.org/~eagle/>
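The two membership checks described in the message (a memberOf search on the user's entry, or a compare against the group's member attribute), as an added Python example that is not wallet's code. It assumes a hypothetical `ldap-group <group DN>` ACL syntax, a constructed in-memory stand-in for the LDAP server (`FakeDirectory`, with placeholder DNs under dc=example,dc=org), and applies RFC 4515 escaping to the group DN before it goes into a search filter, which a real implementation must do since the DN comes from ACL data and may contain parentheses.

```python
# Added example, not wallet's own code. Demonstrates an ldap-group ACL check
# two ways: (1) base-scope search on the user DN with a memberOf filter, and
# (2) an LDAP compare on the group's member attribute. FakeDirectory is a
# constructed stand-in for an LDAP server; DNs below are placeholders.
import re
from typing import Dict, List, Optional


def normalize_dn(dn: str) -> str:
    """Simplified DN matching: case-insensitive, whitespace around commas ignored."""
    return ','.join(part.strip() for part in dn.split(',')).lower()


def escape_filter_value(value: str) -> str:
    """RFC 4515 escaping for a value embedded in an LDAP search filter."""
    return ''.join('\\%02x' % ord(c) if c in '\\*()\x00' else c for c in value)


def unescape_filter_value(value: str) -> str:
    """Reverse of escape_filter_value, used by the fake server when parsing a filter."""
    return re.sub(r'\\([0-9a-fA-F]{2})', lambda m: chr(int(m.group(1), 16)), value)


class FakeDirectory:
    """In-memory directory: entries keyed by normalized DN, attributes lowercased."""

    def __init__(self, entries: Dict[str, Dict[str, List[str]]]):
        self.entries = {normalize_dn(dn): {k.lower(): list(v) for k, v in attrs.items()}
                        for dn, attrs in entries.items()}

    def _values(self, dn: str, attr: str) -> Optional[List[str]]:
        entry = self.entries.get(normalize_dn(dn))
        return None if entry is None else entry.get(attr.lower(), [])

    def search_base(self, base_dn: str, ldap_filter: str) -> bool:
        """Base-scope search supporting a single equality filter '(attr=value)'."""
        m = re.fullmatch(r'\((\w+)=(.*)\)', ldap_filter)
        if not m:
            raise ValueError('unsupported filter %r' % ldap_filter)
        wanted = normalize_dn(unescape_filter_value(m.group(2)))
        values = self._values(base_dn, m.group(1))
        return values is not None and any(normalize_dn(v) == wanted for v in values)

    def compare(self, dn: str, attr: str, value: str) -> bool:
        """LDAP compare operation: does the entry's attribute contain value?"""
        values = self._values(dn, attr)
        return values is not None and any(normalize_dn(v) == normalize_dn(value) for v in values)


def parse_ldap_group_acl(acl: str) -> str:
    """Parse the hypothetical 'ldap-group <group DN>' ACL line and return the DN."""
    scheme, _, group_dn = acl.strip().partition(' ')
    if scheme != 'ldap-group' or not group_dn.strip():
        raise ValueError('expected "ldap-group <group DN>", got %r' % acl)
    return group_dn.strip()


def check_memberof(directory: FakeDirectory, user_dn: str, group_dn: str) -> bool:
    """Strategy 1: requires memberOf support on the server."""
    return directory.search_base(user_dn, '(memberOf=%s)' % escape_filter_value(group_dn))


def check_compare(directory: FakeDirectory, user_dn: str, group_dn: str) -> bool:
    """Strategy 2: works without memberOf; compare the group's member attribute."""
    return directory.compare(group_dn, 'member', user_dn)


def authorized(directory: FakeDirectory, user_dn: str, acl: str, use_memberof: bool = True) -> bool:
    """Evaluate one ldap-group ACL for an already-mapped user DN."""
    group_dn = parse_ldap_group_acl(acl)
    check = check_memberof if use_memberof else check_compare
    return check(directory, user_dn, group_dn)


# Constructed sample directory (placeholder DNs, not real entries).
SAMPLE = FakeDirectory({
    'uid=alice,ou=people,dc=example,dc=org': {
        'memberOf': ['cn=some-group,cn=groups,dc=example,dc=org',
                     'cn=ops (prod),cn=groups,dc=example,dc=org']},
    'uid=bob,ou=people,dc=example,dc=org': {'memberOf': []},
    'cn=some-group,cn=groups,dc=example,dc=org': {
        'member': ['uid=alice,ou=people,dc=example,dc=org']},
    'cn=ops (prod),cn=groups,dc=example,dc=org': {
        'member': ['uid=alice,ou=people,dc=example,dc=org']},
})

if __name__ == '__main__':
    acl = 'ldap-group cn=some-group,cn=groups,dc=example,dc=org'
    for user in ('uid=alice,ou=people,dc=example,dc=org', 'uid=bob,ou=people,dc=example,dc=org'):
        print(user, authorized(SAMPLE, user, acl), authorized(SAMPLE, user, acl, use_memberof=False))
```

Both strategies take the user's DN as input, so the existing ldap-attr code for mapping the authenticated principal to a DN is reused unchanged; only the final check differs. The compare path avoids building a filter at all, which is one reason to prefer it when the server lacks memberOf.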