RSS feed

Re: support for ldap_compare

[Date Prev][Date Next] [Thread Prev][Thread Next]

Re: support for ldap_compare

On Tue, 2011-07-05 at 10:24 +0200, Stefan Andersson wrote:
> Are there any plans to add ldap_comapre?, could be used to implement
> pam_authz_compare.

I wasn't aware of ldap_compare but patches for useful functionality are

> A little background:
> We are using openldap with dynlist today for controlling access to
> hosts and that works with libpam-ldap and pam_groupdn because that one
> uses ldap_compare and not ldap_search as pam_authz_search do.
> Dynamic attributes are not visiable during search, they are added
> after all filtering is done.
> WIth pam_authz_search the filter I tested with looked like this
> (&(objectClass=groupOfURLs)(cn=server1)(uniqueMember=$dn))
> where uniqueMember is the dynamic attr.

Ok, that is interesting. I wasn't aware that these kind of attributes
cannot be searched.

Using ldap_compare on the DN's returned by pam_authz_search will be a
bit tricky, if only from the point of view to how to configure that in
nslcd.conf, perhaps the nicest would be to just use pam_groupdn and
pam_member_attribute from pam_ldap and do that test separately.

Anyway, patches like this are welcome.

-- arthur - - --
To unsubscribe send an email to or see