Re: support for ldap_compare
- From: Arthur de Jong <arthur [at] arthurdejong.org>
- To: nss-pam-ldapd-users [at] lists.arthurdejong.org
- Subject: Re: support for ldap_compare
- Date: Fri, 15 Jul 2011 18:35:39 +0200
On Tue, 2011-07-05 at 10:24 +0200, Stefan Andersson wrote:
> Are there any plans to add ldap_compare? It could be used to implement
> pam_authz_compare.

I wasn't aware of ldap_compare but patches for useful functionality are
welcome.

> A little background:
> We are using openldap with dynlist today for controlling access to
> hosts and that works with libpam-ldap and pam_groupdn because that one
> uses ldap_compare and not ldap_search as pam_authz_search does.
> Dynamic attributes are not visible during search; they are added
> after all filtering is done.
> With pam_authz_search the filter I tested with looked like this
> (&(objectClass=groupOfURLs)(cn=server1)(uniqueMember=$dn))
> where uniqueMember is the dynamic attr.

OK, that is interesting. I wasn't aware that these kinds of attributes
cannot be searched.

Using ldap_compare on the DNs returned by pam_authz_search will be a
bit tricky, if only from the point of view of how to configure that in
nslcd.conf. Perhaps the nicest would be to just use pam_groupdn and
pam_member_attribute from pam_ldap and do that test separately.

Anyway, patches like this are welcome.
--
-- arthur - arthur@arthurdejong.org - http://arthurdejong.org --
--
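
The difference discussed in this thread, as a simplified model added for illustration (not code from nss-pam-ldapd or OpenLDAP): the search filter is evaluated on stored attributes only, so a search-based check denies every user, while a compare on the expanded entry gives the expected answer. The directory contents, DNs and function names are constructed for the example.

```python
import re

# Constructed sample directory: two users and one groupOfURLs entry whose
# members exist only as a memberURL (no stored uniqueMember values).
PEOPLE = "ou=people,dc=example,dc=com"
ALICE, BOB = "uid=alice," + PEOPLE, "uid=bob," + PEOPLE
GROUP = "cn=server1,ou=hosts,dc=example,dc=com"
DIRECTORY = {
    ALICE: {"objectClass": ["inetOrgPerson"], "host": ["server1"]},
    BOB: {"objectClass": ["inetOrgPerson"], "host": ["server2"]},
    GROUP: {"objectClass": ["groupOfURLs"], "cn": ["server1"],
            "memberURL": ["ldap:///%s??sub?(host=server1)" % PEOPLE]},
}

def matches(entry, flt):
    """Evaluate an AND-of-equalities filter: (a=b) or (&(a=b)(c=d))."""
    terms = re.findall(r"\(([^()=&]+)=([^()]*)\)", flt)
    return bool(terms) and all(
        v.lower() in (x.lower() for x in entry.get(a, [])) for a, v in terms)

def expand(entry):
    """Model of dynlist: derive uniqueMember values from each memberURL."""
    out = dict(entry)
    for url in entry.get("memberURL", []):
        base, _attrs, _scope, flt = url[len("ldap:///"):].split("?")
        out["uniqueMember"] = out.get("uniqueMember", []) + [
            dn for dn, e in DIRECTORY.items()
            if dn.endswith(base) and matches(e, flt)]
    return out

def search(flt):
    """Model of ldap_search: filter on stored attributes, expand afterwards."""
    return {dn: expand(e) for dn, e in DIRECTORY.items() if matches(e, flt)}

def compare(dn, attr, value):
    """Model of ldap_compare: test the assertion on the expanded entry."""
    values = expand(DIRECTORY[dn]).get(attr, [])
    return value.lower() in (v.lower() for v in values)

def authz_by_search(user_dn, host):
    # Same filter shape as the pam_authz_search filter quoted in the thread.
    flt = "(&(objectClass=groupOfURLs)(cn=%s)(uniqueMember=%s))" % (host, user_dn)
    return bool(search(flt))

def authz_by_compare(user_dn, group_dn):
    # Same test pam_groupdn/pam_member_attribute perform, per the thread.
    return compare(group_dn, "uniqueMember", user_dn)
```

In this model the search-based check fails closed: it never grants access, even to a user the group's memberURL selects.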