Hi,
In phpldapadmin 1.1.0.4, is there a way to restrict login by
(ldap-backed) UNIX group ID? Our UNIX passwd and group databases are in
LDAP (thanks to PLA!). I would like for members of the 'sa' group to be
able to authenticate to PLA and do user and host database maintenance.
A simple OpenLDAP ACL won't work. There is no information in the user's
dn, by itself, that authorizes it as a member of the sa group. The sa
group's dn contains the list of memberUids to authorize, but of course
lacks any password information to authenticate against. This leaves
options built into PLA.
It looks like the PLA 'allowed_dns' parameter won't work. An LDAP
filter against a group dn doesn't return a dn, only a UNIX UID. (In
postfix, for example, the config file allows a hack to make this
possible: one can transform a UID into a dn with "result_format =
uid=%s,ou=people,dc=foobar,dc=com"). The other 'allowed_dns'
alternative, a list of individual user dns in config.php, would need to
be manually kept in sync with the sa group, which is inconvenient and error-prone.
Finally, there's SASL, which I don't understand, and haven't found very
comprehensive documentation for yet. It appears that it is simple for
SASL to authenticate either against an LDAP dn or a PAM user. However,
I haven't figured out yet whether it's even possible to authorize only
those dns whose uidNumber is a member of the sa dn's memberUid list, or
to authorize only those UNIX users who belong to the sa UNIX group.
Has anyone done this before, or know whether it's possible? Just a
pointer in the right direction, or an authoritative "uh uh, can't be
done" would help. Thanks-
John
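The "transform a UID into a dn" idea from the post, worked through as an added example (this is not code from the poster or from phpLDAPadmin). It assumes a constructed LDIF snapshot with a posixGroup `cn=sa` whose `memberUid` values are login names (as RFC 2307 defines them) and posixAccount entries under `ou=people,dc=example,dc=com`; the `result_format` string mirrors the postfix-style template mentioned above. It derives the allowed bind DNs from the group, drops memberUid values that have no matching account (a stale entry would otherwise grant a DN that does not exist), and checks a bind DN against the result case-insensitively, since DNs compare that way. Feeding it real `ldapsearch -LLL` output instead of the sample would produce a list suitable for any allowed-DNs style setting without hand-maintaining it.

```python
"""Derive allowed bind DNs from a posixGroup's memberUid list (added example)."""
from typing import Dict, List

# Constructed sample LDIF (not a real directory). 'dave' is listed in the
# group but has no account entry, to show the stale-member case.
SAMPLE_LDIF = """\
dn: cn=sa,ou=group,dc=example,dc=com
objectClass: posixGroup
cn: sa
gidNumber: 2001
memberUid: alice
memberUid: bob
memberUid: dave

dn: uid=alice,ou=people,dc=example,dc=com
objectClass: posixAccount
uid: alice
uidNumber: 1001
gidNumber: 2001

dn: uid=bob,ou=people,dc=example,dc=com
objectClass: posixAccount
uid: bob
uidNumber: 1002
gidNumber: 2002

dn: uid=carol,ou=people,dc=example,dc=com
objectClass: posixAccount
uid: carol
uidNumber: 1003
gidNumber: 2002
"""

# Assumed template, in the spirit of postfix's result_format: %s is the uid.
RESULT_FORMAT = "uid=%s,ou=people,dc=example,dc=com"
SA_GROUP_DN = "cn=sa,ou=group,dc=example,dc=com"


def parse_ldif(text: str) -> List[Dict[str, List[str]]]:
    """Minimal LDIF parser: blank-line separated entries, '#' comments,
    and leading-space continuation lines. Attribute names are lowercased."""
    unfolded: List[str] = []
    for line in text.splitlines():
        if line.startswith(" ") and unfolded:
            unfolded[-1] += line[1:]          # fold continuation onto previous line
        else:
            unfolded.append(line)
    entries: List[Dict[str, List[str]]] = []
    current: Dict[str, List[str]] = {}
    for line in unfolded:
        if line.startswith("#"):
            continue
        if not line.strip():
            if current:
                entries.append(current)
                current = {}
            continue
        attr, _, value = line.partition(":")
        current.setdefault(attr.strip().lower(), []).append(value.strip())
    if current:
        entries.append(current)
    return entries


def group_member_uids(entries: List[Dict[str, List[str]]], group_dn: str) -> List[str]:
    """Return the memberUid values of the entry whose dn matches group_dn."""
    for entry in entries:
        if entry.get("dn", [""])[0].lower() == group_dn.lower():
            return list(entry.get("memberuid", []))
    return []


def uids_to_dns(uids: List[str], result_format: str = RESULT_FORMAT) -> List[str]:
    """Apply the uid -> dn template to each login name."""
    return [result_format % uid for uid in uids]


def allowed_dns_from_group(entries: List[Dict[str, List[str]]], group_dn: str,
                           result_format: str = RESULT_FORMAT) -> List[str]:
    """Allowed bind DNs for the group, keeping only DNs that really exist
    in the directory snapshot so a stale memberUid cannot authorize a ghost."""
    known = {e["dn"][0].lower() for e in entries if "dn" in e}
    candidates = uids_to_dns(group_member_uids(entries, group_dn), result_format)
    return [dn for dn in candidates if dn.lower() in known]


def is_login_allowed(bind_dn: str, allowed: List[str]) -> bool:
    """Case-insensitive DN membership check, as DNs are compared in LDAP."""
    return bind_dn.lower() in {dn.lower() for dn in allowed}


if __name__ == "__main__":
    directory = parse_ldif(SAMPLE_LDIF)
    allowed = allowed_dns_from_group(directory, SA_GROUP_DN)
    for dn in allowed:
        print("allowed:", dn)
    for probe in ("uid=alice,ou=people,dc=example,dc=com",
                  "uid=carol,ou=people,dc=example,dc=com",
                  "uid=dave,ou=people,dc=example,dc=com"):
        print(probe, "->", is_login_allowed(probe, allowed))
```

In the sample, alice and bob are allowed, carol is refused because she is not in the group, and dave is refused even though he is listed, because no account entry backs his uid.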
phpldapadmin-users mailing list
[email protected]
https://lists.sourceforge.net/lists/listinfo/phpldapadmin-users