On Fri, Mar 22, 2013 at 08:04:08AM -0400, Dmitri Pal wrote:
> In IPA/389 each user has a full list of the DNs of the groups he is a
> member of.
> Also the member attribute in the group is the list of DNs of all members
> and member groups.
> IPA/389 supports a dereference control.
> But the question is: what are you trying to accomplish?
I'm trying to get a RHEL5 server with Apache 2.2 to use LDAP to
authenticate users, and only let the users of select groups have access.
This is configured through mod_authnz_ldap:
The problem I have is that we want to give access to nested groups, and
this doesn't seem possible with mod_authnz_ldap in apache 2.2 (v2.4
supports nesting, not 2.2).
Require ldap-group cn=tvadmins, cn=groups, cn=accounts, dc=example,
Require ldap-group cn=nocdrift, cn=groups, cn=accounts, dc=example,
Require ldap-group cn=systemdrift, cn=groups, cn=accounts, dc=example,
This doesn't work with nested groups, and it's something like that
commented out ldap-filter I'm looking for as a solution.
> If you need to check whether the user is a member of the group it is a
> simple search using member attribute as a filter.
Could you give me an example of such a filter?
Freeipa-users mailing list
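
The kind of filter asked about above, as an added example that is not part of the original thread or of FreeIPA's or Apache's own code: it turns a list of group DNs into one `Require ldap-filter` line for mod_authnz_ldap, escaping each DN per RFC 4515. Assumptions: the user entry's `memberOf` attribute already lists nested groups, as the quoted reply describes; the group DNs and the `dc=example,dc=test` suffix are constructed sample values; the function names are hypothetical.

```python
"""Build an Apache 2.2 'Require ldap-filter' line from group DNs (added example)."""

# RFC 4515: characters that must be escaped inside a filter assertion value.
_ESCAPES = {"\\": r"\5c", "*": r"\2a", "(": r"\28", ")": r"\29", "\0": r"\00"}

# Constructed sample DNs; the suffix is a placeholder, not taken from the thread.
SAMPLE_GROUPS = [
    "cn=tvadmins,cn=groups,cn=accounts,dc=example,dc=test",
    "cn=nocdrift,cn=groups,cn=accounts,dc=example,dc=test",
    "cn=systemdrift,cn=groups,cn=accounts,dc=example,dc=test",
]


def escape_filter_value(value):
    """Escape a value so it cannot change the structure of the filter."""
    return "".join(_ESCAPES.get(ch, ch) for ch in value)


def member_of_filter(group_dns):
    """Return a complete LDAP filter matching users in any of the groups."""
    if not group_dns:
        raise ValueError("at least one group DN is required")
    terms = ["(memberOf=%s)" % escape_filter_value(dn.strip()) for dn in group_dns]
    # A single group needs no OR wrapper.
    return terms[0] if len(terms) == 1 else "(|%s)" % "".join(terms)


def apache_require_line(group_dns):
    """Format the filter for mod_authnz_ldap.

    The module's documented examples give the filter without its outer
    parentheses (e.g. '&(cell=*)(department=marketing)'), so strip them.
    """
    return "Require ldap-filter " + member_of_filter(group_dns)[1:-1]


if __name__ == "__main__":
    print(apache_require_line(SAMPLE_GROUPS))
```

The same filter, with its outer parentheses kept and combined with `(uid=<login>)` under `&`, can be checked with `ldapsearch` against the accounts subtree before it goes into the Apache configuration.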