Ross Smith <[email protected]> writes:

> Instead of looking up the principal and checking an attribute, we would
> like to look up a key and check if an attribute contains the principal to
> grant access. e.g. our ldap is structured like below

> ou=,dn=,cn=,cn=my-wallet-group:
> member: uid=rjsm
> member: uid=foo
> member: uid=bar

Right, you have actual LDAP groups instead of entitlements. This is
actually the more natural way to do things, but our local environment is
weird, so I didn't write the code to do that.

> What is the best course of implementing something like this? I was
> planning to use the existing ldap-attr code as a starting point and
> implement this there?

That's what I'd do.

http://stackoverflow.com/questions/1032351/how-to-write-ldap-query-to-test-if-user-is-member-of-a-group
looks like the right way to construct the LDAP query to do a memberof
check.

(I'm hoping to get a wallet 1.0 release out in the next month or so.)

-- 
Russ Allbery ([email protected]) <http://www.eyrie.org/~eagle/>
________________________________________________
Kerberos mailing list [email protected]
https://mailman.mit.edu/mailman/listinfo/kerberos
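The group-membership check discussed in this thread, as an added example (not part of the original messages and not wallet code): it builds one filter that matches only when the group lists the member, escapes the value per RFC 4515, and fails closed on principals it cannot map. Assumptions: the realm EXAMPLE.ORG, the principal-to-"uid=" mapping, all function names, and sample_search, which is a constructed stand-in for a real LDAP search.

```python
import re

# RFC 4515: characters that must be written as \XX inside a filter value.
_ESCAPES = {"\\": r"\5c", "*": r"\2a", "(": r"\28", ")": r"\29", "\x00": r"\00"}

def escape_filter_value(value):
    return "".join(_ESCAPES.get(ch, ch) for ch in value)

def unescape_filter_value(value):
    return re.sub(r"\\([0-9a-fA-F]{2})", lambda m: chr(int(m.group(1), 16)), value)

def principal_to_member(principal, realm):
    # Assumed mapping: "rjsm@REALM" -> "uid=rjsm". Other realms and
    # instance principals (containing "/") are refused.
    user, sep, prealm = principal.rpartition("@")
    if not sep or prealm != realm or not user or "/" in user:
        raise ValueError("principal not eligible for group ACL: %r" % principal)
    return "uid=" + user

def membership_filter(group_cn, member):
    # One search that matches only if the group exists AND lists the member.
    return "(&(cn=%s)(member=%s))" % (
        escape_filter_value(group_cn), escape_filter_value(member))

# Constructed directory contents mirroring the group in the message.
SAMPLE_GROUPS = {"my-wallet-group": {"uid=rjsm", "uid=foo", "uid=bar"}}

def sample_search(ldap_filter):
    # Stand-in for a real LDAP search: understands only the filter shape
    # built above and compares the unescaped values exactly.
    m = re.fullmatch(r"\(&\(cn=(.*?)\)\(member=(.*?)\)\)", ldap_filter)
    if not m:
        return []
    cn, member = (unescape_filter_value(g) for g in m.groups())
    return [cn] if member in SAMPLE_GROUPS.get(cn, ()) else []

def check_acl(principal, group_cn, realm="EXAMPLE.ORG", search=sample_search):
    try:
        member = principal_to_member(principal, realm)
    except ValueError:
        return False  # fail closed on anything we cannot map
    # Grant only on exactly one matching group entry.
    return len(search(membership_filter(group_cn, member))) == 1
```

Without the escaping step, a principal whose user part is "*" would turn the member clause into a presence test and match any non-empty group.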
