Russ Allbery <[email protected]> writes:
> Ross Smith <[email protected]> writes:

>> What is the best course of implementing something like this? I was
>> planning to use the existing ldap-attr code as a starting point and
>> implement this there?

> That's what I'd do.

> http://stackoverflow.com/questions/1032351/how-to-write-ldap-query-to-test-if-user-is-member-of-a-group
> looks like the right way to construct the LDAP query to do a memberof
> check.

Some more thoughts on this:

You need to decide whether to store in the ACL the full DN of the group or
to store in the configuration some way to construct the DN given the group
name. I would lean towards the former; it's a little uglier, but it's the
most general, in case you have groups in multiple DN stems. I would
therefore lean towards an ACL syntax like:

    ldap-group cn=some-group,cn=groups,dc=example,dc=org

(This is, in fact, exactly why the new LDAP ACL scheme is called ldap-attr
and not just ldap; I knew we were going to need an ldap-group eventually.)

You should then be able to reuse the existing code and configuration for
how to map the authenticated user to a DN.

Once you have the user's DN and the DN of the LDAP group (from the ACL
information), you can then either do a memberof query (if you assume that
the LDAP server has memberof support), or do something more complex where
you do a compare to see if the group's member attribute contains the DN of
the user.

-- 
Russ Allbery ([email protected])              <http://www.eyrie.org/~eagle/>
________________________________________________
Kerberos mailing list           [email protected]
https://mailman.mit.edu/mailman/listinfo/kerberos
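The two membership checks Russ outlines (a memberOf query against the user's entry, or a compare of the group's member attribute against the user's DN), worked through as an added example. This is not code from the thread or from the ldap-attr implementation; it uses a constructed in-memory dictionary as a stand-in for the LDAP server, the DNs and entry contents are made up, and the DN normalization is a deliberately simplified form of distinguishedNameMatch (assumptions are noted in the comments). What it adds beyond the mail is the part that bites in practice: both DNs come from outside the code (one from the ACL line, one from the user mapping), so they must be RFC 4515-escaped before being spliced into a filter, and the comparison of member values must not be a plain string equality.

```python
"""Two ways to answer "is user_dn in group_dn?" for an ldap-group ACL, run
against a constructed in-memory directory that stands in for a real LDAP
server.  The filter builders are what you would hand to a real client."""

import re

# RFC 4515 escaping for values embedded in a search filter.  Both the user DN
# (derived from the authenticated principal) and the group DN (taken from the
# ACL line) must pass through this, otherwise '(' ')' '*' or '\' inside the
# value change what the filter matches.
_FILTER_ESCAPES = {"\\": r"\5c", "*": r"\2a", "(": r"\28", ")": r"\29", "\0": r"\00"}


def escape_filter_value(value: str) -> str:
    return "".join(_FILTER_ESCAPES.get(ch, ch) for ch in value)


def memberof_filter(group_dn: str) -> str:
    """Filter for a base-scope search at the user's DN.  Only works when the
    server maintains memberOf (AD, or OpenLDAP with the memberof overlay)."""
    return f"(memberOf={escape_filter_value(group_dn)})"


def member_filter(user_dn: str) -> str:
    """Filter for a base-scope search (or an LDAP compare) at the group's DN.
    Needs no memberOf support: the group's own member attribute is inspected."""
    return f"(member={escape_filter_value(user_dn)})"


def _unescape_filter_value(value: str) -> str:
    return re.sub(r"\\([0-9a-fA-F]{2})", lambda m: chr(int(m.group(1), 16)), value)


def _split_rdns(dn: str) -> list:
    # Split on commas that are not backslash-escaped (cn=Smith\, John stays whole).
    return re.split(r"(?<!\\),", dn)


def normalize_dn(dn: str) -> str:
    """Simplified distinguishedNameMatch: attribute types are case-insensitive,
    whitespace around '=' and ',' is insignificant, and values are folded to
    lower case.  That is correct for caseIgnore attributes (cn, ou, uid, dc),
    which is what the user and group DNs here are built from.  Assumption:
    no multi-valued RDNs and no hex-encoded (#...) values."""
    rdns = []
    for rdn in _split_rdns(dn):
        attr, _, value = rdn.partition("=")
        rdns.append(f"{attr.strip().lower()}={value.strip().lower()}")
    return ",".join(rdns)


def dn_equal(a: str, b: str) -> bool:
    return normalize_dn(a) == normalize_dn(b)


# Constructed sample directory: entry DN -> attributes.  rsmith is in the
# group, jdoe is not.  memberOf is filled in as a server with that overlay would.
DIRECTORY = {
    "uid=rsmith,ou=people,dc=example,dc=org": {
        "memberOf": ["cn=some-group,cn=groups,dc=example,dc=org"]},
    "uid=jdoe,ou=people,dc=example,dc=org": {"memberOf": []},
    "cn=some-group,cn=groups,dc=example,dc=org": {
        "objectClass": ["groupOfNames"],
        "member": ["uid=rsmith,ou=people,dc=example,dc=org"]},
}


def _lookup(directory: dict, dn: str):
    return next((a for d, a in directory.items() if dn_equal(d, dn)), None)


def _base_search(directory: dict, base_dn: str, filt: str) -> bool:
    """Evaluate a single (attr=value) equality filter against the entry at
    base_dn, treating the value as a DN.  Stand-in for a scope=base search."""
    attrs = _lookup(directory, base_dn)
    m = re.fullmatch(r"\((\w+)=(.*)\)", filt)
    if attrs is None or m is None:
        return False  # unknown entry or malformed filter: fail closed
    wanted = _unescape_filter_value(m.group(2))
    values = next((v for k, v in attrs.items() if k.lower() == m.group(1).lower()), [])
    return any(dn_equal(v, wanted) for v in values)


def is_member_via_memberof(directory: dict, user_dn: str, group_dn: str) -> bool:
    """Strategy 1: search the user's entry for memberOf=<group DN>."""
    return _base_search(directory, user_dn, memberof_filter(group_dn))


def is_member_via_compare(directory: dict, user_dn: str, group_dn: str) -> bool:
    """Strategy 2: check the group's member attribute for the user's DN."""
    return _base_search(directory, group_dn, member_filter(user_dn))


if __name__ == "__main__":
    user = "uid=rsmith,ou=people,dc=example,dc=org"
    group = "cn=some-group,cn=groups,dc=example,dc=org"
    print(memberof_filter(group), is_member_via_memberof(DIRECTORY, user, group))
    print(member_filter(user), is_member_via_compare(DIRECTORY, user, group))
```

Against a real server, `_base_search` becomes a base-scope search (or an LDAP compare operation for strategy 2) issued with the same filter strings; the escaping and the DN normalization are the parts to keep. Strategy 2 is the one to reach for when you cannot assume memberOf, as the mail notes, and both fail closed when the entry is missing or the filter does not parse.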
