vlad florentino wrote:
> LDAP Server: OpenLDAP 2.4.24
>
> Linux Distro: Fedora 15
>
> (I believe this question is generally about returning properties in
> subentries, when performing searches on a parent entry, in a way that's

You mean "child entries" not "subentries".

> transparent to clients making the requests. However, I have worded my question
> to be based on my specific use case.)
>
> ------------------------------------------------------------------------------
>
> Hi,
>
> I have successfully configured the Linux sssd service to fetch user login
> information from an LDAP directory service (which happens to be on the same
> machine). The file to configure for this lives at /etc/sssd/sssd.conf
>
> I have tested that I can create a linux user account in the LDAP directory, by
> creating an entry under the relevant DN. That node includes the objectClass
> 'posixAccount'.
>
>   ou=people
>   |
>   - uid=1000            # This entry has the objectClass 'posixAccount'
>
> performing a:
>
>   getent passwd | grep the-ldap-based-linux-username
>
> yields correct information.
>
> Now, for my problem:
>
> I'm trying to configure the LDAP directory such that credentials information
> is not duplicated. I would like to define the entries like so:
>
>   ou=people
>   |
>   - uid=1000                    # No posixAccount objectClass
>     |
>     + cn=contact-info           # contact stuff ...
>     - cn=account                # contains subtrees for account related stuff.
>       |
>       - cn=credentials          # Fields: uid, userPassword, uidNumber, gidNumber
>       - cn=linux-account        # Fields: homeDirectory, loginShell, ...
>       - cn=windows-account      # Fields: winHomeDirectory, sambaServerUrl, ...
>       - cn=samba-account        # Fields: space-quota, ...
>
> The point of what I'm trying to accomplish is that when ldap clients, such as
> the Linux sssd daemon, perform an account info search/fetch, they do so at the
> following node (not at its subnodes):
>
>   cn=account,uid=1000,ou=people
>
> And that, somehow, the OpenLDAP server would know to combine the info
> contained in the relevant subentries of cn=account, and return those to the
> client, as if those entries existed at cn=account.
>
> This would work, of course, if I were to place all the info at the cn=account
> node. But, that's what I'm trying to avoid.
>
> I've tried a few things, which have all been unsuccessful.
>
> Is it possible to do this with OpenLDAP (or LDAP in general)? If so, how?

That is not a feature of LDAP. Nor is this a typical usage. Why are you
partitioning the data like this? It looks like you're thinking of SQL. All of
the account info should simply be in the single entry.

> Regards,
>
> Vlad
>
> ------------------------------------------------------------------------------
>
> PS:
>
> A trick that I've found useful, and which can help in the final solution to
> the problem, is that the sssd daemon allows one to configure the name of the
> 'posixAccount'-like objectClass that it should use to locate account info. I
> noticed that I can tell it to look for a certain class, say c-linux-account,
> which I then define as an empty auxiliary class. The daemon will successfully
> find entries which contain this class. Then, if those entries contain
> properties named uid, userPassword, homeDirectory, etc., it will use those
> properties for their values. So, I can add that property to cn=account, and
> the daemon will find that entry correctly. I just now have to tell OpenLDAP to
> combine the entries below that node, and return them in the query.

-- 
  -- Howard Chu
  CTO, Symas Corp.           http://www.symas.com
  Director, Highland Sun     http://highlandsun.com/hyc/
  Chief Architect, OpenLDAP  http://www.openldap.org/project/
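The exchange above turns on one fact about LDAP search semantics: a search evaluates each entry on its own, so attributes held in child entries are never folded into the parent the client asked about. The following Python script is an added example written for this thread (it is not code from Vlad, Howard Chu, OpenLDAP or sssd). It stands a tiny in-memory LDIF reader in for the server and runs the same lookup an NSS client would perform against both layouts: the single posixAccount entry Howard recommends, and the partitioned tree from the question with the empty auxiliary class from the PS placed on cn=account (the `user_class` parameter plays the role of sssd's configurable user object class, `ldap_user_object_class`). All DNs, attribute values and the class name `c-linux-account` are constructed placeholders, and no schema is enforced, so the partitioned entries parse here even though a real slapd would reject them as written.

```python
"""Emulate LDAP search scoping over the two layouts discussed in the thread.
Added example, not code from Vlad, Howard Chu, OpenLDAP or sssd. A tiny
in-memory LDIF reader stands in for the server, so no schema is enforced;
all DNs, names and values are constructed placeholders."""

# Attributes an NSS client such as sssd needs to build one passwd(5) line.
PASSWD_ATTRS = ("uid", "uidNumber", "gidNumber", "homeDirectory", "loginShell")

# Howard's suggestion: every account attribute lives in the one user entry.
SINGLE_ENTRY_LDIF = """
dn: uid=vlad,ou=people,dc=example,dc=org
objectClass: inetOrgPerson
objectClass: posixAccount
uid: vlad
uidNumber: 1000
gidNumber: 1000
homeDirectory: /home/vlad
loginShell: /bin/bash
"""

# The layout from the question, with the empty auxiliary class from the PS
# (constructed name "c-linux-account") placed on cn=account.
PARTITIONED_LDIF = """
dn: uid=vlad,ou=people,dc=example,dc=org
objectClass: inetOrgPerson
uid: vlad

dn: cn=account,uid=vlad,ou=people,dc=example,dc=org
objectClass: c-linux-account
cn: account

dn: cn=credentials,cn=account,uid=vlad,ou=people,dc=example,dc=org
uid: vlad
userPassword: {SSHA}placeholder-hash
uidNumber: 1000
gidNumber: 1000

dn: cn=linux-account,cn=account,uid=vlad,ou=people,dc=example,dc=org
homeDirectory: /home/vlad
loginShell: /bin/bash
"""


def parse_ldif(text):
    """Minimal LDIF reader (no base64, no folded lines) -> {dn: {attr: [values]}}."""
    entries, dn, attrs = {}, None, {}
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("#"):
            continue
        if not line:  # a blank line ends the current entry
            if dn is not None:
                entries[dn] = attrs
            dn, attrs = None, {}
            continue
        name, _, value = line.partition(":")
        if name == "dn":
            dn, attrs = value.strip(), {}
        else:
            attrs.setdefault(name, []).append(value.strip())
    if dn is not None:
        entries[dn] = attrs
    return entries


def in_scope(dn, base, scope):
    # Textual DN comparison; escaped commas in RDNs are not handled.
    if dn == base:
        return scope in ("base", "sub")
    if not dn.endswith("," + base):
        return False
    # "one" means exactly one RDN below the base; "sub" means any depth.
    return scope == "sub" or (scope == "one" and "," not in dn[:-len(base) - 1])


def search(entries, base, scope, match=lambda dn, attrs: True):
    """Return [(dn, attrs)] for in-scope entries satisfying match. As on a real
    server each entry is judged alone: a child's attributes never merge into its parent."""
    return [(dn, a) for dn, a in entries.items() if in_scope(dn, base, scope) and match(dn, a)]


def resolve_passwd(entries, base, username, user_class="posixAccount"):
    """Mimic an NSS user lookup: subtree search for the configured object class
    and uid, then require every attribute a passwd line needs. None if incomplete."""
    hits = search(entries, base, "sub", lambda dn, a: user_class in a.get("objectClass", [])
                  and username in a.get("uid", []))
    for _dn, a in hits:
        if all(k in a for k in PASSWD_ATTRS):
            return {k: a[k][0] for k in PASSWD_ATTRS}
    return None


def demo():
    base = "ou=people,dc=example,dc=org"
    account_dn = "cn=account,uid=vlad," + base
    split = parse_ldif(PARTITIONED_LDIF)
    return {
        "single": resolve_passwd(parse_ldif(SINGLE_ENTRY_LDIF), base, "vlad"),
        # the PS trick: client told to look for objectClass c-linux-account
        "partitioned": resolve_passwd(split, base, "vlad", user_class="c-linux-account"),
        # a base-scope search at cn=account yields only that entry's own attributes
        "account_attrs": sorted(search(split, account_dn, "base")[0][1]),
    }
```

Running `demo()` resolves the single-entry layout to a complete passwd record, while the partitioned layout resolves to nothing even with the auxiliary class on cn=account: the base search there returns only `cn` and `objectClass`, because the uid, uidNumber and homeDirectory values live in sibling entries one level down that the server never merges upward. That is the behaviour Howard describes, and it is why the account attributes belong in the one user entry.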
