[TriLUG] OpenLDAP Question

David Brain dbrain at gmail.com
Tue Aug 9 20:19:10 EDT 2011


Matt,

I believe that what you propose would work, _if_ the LDAP directory
could be structured this way (there's a difference between a group
and an OU, and I'm not seeing a way of creating an OU in free-ipa),
also there are other applications dependent on the current 'flat'
structure of the directory.

Thanks,

David.

On Tue, Aug 9, 2011 at 7:27 PM, Matt Pusateri
<mpusateri at wickedtrails.com> wrote:
> Why can't you just create a group asa_users and then specify that in the base dn, like ou=asausers,dc=example, dc=com.  Then add everyone to that group. Yes it would be a pain to maintain a separate list just for that, but it should work.  I really can't believe that an ASA can't traverse the ldap tree.
>
> Matt P.
>
> On Aug 4, 2011, at 9:41 PM, David Brain wrote:
>
>> Hi,
>>
>> So the client device (Cisco ASA) has rather limited LDAP functionality
>> - I'm only allowed a basedn and a field that becomes a filter for
>> 'uid=<nameyoutypedin>' - there's no (obvious at least to me) way to
>> specify additional filters - if I could I'd just solve the whole thing
>> with a memberOf=<specialgroup>.
>>
>> At the other end directory is openldap (well free-ipa) which doesn't
>> seem to allow for much in the way of anything other than groups, and I
>> can't make any changes there anyway much as it's a live system with
>> other dependents.
>>
>> David.
>>
>> On Thu, Aug 4, 2011 at 7:16 PM, Matt Pusateri
>> <mpusateri at wickedtrails.com> wrote:
>>> I'm still trying to figure out what the problem of the device is?  Can it not traverse the ldap tree and do sub searches?  I assume there is some interface for adding the ldap server config and some point in the ldap tree to bind to?  A little more info on how it's setup and what fields you can populate might help.
>>>
>>> Matt P.
>>> On Aug 3, 2011, at 11:40 AM, David Brain wrote:
>>>
>>>> Hi,
>>>>
>>>> Slightly off topic - but thought this might be as good a place to ask
>>>> this as any..
>>>>
>>>> Is it possible to set up a proxy OpenLDAP server that serves a 'view'
>>>> of its backend server's data based on an LDAP filter?  I'm trying to
>>>> get a reluctant network device to auth through LDAP, and all would be
>>>> well if it could just use a filter, however as it's a closed system
>>>> it's just not possible, so my first thought for a solution is to run a
>>>> proxy LDAP server that 'pre-filters' the data.
>>>>
>>>> Any thoughts or alternate solutions welcomed...
>>>>
>>>> David.
>>>> --
>>>> This message was sent to: M. Pusateri <mpusateri at wickedtrails.com>
>>>> To unsubscribe, send a blank message to trilug-leave at trilug.org from that address.
>>>> TriLUG mailing list : http://www.trilug.org/mailman/listinfo/trilug
>>>> Unsubscribe or edit options on the web        : http://www.trilug.org/mailman/options/trilug/mpusateri%40wickedtrails.com
>>>> TriLUG FAQ          : http://www.trilug.org/wiki/Frequently_Asked_Questions


