
List:       proftpd-users
Subject:    [Proftpd-user] proftpd:mod_ldap:LDAPDoGIDLookups howto?
From:       Ken Johanson <proftpd () onnet ! cc>
Date:       2007-01-31 22:31:08
Message-ID: 45C118AC.1090304 () onnet ! cc

Greetings,

I'd already asked this question but am trying to clarify it so that 
folks may be better able to understand.

Can anyone explain which mode LDAPDoGIDLookups runs in; does it do the 
group-lookup only by search with the user's 'gidNumber' attribute? Or, 
can it be configured to match group-ACLs against more-than-one LDAP 
group? In other words can it check all memberships a user has? (e.g. one 
or more posixGroup entries that have the person's memberUid attribute)

So far, I have not been able to match group ids other than my own singleton 
'gidNumber'.

Here are my relevant mod_ldap settings:

LDAPServer ldap01 ldap02
LDAPDoAuth on "ou=Users,dc=foo,dc=com" (|(uid=%v)(mail=%v)(cn=%v))
LDAPDoGIDLookups on "dc=foo,dc=com" (&(memberUid=%v)(objectclass=posixGroup))
LDAPAuthBinds                  on
LDAPDefaultUID                  504
LDAPForceDefaultUID             on
PersistentPasswd                off
LDAPAttr                        uid cn

(I am re-mapping cn to the UID because I use numeric CNs and also the 
same numeric ids in my proftpd ACLs)

I have tried several variations of LDAPDoGIDLookups but the following 
ACL only allows me to pass if the group ID is the same as my 
person-entry's gidNumber (26):

<Limit ALL>
Deny all
#AllowUser 18000
# OK:
AllowGroup 26
# FAILS although the posixgroup by that CN has a
# memberUid attribute of 18000 (me):
#AllowGroup 5
</Limit>

Any advice on this would be much appreciated.

Thanks,
Ken
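The question above turns on what value gets substituted for %v in the group-lookup filter template: a filter on memberUid only finds a user's secondary posixGroups if the user's uid is what gets substituted, while substituting the numeric primary gidNumber into a memberUid filter matches nothing. The following is an added example, not code from the original post or from ProFTPD's mod_ldap. It is a toy evaluator for the RFC 4515 filter subset used in the post (&, |, and equality), run against a constructed directory modelled on the entries the post describes (person uid/cn 18000 with gidNumber 26, posixGroup cn=5 listing memberUid 18000). How mod_ldap itself fills %v for GID versus membership lookups is an assumption here, chosen to illustrate the two cases; check the mod_ldap documentation for the version in use.

```python
"""Toy model of LDAP group-lookup filter templates with %v substitution.

Added example: not from the original post and not mod_ldap code.  The
directory is constructed; the lookup semantics are an assumption used to
show why a memberUid filter fed a gidNumber matches nothing.
"""

# Constructed directory (labelled as such): one person, two posixGroups.
DIRECTORY = [
    {"dn": "cn=18000,ou=Users,dc=foo,dc=com",
     "objectclass": ["inetOrgPerson", "posixAccount"],
     "uid": ["18000"], "cn": ["18000"], "uidNumber": ["18000"],
     "gidNumber": ["26"]},
    {"dn": "cn=26,ou=Groups,dc=foo,dc=com", "objectclass": ["posixGroup"],
     "cn": ["26"], "gidNumber": ["26"], "memberUid": []},
    {"dn": "cn=5,ou=Groups,dc=foo,dc=com", "objectclass": ["posixGroup"],
     "cn": ["5"], "gidNumber": ["5"], "memberUid": ["18000", "18001"]},
]

# Filter templates as written in the post (assumed roles: the first maps
# a numeric gid to its group entry, the second finds groups a uid is in).
GID_LOOKUP = "(&(gidNumber=%v)(objectclass=posixGroup))"
MEMBER_LOOKUP = "(&(memberUid=%v)(objectclass=posixGroup))"


def parse_filter(text):
    """Parse a filter limited to (&...), (|...) and (attr=value)."""
    pos = 0

    def parse():
        nonlocal pos
        if text[pos] != "(":
            raise ValueError("expected '(' at %d" % pos)
        pos += 1
        if text[pos] in "&|":
            op = text[pos]
            pos += 1
            kids = []
            while text[pos] == "(":
                kids.append(parse())
            if text[pos] != ")":
                raise ValueError("expected ')' at %d" % pos)
            pos += 1
            return (op, kids)
        end = text.index(")", pos)
        attr, sep, value = text[pos:end].partition("=")
        if not sep:
            raise ValueError("unsupported filter item: %r" % text[pos:end])
        pos = end + 1
        # LDAP attribute names are case-insensitive.
        return ("=", attr.strip().lower(), value)

    node = parse()
    if pos != len(text):
        raise ValueError("trailing data after filter")
    return node


def matches(attrs, node):
    """Evaluate a parsed filter against a lower-cased attribute dict."""
    if node[0] == "&":
        return all(matches(attrs, k) for k in node[1])
    if node[0] == "|":
        return any(matches(attrs, k) for k in node[1])
    _, attr, value = node
    return any(v.lower() == value.lower() for v in attrs.get(attr, []))


def search(base, template, value):
    """Substitute %v and return the cn of each matching entry under base."""
    node = parse_filter(template.replace("%v", value))
    hits = []
    for entry in DIRECTORY:
        if not entry["dn"].lower().endswith(base.lower()):
            continue
        attrs = {k.lower(): v for k, v in entry.items() if k != "dn"}
        if matches(attrs, node):
            hits.append(entry["cn"][0])
    return hits


def groups_for(uid, primary_gid, base="dc=foo,dc=com"):
    """Group names a user is checked against under the assumed model:
    the primary group resolved by gidNumber, plus every group whose
    memberUid lists the user's uid."""
    names = set(search(base, GID_LOOKUP, primary_gid))
    names.update(search(base, MEMBER_LOOKUP, uid))
    return names


def allow_group_passes(allowed_group, uid, primary_gid):
    """Mirror an 'AllowGroup <name>' check against the resolved groups."""
    return allowed_group in groups_for(uid, primary_gid)


if __name__ == "__main__":
    print("member lookup with uid 18000:", search("dc=foo,dc=com", MEMBER_LOOKUP, "18000"))
    print("member lookup with gid 26:   ", search("dc=foo,dc=com", MEMBER_LOOKUP, "26"))
    print("AllowGroup 26:", allow_group_passes("26", "18000", "26"))
    print("AllowGroup 5: ", allow_group_passes("5", "18000", "26"))
```

Feeding the uid into the memberUid filter returns group 5; feeding the primary gid 26 into the same filter returns nothing, since no posixGroup lists "26" as a memberUid. Whether a given mod_ldap build performs a separate membership lookup, and with which substituted value, is what to verify against its documentation and debug logging.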



_______________________________________________
ProFTPD Users List   <proftpd-users@proftpd.org>
