From: Mike D. <mi...@de...> - 2010-03-12 04:25:51

Hi all - I couldn't find my answer in your archives so I joined the list. Thanks for being here.

Background

I'm new to most of this but I managed to configure (for testing) a local Novell eDirectory 8.7 LDAP service to respond to a remote request for authentication. The client is a php website which requires auth and which was built by someone else. I provided the bind user and I can create my own local eDirectory users and successfully log them in to the website.

The problem

The website owner has a large tree of Novell servers whereas my test setup is a single server. We now wish to point the php website at the large tree so that vast numbers of employees can login using their Novell credentials. The problem is that the credentials are spread over a number of org/org units like this ...

maintree
  central (o)
    binduser (cn)
  suburbs (o)
    footscray (ou)
      users (cn)s
    glenroy (ou)
      moreusers (cn)
    bayside (ou)

... and when I try to configure my own eDirectory in a similar structure, the binduser cannot find credentials outside its own container.

I can solve the problem by creating an alias object named identically for the user in the other container but this is totally unwieldy from the viewpoint of the sheer numbers of users. It would be awful to do that if there was another way.

Question

Is there another way?

Thanks

Mike

From: Yeargan, Y. <ya...@un...> - 2010-03-12 05:32:54

Your question is really about Novell eDirectory, not the Python LDAP module; so I will provide a brief answer here and you may contact me directly for more eDirectory information. However, I would first make sure that the LDAP search base parameter is set to either "o=central" or "o=suburbs".

To begin, you will not need an alias. The default eDirectory LDAP configuration allows anonymous LDAP binds, so a 'bind user' may not be strictly necessary either. If you do authenticate in order to perform a search for the user's account, eDirectory also defaults to every user being able to browse the structure of the tree. It should be possible to find a user account by the CN value (or 'sn' or 'givenName') simply using the default configuration and security permissions. If your search involves another attribute that is not publicly visible, then you may need to grant additional directory permissions to the 'bind user'.

That's all I will say here. Feel free to contact me directly for more information about Novell eDirectory.

Yancey

On Mar 11, 2010, at 10:25 PM, Mike Dewhirst wrote:

> Hi all - I couldn't find my answer in your archives so I joined the
> list. Thanks for being here.
>
> Background
>
> I'm new to most of this but I managed to configure (for testing) a local
> Novell eDirectory 8.7 LDAP service to respond to a remote request for
> authentication. The client is a php website which requires auth and
> which was built by someone else. I provided the bind user and I can
> create my own local eDirectory users and successfully log them in to the
> website.
>
> The problem
>
> The website owner has a large tree of Novell servers whereas my test
> setup is a single server. We now wish to point the php website at the
> large tree so that vast numbers of employees can login using their
> Novell credentials. The problem is that the credentials are spread over
> a number of org/org units like this ...
>
> maintree
>   central (o)
>     binduser (cn)
>   suburbs (o)
>     footscray (ou)
>       users (cn)s
>     glenroy (ou)
>       moreusers (cn)
>     bayside (ou)
>
> ... and when I try to configure my own eDirectory in a similar
> structure, the binduser cannot find credentials outside its own container.
>
> I can solve the problem by creating an alias object named identically
> for the user in the other container but this is totally unwieldy from
> the viewpoint of the sheer numbers of users. It would be awful to do
> that if there was another way.
>
> Question
>
> Is there another way?
>
> Thanks
>
> Mike

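The approach described in the reply above (search from a base that covers every user container, then verify the password by binding as the entry that was found), as an added example that is not part of the original thread. The account names, passwords and the `FakeDirectory` stand-in are constructed so the code runs without a server; only the container names come from the question.

```python
# Added example: search-then-bind login across containers.
# `conn` is any object with python-ldap's search_s / simple_bind_s methods.
SCOPE_SUBTREE = 2  # same value as ldap.SCOPE_SUBTREE

def escape_filter(value):
    """RFC 4515 escaping (python-ldap ships ldap.filter.escape_filter_chars)."""
    specials = {"\\": r"\5c", "*": r"\2a", "(": r"\28", ")": r"\29", "\0": r"\00"}
    return "".join(specials.get(ch, ch) for ch in value)

def authenticate(conn, base, username, password):
    """Return the user's DN when the credentials verify, otherwise None."""
    if not username or not password:
        return None  # a bind with an empty password is unauthenticated, not a login
    found = conn.search_s(base, SCOPE_SUBTREE, "(cn=%s)" % escape_filter(username), ["cn"])
    if len(found) != 1:
        return None  # unknown user, or the same cn exists in several containers
    dn = found[0][0]
    try:
        conn.simple_bind_s(dn, password)  # the server checks the password
    except Exception:  # python-ldap raises ldap.INVALID_CREDENTIALS here
        return None
    return dn

class FakeDirectory:
    """Constructed in-memory stand-in for the tree in the question."""
    def __init__(self, users):
        self.users = users  # {dn: password}

    def search_s(self, base, scope, filterstr, attrlist=None):
        wanted = filterstr[len("(cn="):-1]  # literal cn match only
        hits = []
        for dn in self.users:
            cn = dn.split(",")[0][len("cn="):]
            if dn.endswith("," + base) and cn == wanted:
                hits.append((dn, {"cn": [cn.encode()]}))
        return hits

    def simple_bind_s(self, dn, password):
        if self.users.get(dn) != password:
            raise ValueError("invalid credentials")

TREE = FakeDirectory({  # constructed sample accounts
    "cn=binduser,o=central": "bind-secret",
    "cn=alice,ou=footscray,o=suburbs": "a-secret",
    "cn=bob,ou=glenroy,o=suburbs": "b-secret",
})
```

With python-ldap, `conn` would come from `ldap.initialize(uri)`; use a fresh connection per login, because the final bind changes the identity the connection runs as.
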
From: Michael S. <mi...@st...> - 2010-03-12 15:17:35

Yeargan, Yancey wrote:
>
> Your question is really about Novell eDirectory, not the Python LDAP module;

That's definitely related to Novell eDirectory.

I vaguely remember that some eDirectory allowed searching with an empty search root. Not sure but worth a short test.

Ciao, Michael.

From: Mike D. <mi...@de...> - 2010-03-12 23:02:32

Thanks all - much appreciated

Mike

On 13/03/2010 2:17am, Michael Ströder wrote:
> Yeargan, Yancey wrote:
>>
>> Your question is really about Novell eDirectory, not the Python LDAP module;
>
> That's definitely related to Novell eDirectory.
>
> I vaguely remember that some eDirectory allowed searching with an empty search
> root. Not sure but worth a short test.
>
> Ciao, Michael.