On Mon, Sep 03, 2012 at 03:05:50PM +0200, Alexis GÜNST HORN wrote:

> dc=example,dc=com
>   ou=Users
>     uid=user1
>     uid=user2
>   ou=Foo
>     uid=user3
>     uid=user4
>   ou=Groups
>     cn=...
>     cn=...
>
> What I want :
>
> * if i'm "Ou=Users" member, for example "user1", with pam_ldap
>   suffix : "dc=example,dc=com" :
>
>   $ getent passwd
>   user1
>   user2
>
> * if i'm "Ou=Foo" member, for example "user_b", with pam_ldap suffix
>   : "dc=example,dc=com" :
>
>   $ getent passwd
>   user3
>   user4
>
> Is it possible to do so without modifying the DIT structure ? (only
> with ACL ?)

Rather unlikely, as 'getent passwd' is a Unix/Linux command that gets to
LDAP via NSS. The LDAP server will not know the identity of the end-user,
so cannot return different results to different people.

Further, most systems that use NSS LDAP have a cache/proxy process between
the getent API and the LDAP client library. That means that the LDAP
client library sees *all* requests coming from the same process and thus
the same user ID.

If your 'Foo' users and your 'Users' users are on separate machines then
you could do something: move ou=Foo up alongside ou=Users and configure
NSS/PAM on each machine to access just the relevant subtree.

Andrew
--
-----------------------------------------------------------------------
| From Andrew Findlay, Skills 1st Ltd                                 |
| Consultant in large-scale systems, networks, and directory services |
| http://www.skills-1st.co.uk/                       +44 1628 782565  |
-----------------------------------------------------------------------
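As an added illustration of the per-machine approach Andrew describes (this is not configuration from the thread), the fragments below show the NSS search bases that the PADL nss_ldap/pam_ldap client reads from /etc/ldap.conf on each of the two machines. The DNs follow the DIT posted above, with ou=Foo assumed to sit directly under dc=example,dc=com as suggested; the `?one` suffix limits each lookup to a single-level search so that a host only ever enumerates its own subtree, and the server-side ACL is left untouched.

```conf
# /etc/ldap.conf on the machine used by the ou=Users people
# (added example, assumes PADL nss_ldap/pam_ldap directive names)
uri             ldap://ldap.example.com/
base            dc=example,dc=com
nss_base_passwd ou=Users,dc=example,dc=com?one
nss_base_shadow ou=Users,dc=example,dc=com?one
nss_base_group  ou=Groups,dc=example,dc=com?one

# /etc/ldap.conf on the machine used by the ou=Foo people
# (same directives, only the passwd/shadow bases differ)
uri             ldap://ldap.example.com/
base            dc=example,dc=com
nss_base_passwd ou=Foo,dc=example,dc=com?one
nss_base_shadow ou=Foo,dc=example,dc=com?one
nss_base_group  ou=Groups,dc=example,dc=com?one
```

Because the restriction lives in the client's search base rather than in the directory, a user who can reach the other machine (or run their own ldapsearch against the server) still sees the other subtree; the split only changes what `getent passwd` enumerates on each host, which is the limit Andrew's reply points out.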
