Taha Ozket wrote:
> Hi,
>
> I have an LDAP group, "pgsql-developers". I have a user (user1) who is a
> member of this group;
>
> group
> dn: cn=pgsql-developers,ou=Groups,o=Dep,dc=x,dc=x,dc=x
> objectClass: groupOfUniqueNames
> objectClass: top
> cn: SVN Committers
> uniqueMember: uid=user1,ou=Users,o=Dep,dc=x,dc=x,dc=x
>
> user
> dn: uid=user1,ou=Users,o=Dep,dc=x,dc=x,dc=x
> objectClass: person
> objectClass: top
> objectClass: uidObject
> cn:: Denem1
> sn:: Deneme2
> uid: user1
> userPassword:: e01ENX10WnhudnhscVIxZ1pIa0wzWm5ET3VnPT0=
>
> I added this line to pg_hba.conf [1]
>
> host all all 172.20.0.0/16 ldap "ldap://localhost/basedn;cn=;,cn=pgsql-developers,ou=Groups,o=Dep,dc=x,dc=x,dc=x"
>
> But now PostgreSQL requires that my user1 be defined under
> cn=pgsql-developers,ou=Groups.. But I want to give login permission to
> pgsql-developers members.
>
> How can I change this line to give login permission to
> pgsql-developers members?

This is not something you currently can do. We can only do LDAP
authentication, not authorization. There's no way to restrict it to a
particular group.

One way to accomplish what you're trying to do is to have a script that
synchronizes the members of the group to PostgreSQL accounts (account
name and role membership only), and still use LDAP for authentication.
It doesn't work in every case, but it does work in most.

//Magnus
--
Sent via pgsql-general mailing list (pgsql-general@[EMAIL PROTECTED])
To make changes to your subscription:
http://www.postgresql.org/mailpref/pgsql-general
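
A sketch of the synchronization script suggested in the reply, as an added example (not code from the thread or from PostgreSQL). It turns the group's `uniqueMember` DNs into the SQL that keeps a group role in step with LDAP. The role name `pgsql_developers`, the lower-casing of uids, the `PROTECTED` set and the constructed sample data are assumptions; in practice the inputs would come from an LDAP search and from `pg_roles` / `pg_auth_members`.

```python
import re

# Constructed sample: uniqueMember values of cn=pgsql-developers.
GROUP_MEMBERS = [
    "uid=user1,ou=Users,o=Dep,dc=x,dc=x,dc=x",
    "uid=User2,ou=Users,o=Dep,dc=x,dc=x,dc=x",
]
GROUP_ROLE = "pgsql_developers"   # assumed NOLOGIN group role holding the grants
PROTECTED = {"postgres"}          # assumed: roles the sync must never touch
SAFE_UID = re.compile(r"^[a-z_][a-z0-9_]{0,62}$")

def uid_from_dn(dn):
    """Lower-cased uid from the first RDN, or None if absent or unsafe."""
    attr, _, value = dn.split(",", 1)[0].partition("=")
    value = value.strip().lower()
    if attr.strip().lower() != "uid" or not SAFE_UID.match(value):
        return None   # directory data is untrusted input to SQL
    return value

def quote_ident(name):
    """Quote a PostgreSQL identifier (doubling embedded quotes)."""
    return '"' + name.replace('"', '""') + '"'

def plan_sync(member_dns, existing_roles, current_members, group=GROUP_ROLE):
    """SQL statements that make the group role's membership match LDAP."""
    wanted = {u for u in map(uid_from_dn, member_dns) if u} - PROTECTED
    stmts = []
    for uid in sorted(wanted - set(current_members)):
        verb = "ALTER" if uid in existing_roles else "CREATE"
        stmts.append(f"{verb} ROLE {quote_ident(uid)} LOGIN;")
        stmts.append(f"GRANT {quote_ident(group)} TO {quote_ident(uid)};")
    # Removed from the LDAP group: the LDAP bind would still succeed, so the
    # PostgreSQL role itself has to lose membership and the right to log in.
    for uid in sorted(set(current_members) - wanted - PROTECTED):
        stmts.append(f"REVOKE {quote_ident(group)} FROM {quote_ident(uid)};")
        stmts.append(f"ALTER ROLE {quote_ident(uid)} NOLOGIN;")
    return stmts

if __name__ == "__main__":
    for line in plan_sync(GROUP_MEMBERS, {"user1", "olduser"}, {"user1", "olduser"}):
        print(line)
```

Because `pg_hba.conf` only authenticates, the `NOLOGIN` step is what actually removes access for someone who has left the group.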