[Fedora-directory-users] Specifying an all-inclusive User directory subtree?

[Rich Megginson]

FDS does not support this.  There has been some work done in this area 
though, and it can easily be supported via a plugin.  There are two 
example plug-ins included with the source code - 
http://cvs.fedora.redhat.com/lxr/dirsec/source/ldapserver/ldap/servers/slapd/test-plugins/ 
- the testdatainterop and testdbinterop plugins.  These implement the 
capability to intercept search requests directed at the 'null suffix' "".

Ideally, one would be able to configure the mapping tree (see the 
example code) and specify a list of suffixes to which access is allowed 
from a onelevel or subtree search from the "" suffix - you probably want 
searches to go into dc=yourdomain,dc=tld but not cn=schema or 
cn=config.  This would also allow for "global" inheritance - setting 
ACIs, groups, roles, etc. at the top level and having them apply to all 
suffixes.

Kevin Myer wrote:

>On initial configuration and later in the management console, you specify or use
>a "User directory subtree".  For a single organization, this may be easy to
>setup, but for ourselves, we manage directory entries for a variety of
>.k12.pa.us, .org, and .net domains.  So whats the best way of creating a view
>that encompasses all of those?  Is it possible to use a blank subtree, so that
>when I search for a user from within the management application, I can find
>them all, regardless of the domain components used?  Or are there better ways
>to handle this?
>
>Thanks,
>Kevin
>
>  
>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: smime.p7s
Type: application/x-pkcs7-signature
Size: 3312 bytes
Desc: S/MIME Cryptographic Signature
URL: <http://lists.fedoraproject.org/pipermail/389-users/attachments/20050728/3b42b817/attachment.bin>