
I am really lost here and would appreciate some help.

My organization already maintains an OpenLDAP server which allows read-only access.

Running this gives me an entire dump of all the users and groups and OUs in my organization.

ldapsearch -x -b dc=corp,dc=ORG,dc=com -H ldap://xx.eng.yy.ORG.com

This is good, now I have the organization hierarchy in my hand.


Next, I want to create an OpenLDAP server and have this server "override" groups that are not present in the parent OpenLDAP server, so for example in the Parent/Main LDAP server:

There is an OU=support in which there's 100s of users. I want to add more granularity to these users.

What I would like to do on my CHILD LDAP server is:

  • Create a new group named Support-NewHires
  • Add a small number of users from OU=support in this new group.

So when I use CHILD ldap server anywhere and login as one of the users in Support-NewHires, the LDAP query will be forwarded to the PARENT LDAP server (for passwords) but the permissions would be set according to where I configured Support-NewHires to access.

Let's say John is a new hire in OU=Support and Jane is a veteran in OU=Support. So, I add John to OU=Support-NewHires.

Now I have an application with LDAP integration (VMware vCenter) which I would integrate with the CHILD LDAP server. I will set restricted Access Controls for the OU=Support-NewHires group and Full Control access for the OU=Support group.

Now when John logs in, he will see the restricted view, but if Jane logs in she will get the unrestricted view. I won't have to deal with storing any of their passwords or other details, just their UID=

Note that I do not have write permissions to access PARENT LDAP server.

RuMAN S

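The layered design asked about above (local groups on the child, passwords and everything else still answered by the read-only parent) is what OpenLDAP's slapo-translucent overlay is built for: the child keeps its own database for locally added entries and attribute overrides, and a captive back-ldap connection fetches the rest, including simple binds, from the parent. The slapd.conf fragment below is an added illustration, not configuration from the poster; the host name parent-ldap.ORG.example, the schema and directory paths, the rootdn, the ACLs and the index list are assumptions, and the directive layout is written from slapo-translucent(5) and slapd-ldap(5) as I recall them, so check it against the man pages of the installed release.

```conf
# Added example: child OpenLDAP instance layered on a read-only parent.
# Assumed values: schema paths, host name, directory path, rootdn/rootpw, ACLs.
include         /etc/openldap/schema/core.schema
include         /etc/openldap/schema/cosine.schema
include         /etc/openldap/schema/inetorgperson.schema

moduleload      back_mdb.la
moduleload      back_ldap.la
moduleload      translucent.la

# Local store: holds only what the child adds (the Support-NewHires group and
# any attribute overrides). No user passwords live here.
database        mdb
suffix          "dc=corp,dc=ORG,dc=com"
rootdn          "cn=child-admin,dc=corp,dc=ORG,dc=com"
rootpw          {SSHA}REPLACE-WITH-SLAPPASSWD-OUTPUT
directory       /var/lib/ldap/child
index           objectClass,member eq

# Merge local entries and overrides onto whatever the parent returns.
overlay         translucent
# Fail with a constraint violation instead of silently ignoring deletes
# that cannot be applied to the merged view.
translucent_strict
# Apply filters on this attribute to the local store as well, so a lookup
# such as (&(objectClass=groupOfNames)(member=<user DN>)) finds local groups.
translucent_local  member
# translucent_bind_local is deliberately left off: every simple bind is
# forwarded to the parent, which stays the only holder of credentials.

# Captive back-ldap connection to the parent. LDAPS so the proxied bind
# passwords never cross the network in the clear.
uri             "ldaps://parent-ldap.ORG.example/"

# Only the rootdn may add overrides; everyone else must bind before reading,
# and no client can read password attributes through the child.
access to attrs=userPassword
        by anonymous auth
        by * none
access to *
        by users read
        by anonymous auth
```

The Support-NewHires group is then added with ldapadd, bound as the child's rootdn, as an ordinary groupOfNames entry whose member values are the users' DNs from the parent; vCenter is pointed at the child and its restricted role is assigned to that group.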