edirectory question

Yeargan, Yancey yancey at unt.edu
Fri Mar 12 06:32:46 CET 2010

Your question is really about Novell eDirectory, not the Python LDAP module, so I will provide a brief answer here and you may contact me directly for more eDirectory information. However, I would first make sure that the LDAP search base parameter is set to either "o=central" or "o=suburbs".

To begin, you will not need an alias. The default eDirectory LDAP configuration allows anonymous LDAP binds, so a 'bind user' may not be strictly necessary either. If you do authenticate in order to perform a search for the user's account, eDirectory also defaults to every user being able to browse the structure of the tree. It should be possible to find a user account by the CN value (or 'sn' or 'givenName') simply using the default configuration and security permissions. If your search involves another attribute that is not publicly visible, then you may need to grant additional directory permissions to the 'bind user'.

That's all I will say here. Feel free to contact me directly for more information about Novell eDirectory.


On Mar 11, 2010, at 10:25 PM, Mike Dewhirst wrote:

> Hi all - I couldn't find my answer in your archives so I joined the
> list. Thanks for being here.
>
> Background
>
> I'm new to most of this but I managed to configure (for testing) a local
> Novell eDirectory 8.7 LDAP service to respond to a remote request for
> authentication. The client is a php website which requires auth and
> which was built by someone else. I provided the bind user and I can
> create my own local eDirectory users and successfully log them in to the
> website.
>
> The problem
>
> The website owner has a large tree of Novell servers whereas my test
> setup is a single server. We now wish to point the php website at the
> large tree so that vast numbers of employees can login using their
> Novell credentials. The problem is that the credentials are spread over
> a number of org/org units like this ...
>
> maintree
>     central (o)
>         binduser (cn)
>     suburbs (o)
>         footscray (ou)
>             users (cn)s
>         glenroy (ou)
>             moreusers (cn)
>         bayside (ou)
>
> ... and when I try to configure my own eDirectory in a similar
> structure, the binduser cannot find credentials outside its own container.
> I can solve the problem by creating an alias object named identically
> for the user in the other container but this is totally unwieldy from
> the viewpoint of the sheer numbers of users. It would be awful to do
> that if there was another way.
>
> Question
>
> Is there another way?
>
> Thanks
> Mike
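
The approach from the reply (a subtree search from an organization-level base such as "o=suburbs", then a bind as the DN that was found), as an added example that is not part of the original thread. `authenticate`, `escape_filter` and `FakeDirectory` are hypothetical names, and the accounts and passwords are constructed so the block runs without a server; the fake offers the same `search_s`/`simple_bind_s` methods as a python-ldap connection.

```python
# Added example: the FakeDirectory data is constructed, not from the thread.
SCOPE_SUBTREE = 2  # same value as python-ldap's ldap.SCOPE_SUBTREE

def escape_filter(value):
    """Escape RFC 4515 special characters so input cannot alter the filter."""
    special = {"\\": r"\5c", "*": r"\2a", "(": r"\28", ")": r"\29", "\0": r"\00"}
    return "".join(special.get(ch, ch) for ch in value)

def authenticate(search_conn, user_conn, base, username, password,
                 bind_errors=(Exception,)):
    """Hypothetical helper: return the user's DN on success, else None."""
    # An empty password makes a simple bind unauthenticated (anonymous); a
    # server that allows anonymous binds reports success, so refuse it here.
    if not username or not password:
        return None
    flt = "(cn=%s)" % escape_filter(username)
    hits = search_conn.search_s(base, SCOPE_SUBTREE, flt, ["cn"])
    dns = [dn for dn, _attrs in hits if dn]   # drop referral entries
    if len(dns) != 1:                         # unknown, or cn not unique
        return None
    try:
        user_conn.simple_bind_s(dns[0], password)
    except bind_errors:  # with python-ldap pass (ldap.INVALID_CREDENTIALS,)
        return None
    return dns[0]

class FakeDirectory:
    """Constructed stand-in offering python-ldap's search_s/simple_bind_s."""
    users = {"cn=alice,ou=footscray,o=suburbs": "pw-a",
             "cn=bob,ou=glenroy,o=suburbs": "pw-b",
             "cn=binduser,o=central": "pw-bind"}

    def search_s(self, base, scope, filterstr, attrlist=None):
        wanted = filterstr[len("(cn="):-1]    # only handles "(cn=...)"
        return [(dn, {"cn": [dn.split(",")[0][3:].encode()]})
                for dn in self.users
                if dn.endswith(base) and wanted in ("*", dn.split(",")[0][3:])]

    def simple_bind_s(self, who="", cred=""):
        if cred == "":
            return                            # anonymous bind is accepted
        if self.users.get(who) != cred:
            raise PermissionError("invalid credentials")

if __name__ == "__main__":
    d = FakeDirectory()
    print(authenticate(d, d, "o=suburbs", "bob", "pw-b"))
    print(authenticate(d, d, "o=suburbs", "bob", ""))
```

Against a real server, pass connections created with `ldap.initialize()` and `bind_errors=(ldap.INVALID_CREDENTIALS,)`.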
