We are implementing a 3rd party application that can use eDir/LDAP for
authentication, but our challenge is around limiting what users can
access the app.

We can simply set the search base for the app to where our users are,
but then anyone has the capability to use the tool (something which is
strictly against the requirements because of licensing, etc.). Not all
users would use the tool, and they cross organizational boundaries
(associates, vendors, contractors) so nothing obvious sets them apart
(see below: the tool can't differentiate anyway - it's the whole OU or

We're restricted for many reasons, so our OU structure cannot change,
we obviously don't want second or generic accounts, and while we would
prefer not to add more custom attributes (to the many we already have)
specifically for this app to use, it cannot leverage them. We could
front it with Access Manager and require those attributes for
authentication, but non-web clients will use the tool.

What I'm considering is perhaps setting up aliases for the users in an
OU specific to the app, and limiting the app to that searchbase. The
second part would entail perhaps an IdM driver that would take a nrfRole
membership (we use RBPM) and based on that create the alias.

Any ideas or thoughts?
Thank you in advance.

tsherwin's Profile: http://forums.novell.com/member.php?userid=38667
View this thread: http://forums.novell.com/showthread.php?t=449547
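The alias approach sketched in the post, as an added example that is not from the original poster or from Novell: a reconciliation step that takes the list of users holding the role and the alias entries that already exist under the app-specific OU, computes which aliases to create or remove, and emits LDIF for review or for ldapmodify. The container name ou=AppUsers,o=Example, the user DNs, and the idea that membership is handed in as a list of user DNs (by whatever reads the nrfRole, an IdM driver or an LDAP query) are assumptions; the attribute aliasedObjectName and the naming attribute cn for alias objects should be checked against the server's schema. The example also handles the collision a cross-organizational user set invites: two users with the same CN in different containers cannot both get an alias with the same RDN in one OU.

```python
"""Reconcile app-specific eDirectory aliases with role membership.

Added example, not code from the original forum post.  Assumptions
(not in the post): the app's search base is ou=AppUsers,o=Example;
each user holding the role gets an alias there whose aliasedObjectName
points at the real user entry; role membership arrives as a list of
user DNs; RDN values contain no escaped commas.
"""
from collections import defaultdict

APP_OU = "ou=AppUsers,o=Example"  # assumed search base handed to the app


def rdn_value(dn: str) -> str:
    """Value of the leading RDN, e.g. 'jdoe' from 'cn=jdoe,ou=Vendors,...'."""
    return dn.split(",", 1)[0].split("=", 1)[1]


def alias_dn(user_dn: str) -> str:
    """DN of the alias that would represent user_dn inside APP_OU."""
    return f"cn={rdn_value(user_dn)},{APP_OU}"


def find_collisions(role_members):
    """Map each CN that several members share to the colliding user DNs."""
    by_name = defaultdict(list)
    for dn in role_members:
        by_name[rdn_value(dn)].append(dn)
    return {name: dns for name, dns in by_name.items() if len(dns) > 1}


def reconcile(role_members, existing_aliases):
    """Return (to_add, to_delete).

    role_members:     user DNs currently holding the role.
    existing_aliases: {alias DN: aliasedObjectName} already under APP_OU.
    to_add is a list of (alias DN, target DN); to_delete a sorted list of
    alias DNs.  An alias whose target changed is deleted and re-added.
    """
    collisions = find_collisions(role_members)
    if collisions:
        raise ValueError(f"alias name collision in {APP_OU}: {collisions}")
    desired = {alias_dn(u): u for u in role_members}
    to_add = [(a, t) for a, t in desired.items() if existing_aliases.get(a) != t]
    to_delete = {a for a, t in existing_aliases.items() if desired.get(a) != t}
    return to_add, sorted(to_delete)


def to_ldif(to_add, to_delete):
    """Render the change set as LDIF; deletes first so re-adds succeed."""
    chunks = [f"dn: {a}\nchangetype: delete\n" for a in to_delete]
    for a, target in to_add:
        chunks.append(
            f"dn: {a}\nchangetype: add\nobjectClass: alias\n"
            f"cn: {rdn_value(a)}\naliasedObjectName: {target}\n"
        )
    return "\n".join(chunks)


def authorized(user_dn, existing_aliases):
    """Access rule the design encodes: a user may use the app only if an
    alias under APP_OU points at that user's real entry."""
    return user_dn in existing_aliases.values()


if __name__ == "__main__":
    # Constructed sample data, not taken from any real directory.
    members = ["cn=alice,ou=Associates,o=Example",
               "cn=bob,ou=Vendors,o=Example"]
    current = {"cn=bob,ou=AppUsers,o=Example": "cn=bob,ou=Vendors,o=Example",
               "cn=carol,ou=AppUsers,o=Example": "cn=carol,ou=Contractors,o=Example"}
    add, delete = reconcile(members, current)
    print(to_ldif(add, delete))
```

Whether the application's bind and search actually follow the alias to the real entry (and whether the user's password and ACL checks happen against the aliased object) is something to verify against the eDirectory server with the real client before committing to the driver; the reconciliation above only keeps the alias set in step with the role.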