On Mon, May 14, 2012 at 08:06:41PM +0530, dhanushka ranasinghe wrote:
> I have an LDAP server and it has a group called:
> cn=internal,ou=group,dc=example,dc=com
> -- users of this group are:
> uid=user1,ou=user,dc=example,dc=com
> uid=user2,ou=user,dc=example,dc=com
> I need to only authenticate the users under cn=internal ....
I assume you mean "I only want to allow users of this group to access some resource"
> This is what we are using:
> (&(objectClass=groupOfNames)(memberOf=CN=internal,OU=group,DC=example,DC=com))
> seems like it's not working ..
> what is the LDAP search filter I need to use to get only the members of the cn=internal group authenticated...
I think it would be best to use several LDAP operations rather than trying to do everything in one go. For example:

1) Search for user:
   base: ou=user,dc=example,dc=com
   filter: (&(objectclass=account)(uid=<username>))
   If the user exists, note the DN of the entry found.

2) Authenticate user:
   Bind as the user DN using the user-supplied password.
   If this fails, deny access.

3) Re-bind as a system user (or anon if that has enough access).

4) Check authorisation:
   Search base: CN=internal,OU=group,DC=example,DC=com
   Search scope: base
   Filter: (member=<user DN>)
   Return attributes: cn
   If this returns an entry then the user is in the authorisation group and should be allowed to use the resource. Otherwise, deny access.
Andrew
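The four-step sequence Andrew describes (search for the DN, bind as the user, re-bind as a system account, base-scope search on the group for `member=<user DN>`), as an added example that is not part of the thread. It runs against a constructed in-memory `FakeDirectory` so it needs no server; `cn=app,ou=system,...` and its password are hypothetical. It also escapes the username before it is spliced into the filter (RFC 4515) and refuses empty passwords, since a simple bind with a DN and an empty password is an unauthenticated bind, not a failed login.

```python
import re

USER_BASE = "ou=user,dc=example,dc=com"
GROUP_DN = "cn=internal,ou=group,dc=example,dc=com"
SYSTEM_DN = "cn=app,ou=system,dc=example,dc=com"  # hypothetical service account DN
SYSTEM_PW = "service-secret"                      # constructed value, not real

def escape_filter(value):
    """Escape a user-supplied value for use inside a search filter (RFC 4515)."""
    return "".join(f"\\{ord(c):02x}" if c in "\\*()\x00" else c for c in value)

class FakeDirectory:
    """Constructed in-memory stand-in for the directory; not a real LDAP client."""
    def __init__(self):
        self.entries = {  # attribute values are stored as lists, like LDAP
            "uid=user1,ou=user,dc=example,dc=com": {"objectclass": ["account"], "uid": ["user1"], "userPassword": ["pw1"]},
            "uid=guest,ou=user,dc=example,dc=com": {"objectclass": ["account"], "uid": ["guest"], "userPassword": ["pw3"]},
            GROUP_DN: {"cn": ["internal"], "member": ["uid=user1,ou=user,dc=example,dc=com"]},
            SYSTEM_DN: {"userPassword": [SYSTEM_PW]},
        }

    def bind(self, dn, password):
        # An empty password must never count as success: RFC 4513 allows a
        # simple bind with a DN and empty password to succeed as *unauthenticated*.
        entry = self.entries.get(dn)
        return bool(password) and entry is not None and entry.get("userPassword") == [password]

    def search(self, base, scope, filt):
        """Return DNs under `base` whose attributes match every (attr=value) in filt."""
        wanted = re.findall(r"\((\w+)=([^()]*)\)", filt)  # minimal equality-only matcher
        hits = []
        for dn, attrs in self.entries.items():
            in_scope = dn == base if scope == "base" else dn.endswith("," + base)
            if in_scope and all(v in attrs.get(a, []) for a, v in wanted):
                hits.append(dn)
        return hits

def authorize(d, username, password):
    """Steps 1-4 from the reply: find DN, bind as user, re-bind as system, check group."""
    found = d.search(USER_BASE, "sub", f"(&(objectclass=account)(uid={escape_filter(username)}))")
    if len(found) != 1:
        return False                      # unknown (or ambiguous) user: deny
    user_dn = found[0]
    if not d.bind(user_dn, password):
        return False                      # wrong password: deny
    if not d.bind(SYSTEM_DN, SYSTEM_PW):
        raise RuntimeError("re-bind as system account failed")
    # Step 4: the group entry is the base, scope base, filter on member=<user DN>
    return bool(d.search(GROUP_DN, "base", f"(member={escape_filter(user_dn)})"))
```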