Okay, guys!
I have solved this problem in the way below.
*I created a simple Python 2.7 script that stores each user's posixGroup associations in their pgMemberOf (memberOf) attribute. The purpose is to enable search filters like the ones below...*
MODEL

    ldapsearch -x -H 'ldap://127.0.0.1:389' -b 'ou=persons,dc=domain,dc=abc,dc=de' \
        -D 'cn=admin,dc=domain,dc=abc,dc=de' \
        -w 'mySecretValue' \
        '(&(pgMemberOf=cn=certaingroup,ou=groups,dc=domain,dc=abc,dc=de)(uid=certainuid))'

EXAMPLE

    ldapsearch -x -H '<OPENLDAP_URI>' -b '<PERSONS_OU>,<BASE_DN>' \
        -D '<ADM_USER_DN>' \
        -w '<ADM_USER_PASSWORD>' \
        '(&(pgMemberOf=cn=<PSX_GROUP_CN>,<GROUPS_OU>,<BASE_DN>)(uid=<PERSON_UID>))'
This script is useful for cases where we already have an OpenLDAP installed and we want to make filters available, in a very simple way, for posixGroups that already exist, without creating new types of groups. It is also useful when we are unable to install overlays, or when that process is too laborious or risky.
*The project is in this repository:* https://github.com/eduardolucioac/psx-grp-flt
*Thanks! =D*
On Tue, 3 Aug 2021 at 13:34, Benjamin Renard <brenard@easter-eggs.com> wrote:
On 03/08/2021 at 17:52, Quanah Gibson-Mount wrote:
--On Tuesday, August 3, 2021 4:42 PM +0200 Benjamin Renard brenard@easter-eggs.com wrote:
Hello,
On 30/07/2021 at 18:37, Quanah Gibson-Mount wrote:
You want OpenLDAP 2.5's version of dynlist.
Just to be sure, could you please summarize for me the benefits of using OpenLDAP 2.5's version of the dynlist overlay? Is it now possible to use "memberOf"-like attributes in a filter clause?
You could just read the 2.5 man page.
<https://www.openldap.org/software/man.cgi?query=slapo-dynlist&apropos=0&...>
I tried, but it's quite difficult to extract the new features :) Moreover, the new configuration syntax of the dynlist-attrset directive is quite complicated to learn and interpret. I have a presentiment that it's really powerful, but it will take some tests to understand the subtleties and all the possibilities that this offers.
But yes, you can use the dynamically generated memberOf in ldap filters.
You may also want to look at the dynlist test script, from line 749 on.
<https://git.openldap.org/openldap/openldap/-/blob/OPENLDAP_REL_ENG_2_5/tests...>
I see, and it's a great addition!
Thank you,
-- Benjamin Renard - Easter-eggs 44-46 rue de l'Ouest - 75014 Paris - France - Métro Gaité Phone: +33 (0) 1 43 35 00 37 - Fax: +33 (0) 1 43 35 00 76 mailto:brenard@easter-eggs.com - http://www.easter-eggs.com
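The inversion the top post describes (collecting each user's posixGroup memberships into a stored pgMemberOf attribute so that a plain equality filter works without an overlay), written out as an added Python 3 example. This is not the psx-grp-flt project's code. It assumes the schema defines a pgMemberOf attribute (the name is taken from the post), treats a user's primary gidNumber as a membership as well as memberUid, and works on constructed LDIF text instead of a live connection, emitting a modify LDIF that you would feed to ldapmodify. It also shows the RFC 4515 escaping that any uid or DN taken from a request needs before it is pasted into a filter like the one in the post.

```python
"""Added example (not the psx-grp-flt project's code): derive pgMemberOf from
posixGroup entries and emit an LDIF changeset for ldapmodify. Assumes the
schema defines pgMemberOf and that the primary gidNumber counts as membership."""
import re

# Constructed sample directory content, not exported from a real server.
GROUPS_LDIF = """\
dn: cn=certaingroup,ou=groups,dc=domain,dc=abc,dc=de
gidNumber: 10001
memberUid: alice
memberUid: bob
memberUid: nobody-such-user

dn: cn=admins,ou=groups,dc=domain,dc=abc,dc=de
gidNumber: 10002
memberUid: alice

dn: cn=users,ou=groups,dc=domain,dc=abc,dc=de
gidNumber: 10000
"""

USERS_LDIF = """\
dn: uid=alice,ou=persons,dc=domain,dc=abc,dc=de
uid: alice
gidNumber: 10000

dn: uid=bob,ou=persons,dc=domain,dc=abc,dc=de
uid: bob
gidNumber: 10000
pgMemberOf: cn=stale,ou=groups,dc=domain,dc=abc,dc=de

dn: uid=carol,ou=persons,dc=domain,dc=abc,dc=de
uid: carol
gidNumber: 10002

dn: uid=dave,ou=persons,dc=domain,dc=abc,dc=de
uid: dave
gidNumber: 99999
"""


def parse_ldif(text):
    """Minimal LDIF reader: blank-line separated entries, one 'attr: value' per
    line, names lower-cased (LDAP attribute names are case-insensitive).
    No base64 or folded lines; enough for the constructed sample."""
    entries = []
    for block in re.split(r"\n\s*\n", text.strip()):
        dn, attrs = None, {}
        for line in block.splitlines():
            key, _, value = line.partition(":")
            key, value = key.strip().lower(), value.strip()
            if key == "dn":
                dn = value
            elif key:
                attrs.setdefault(key, []).append(value)
        if dn:
            entries.append((dn, attrs))
    return entries


def build_membership(groups, users):
    """Map uid -> sorted posixGroup DNs: memberUid values plus the group whose
    gidNumber is the user's primary gid. memberUid values that name no user
    entry (nobody-such-user above) are ignored instead of written anywhere."""
    by_gid = {a["gidnumber"][0]: dn for dn, a in groups if "gidnumber" in a}
    member = {a["uid"][0]: set() for _, a in users}
    for dn, a in groups:
        for uid in a.get("memberuid", []):
            if uid in member:
                member[uid].add(dn)
    for _, a in users:
        primary = by_gid.get(a.get("gidnumber", [""])[0])
        if primary:
            member[a["uid"][0]].add(primary)
    return {uid: sorted(dns) for uid, dns in member.items()}


def render_modify_ldif(users, membership, attr="pgMemberOf"):
    """'changetype: modify' records that *replace* attr on every user, so stale
    values from earlier runs (bob above) disappear; an empty value list removes
    the attribute entirely (dave above)."""
    records = []
    for dn, a in users:
        lines = ["dn: " + dn, "changetype: modify", "replace: " + attr]
        lines += ["%s: %s" % (attr, g) for g in membership.get(a["uid"][0], [])]
        records.append("\n".join(lines) + "\n-\n")
    return "\n".join(records)


def escape_filter_value(value):
    """RFC 4515 escaping, so a uid or DN taken from a request cannot add filter
    terms such as '*' or ')(uid=*'."""
    return "".join("\\%02x" % ord(c) if c in "\\*()\x00" else c for c in value)


def membership_filter(group_dn, uid, attr="pgMemberOf"):
    """The filter from the post, built from escaped values."""
    return "(&(%s=%s)(uid=%s))" % (attr, escape_filter_value(group_dn),
                                   escape_filter_value(uid))


if __name__ == "__main__":
    groups, users = parse_ldif(GROUPS_LDIF), parse_ldif(USERS_LDIF)
    print(render_modify_ldif(users, build_membership(groups, users)))
    print(membership_filter("cn=certaingroup,ou=groups,dc=domain,dc=abc,dc=de", "alice"))
```

Two points worth keeping in mind with this approach, as opposed to the dynlist overlay discussed in the replies: the stored attribute is only as current as the last run of the script, so a group change is invisible to filters until the script runs again, and the script needs write access to every person entry, so the account it binds as should be limited to that attribute by an ACL rather than a full admin DN.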