Okay, guys!

I have solved this problem in the way below.

I created a simple Python 2.7 script that stores each user's posixGroup associations in their pgMemberOf (memberOf) attribute. The purpose is to enable search filters like the ones below...

MODEL

ldapsearch -x -H 'ldap://127.0.0.1:389' -b 'ou=persons,dc=domain,dc=abc,dc=de' \
    -D 'cn=admin,dc=domain,dc=abc,dc=de' \
    -w 'mySecretValue' \
    '(&(pgMemberOf=cn=certaingroup,ou=groups,dc=domain,dc=abc,dc=de)(uid=certainuid))'

EXAMPLE

ldapsearch -x -H '<OPENLDAP_URI>' -b '<PERSONS_OU>,<BASE_DN>' \
    -D '<ADM_USER_DN>' \
    -w '<ADM_USER_PASSWORD>' \
    '(&(pgMemberOf=cn=<PSX_GROUP_CN>,<GROUPS_OU>,<BASE_DN>)(uid=<PERSON_UID>))'

This script is useful for cases where we already have an OpenLDAP installed and we want to make filters available for posixGroups that already exist, in a very simple way and without creating new types of groups. It is also useful when it is not possible to install overlays, or when doing so is too laborious or risky.

The project is in this repository: https://github.com/eduardolucioac/psx-grp-flt

Thanks! =D


On Tue, 3 Aug 2021 at 13:34, Benjamin Renard <brenard@easter-eggs.com> wrote:


On 03/08/2021 at 17:52, Quanah Gibson-Mount wrote:
>
>
> --On Tuesday, August 3, 2021 4:42 PM +0200 Benjamin Renard
> <brenard@easter-eggs.com> wrote:
>
>> Hello,
>>
> >> On 30/07/2021 at 18:37, Quanah Gibson-Mount wrote:
>>> You want OpenLDAP 2.5's version of dynlist.
> >> Just to be sure, could you please summarize for me the benefits of using OpenLDAP
> >> 2.5's version of the dynlist overlay? Is it now possible to use "memberOf"-like
> >> attributes in a filter clause?
>
> You could just read the 2.5 man page.
>
> <https://www.openldap.org/software/man.cgi?query=slapo-dynlist&apropos=0&sektion=0&manpath=OpenLDAP+2.5-Release&arch=default&format=html>
I tried, but it's quite difficult to extract the new features :)
Moreover, the new configuration syntax of the dynlist-attrset directive
is quite complicated to learn and interpret. I have a presentiment that
it's really powerful, but it will take some tests to understand the
subtleties and all the possibilities that this offers.

> But yes, you can use the dynamically generated memberOf in ldap filters.
>
> You may also want to look at the dynlist test script, from line 749 on.
>
> <https://git.openldap.org/openldap/openldap/-/blob/OPENLDAP_REL_ENG_2_5/tests/scripts/test044-dynlist#L749>
I see, and it's a great addition!

Thank you,

--
Benjamin Renard                  -                   Easter-eggs
44-46 rue de l'Ouest  -  75014 Paris   -   France -  Métro Gaité
Phone: +33 (0) 1 43 35 00 37     -    Fax: +33 (0) 1 43 35 00 76
mailto:brenard@easter-eggs.com   -    http://www.easter-eggs.com


--

Eduardo Lúcio

Technology, Development and Free Software

LightBase Consultoria em Software Público

eduardo.lucio@lightbase.com.br

+55-61-3347-1949 - http://brlight.org - Brasil-DF


Free software! Embrace this idea!

"Those who deny freedom to others deserve it not for themselves."

Abraham Lincoln
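The approach described in the first message (a script that writes each user's posixGroup membership into a memberOf-style attribute so that it can be used in a search filter) as an added, self-contained example. This is not the script from the psx-grp-flt repository and not OpenLDAP code: it is a Python 3 illustration that reads the groups and persons as LDIF, maps every memberUid back to the matching person entry's DN, and emits an LDIF "changetype: modify" that replaces the per-user pgMemberOf values with the DNs of the posixGroups the user currently belongs to (or deletes the attribute when the user is in no group), so values from a previous run never survive. The directory content, the DNs and the attribute name pgMemberOf are assumptions for the example; pgMemberOf is assumed to be defined in the server's schema.

```python
"""Compute a memberOf-style attribute for posixGroup members from LDIF (added example)."""
import re
from collections import defaultdict

# Constructed sample directory content, not exported from a real server.
# alice: in two groups, carries a stale value; bob: in one group, no value yet;
# carol: in no group but still carries a value from an earlier run.
SAMPLE_LDIF = """\
dn: cn=developers,ou=groups,dc=domain,dc=abc,dc=de
objectClass: posixGroup
cn: developers
gidNumber: 5000
memberUid: alice
memberUid: bob

dn: cn=admins,ou=groups,dc=domain,dc=abc,dc=de
objectClass: posixGroup
cn: admins
gidNumber: 5001
memberUid: alice

dn: uid=alice,ou=persons,dc=domain,dc=abc,dc=de
objectClass: posixAccount
uid: alice
pgMemberOf: cn=oldgroup,ou=groups,dc=domain,dc=abc,dc=de

dn: uid=bob,ou=persons,dc=domain,dc=abc,dc=de
objectClass: posixAccount
uid: bob

dn: uid=carol,ou=persons,dc=domain,dc=abc,dc=de
objectClass: posixAccount
uid: carol
pgMemberOf: cn=developers,ou=groups,dc=domain,dc=abc,dc=de
"""


def parse_ldif(text):
    """Minimal LDIF reader returning a list of (dn, {attr_lowercase: [values]}).

    Handles folded continuation lines (leading space) and '#' comments; it does
    not decode base64 ('::') values, which the sample does not use.
    """
    entries = []
    for block in re.split(r"\n\s*\n", text.strip()):
        lines = []
        for line in block.splitlines():
            if line.startswith("#"):
                continue
            if line.startswith(" ") and lines:   # folded line: join to previous
                lines[-1] += line[1:]
            else:
                lines.append(line)
        attrs, dn = defaultdict(list), None
        for line in lines:
            key, _, value = line.partition(":")
            key, value = key.strip().lower(), value.strip()   # attribute names are case-insensitive
            if key == "dn":
                dn = value
            else:
                attrs[key].append(value)
        entries.append((dn, attrs))
    return entries


def posix_memberof(entries, memberof_attr="pgMemberOf"):
    """Return {user_dn: (sorted wanted group DNs, sorted currently stored values)}."""
    attr = memberof_attr.lower()
    uid_to_dn, current = {}, {}
    for dn, attrs in entries:
        if "posixaccount" in (v.lower() for v in attrs.get("objectclass", [])):
            for uid in attrs.get("uid", []):
                uid_to_dn[uid.lower()] = dn            # uid matching is case-insensitive
            current[dn] = attrs.get(attr, [])
    wanted = defaultdict(set)
    for dn, attrs in entries:
        if "posixgroup" in (v.lower() for v in attrs.get("objectclass", [])):
            for uid in attrs.get("memberuid", []):
                user_dn = uid_to_dn.get(uid.lower())
                if user_dn is not None:                # memberUid with no person entry is ignored
                    wanted[user_dn].add(dn)
    return {dn: (sorted(wanted.get(dn, ())), sorted(current[dn])) for dn in current}


def modify_ldif(plan, memberof_attr="pgMemberOf"):
    """Render the plan as LDIF for ldapmodify; users whose values already match get no record.

    The comparison is textual, so DNs are expected in the same spelling as stored.
    'replace' drops every old value, so a membership that was removed disappears too.
    """
    out = []
    for user_dn in sorted(plan):
        wanted, current = plan[user_dn]
        if wanted == current:
            continue
        out += ["dn: %s" % user_dn, "changetype: modify"]
        if wanted:
            out.append("replace: %s" % memberof_attr)
            out += ["%s: %s" % (memberof_attr, g) for g in wanted]
        else:
            out.append("delete: %s" % memberof_attr)
        out += ["-", ""]
    return "\n".join(out)


if __name__ == "__main__":
    print(modify_ldif(posix_memberof(parse_ldif(SAMPLE_LDIF))))
```

On a real server the two inputs would come from `ldapsearch -LLL` over the groups and persons subtrees and the output would go to `ldapmodify -x -H <URI> -D <ADM_USER_DN> -W -f changes.ldif` (`-W` prompts for the password instead of exposing it in the process list and shell history as `-w` does). Two caveats a practitioner should keep in mind with this kind of script, as opposed to an overlay that computes membership at query time: the stored attribute is only as current as the last run, so a user removed from a posixGroup still matches the filter until the script runs again; and anything that reads pgMemberOf as an authorization signal depends on the attribute being writable only by the account that runs the script, so the server's ACL should deny users write access to it on their own entries.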