dhanushka ranasinghe wrote:
Hi guys,
Thanks for the reply.
I tried many LDAP filters according to the suggestion made by Andrew, but I am unable to get it to work. Any idea how to write such a filter?
Thank you
On 15 May 2012 03:03, Andrew Findlay <andrew.findlay@skills-1st.co.uk> wrote:

> On Mon, May 14, 2012 at 08:06:41PM +0530, dhanushka ranasinghe wrote:
> > I have an LDAP server and it has a group called:
> >
> > cn=internal,ou=group,dc=example,dc=com
> >
> > The users of this group are:
> >
> > uid=user1,ou=user,dc=example,dc=com
> > uid=user2,ou=user,dc=example,dc=com
> >
> > I need to authenticate only the users under cn=internal ....
>
> I assume you mean "I only want to allow users of this group to access
> some resource".
>
> > This is what we are using:
> >
> > (&(objectClass=groupOfNames)(memberOf=CN=internal,OU=group,DC=example,DC=com))
> >
> > It seems like it's not working.
> >
> > What is the LDAP search filter I need to use to get only the members of
> > the cn=internal group authenticated?
>
> I think it would be best to use several LDAP operations rather than
> trying to do everything in one go. For example:
>
> 1) Search for user:
>    base: ou=user,dc=example,dc=com
>    filter: (&(objectclass=account)(uid=<username>))
>    If the user exists, note the DN of the entry found.
>
> 2) Authenticate user:
>    Bind as the user DN using the user-supplied password.
>    If this fails, deny access.
>
> 3) Re-bind as a system user (or anon if that has enough access).
>
> 4) Check authorisation:
>    Search base: CN=internal,OU=group,DC=example,DC=com
>    Search scope: base
>    Filter: (member=<user DN>)
>    Return attributes: cn
>    If this returns an entry then the user is in the authorisation group
>    and should be allowed to use the resource. Otherwise, deny access.
Step 4 should just be an LDAP Compare operation.
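An added worked example of the flow Andrew describes (search, bind as the user, re-bind as a system account, membership check), with the final check done as an LDAP Compare as suggested above. This is not code from any post in the thread. It is written for the OpenLDAP command-line tools; the server URI, the system account DN and the password file paths are assumed placeholders and need adjusting. It also shows one thing the posts leave out: the username goes into a search filter, so `*`, `(`, `)` and `\` in it must be escaped (RFC 4515) or a caller can rewrite the filter, and an empty password must be rejected before the bind, because a bind with a DN and an empty password is an unauthenticated (anonymous) bind on many servers and would "succeed" for everyone.

```sh
# Added example, not from the thread. Assumed values: adjust to your directory.
LDAP_URI=${LDAP_URI:-ldap://ldap.example.com}
USER_BASE="ou=user,dc=example,dc=com"
GROUP_DN="cn=internal,ou=group,dc=example,dc=com"
SYSTEM_DN="cn=authz,ou=system,dc=example,dc=com"          # assumed read-only account
SYSTEM_PW_FILE=${SYSTEM_PW_FILE:-/etc/app/ldap-authz.pw}  # assumed path

# RFC 4515 filter escaping. Anything user-supplied that goes inside a filter
# must pass through here, otherwise input like '*)(uid=*' changes the search.
# Backslash is escaped first so the escapes added afterwards are not doubled.
ldap_filter_escape() {
    printf '%s' "$1" | sed -e 's/\\/\\5c/g' \
                           -e 's/\*/\\2a/g' \
                           -e 's/(/\\28/g'  \
                           -e 's/)/\\29/g'
}

# Build the step-1 filter from an untrusted username.
user_filter() {
    printf '(&(objectClass=account)(uid=%s))' "$(ldap_filter_escape "$1")"
}

# Step 1: find exactly one entry for the username and print its DN.
find_user_dn() {
    out=$(ldapsearch -x -LLL -H "$LDAP_URI" -b "$USER_BASE" -s sub \
                     "$(user_filter "$1")" dn) || return 1
    # Fail closed on zero or several matches, and on base64-encoded
    # ("dn::") DNs that this simple script does not decode.
    [ "$(printf '%s\n' "$out" | grep -c '^dn:')" -eq 1 ] || return 1
    printf '%s\n' "$out" | grep -q '^dn::' && return 1
    printf '%s\n' "$out" | sed -n 's/^dn: //p'
}

# Step 2: simple bind as the user's DN with the user-supplied password.
# Empty password is rejected here (unauthenticated bind, RFC 4513 5.1.2).
# The password is read from a file so it does not appear in `ps` output.
authenticate_user() {
    user_dn=$1; passfile=$2
    [ -s "$passfile" ] || return 1
    ldapwhoami -x -H "$LDAP_URI" -D "$user_dn" -y "$passfile" >/dev/null 2>&1
}

# Steps 3+4: bind as the system account and ask the server whether
# member=<user DN> holds on the group entry. ldapcompare exits 6 for
# compareTrue and 5 for compareFalse. The DN is passed as an assertion
# value, not inside a filter, so no filter escaping is needed here.
is_group_member() {
    rc=0
    ldapcompare -x -H "$LDAP_URI" -D "$SYSTEM_DN" -y "$SYSTEM_PW_FILE" \
                "$GROUP_DN" "member:$1" >/dev/null 2>&1 || rc=$?
    [ "$rc" -eq 6 ]
}

# Whole flow: prints "allow" or "deny" and returns 0 or 1.
check_access() {
    username=$1; passfile=$2
    dn=$(find_user_dn "$username")      || { echo deny; return 1; }
    authenticate_user "$dn" "$passfile" || { echo deny; return 1; }
    is_group_member "$dn"               || { echo deny; return 1; }
    echo allow
}

# Usage: check_access "$login_name" /run/app/login.pw
```

Two practical notes on running this against a real server: use `ldaps://` or `-ZZ` (StartTLS, required to succeed) so the user's password does not cross the network in the clear, and give the system account only read access to `member` on the group subtree, since it is the one credential the application holds permanently.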