Hello Howard,
There are two common operations on a group: list all the members, and see if user X is a member of a group. For the first case, just retrieve the group entry and look at its member attribute. For the second case, just do a Compare on the group and test the member attribute against the user's DN.
Ok, but :
Let's say that I want to grant access to an application only for users of a specific group: what would be the filter to use?
Another way to ask that is: what is the trick to retrieve posixAccount (or inetOrgPerson) objects that are members of a specific posixGroup (or groupOfNames)?
Aka: if posixGroup gogo is like this
# gogo, group, toto.fr
dn: cn=gogo,ou=group,dc=toto,dc=fr
objectClass: posixGroup
gidNumber: 17000
cn: gogo
memberUid: gui
memberUid: lev
What is the filter to retrieve exactly this:
# gui, staff, people, toto.fr
dn: uid=gui,ou=staff,ou=people,dc=gui,dc=fr
cn: gui lou
givenName: Gui
homeDirectory: /home/gui
loginShell: /bin/tcsh
objectClass: top
objectClass: person
objectClass: organizationalPerson
objectClass: inetOrgPerson
objectClass: posixAccount
sn: Gui
uid: gui
uidNumber: 1041
userPassword:: e1AZE4N1k=
gidNumber: 18004

# lev, staff, people, toto.fr
dn: uid=lev,ou=staff,ou=people,dc=toto,dc=fr
cn: Lev Luv
givenName: Lev
homeDirectory: /home/lev
loginShell: /bin/bash
objectClass: top
objectClass: person
objectClass: organizationalPerson
objectClass: inetOrgPerson
objectClass: posixAccount
sn: Lev
uid: lev
uidNumber: 1041
userPassword:: eFjQVNCZEZzN1k=
gidNumber: 18004
2012/1/20 Howard Chu hyc@symas.com:
Felipe Augusto van de Wiel wrote:
Hello,
On 19-01-2012 15:14, Howard Chu wrote:
Dunno. IMO most people using memberOf are misusing the data model anyway, so it's of little interest.
Out of curiosity (and because I do try to avoid misusing the data model), why, in your opinion, does memberOf represent a misuse?
There are two common operations on a group: list all the members, and see if user X is a member of a group. For the first case, just retrieve the group entry and look at its member attribute. For the second case, just do a Compare on the group and test the member attribute against the user's DN.
Kind regards,
Felipe Augusto van de Wiel <felipe.wiel@hpp.org.br>
Tecnologia da Informação (TI) - Complexo Pequeno Príncipe
http://www.pequenoprincipe.org.br/
T: +55 41 3310 1747
--
Howard Chu
CTO, Symas Corp. http://www.symas.com
Director, Highland Sun http://highlandsun.com/hyc/
Chief Architect, OpenLDAP http://www.openldap.org/project/
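The two group operations Howard describes (read the group entry's membership attribute; Compare a candidate against it) and the two-step lookup the question asks about, as an added example that is not part of this thread and not OpenLDAP code. It runs against a small in-memory directory built from constructed LDIF modelled on the entries quoted above: DNs are placed under dc=toto,dc=fr, the groupOfNames entry cn=admins and lev's uidNumber 1042 are made up, and the userPassword values are left out. The function names and the second-step filter are this example's own; against a real server the Compare and the searches would go through a client library, and the filter value escaping follows RFC 4515 so that a caller-supplied uid cannot add terms to the filter.

```python
import base64
import re

# Constructed LDIF modelled on the entries quoted in the thread. The
# groupOfNames entry cn=admins and lev's uidNumber 1042 are made up for this
# example; userPassword values are left out.
SAMPLE_LDIF = """\
dn: cn=gogo,ou=group,dc=toto,dc=fr
objectClass: posixGroup
gidNumber: 17000
cn: gogo
memberUid: gui
memberUid: lev

dn: cn=admins,ou=group,dc=toto,dc=fr
objectClass: groupOfNames
cn: admins
member: uid=lev,ou=staff,ou=people,dc=toto,dc=fr

dn: uid=gui,ou=staff,ou=people,dc=toto,dc=fr
objectClass: inetOrgPerson
objectClass: posixAccount
cn: gui lou
uid: gui
uidNumber: 1041
gidNumber: 18004

dn: uid=lev,ou=staff,ou=people,dc=toto,dc=fr
objectClass: inetOrgPerson
objectClass: posixAccount
cn: Lev Luv
uid: lev
uidNumber: 1042
gidNumber: 18004
"""


def parse_ldif(text):
    """Minimal LDIF reader: {dn: {attr_lowercase: [values]}}. Handles
    'attr: value' and base64 'attr:: value'; no line folding or changetype."""
    directory = {}
    for block in re.split(r"\n\s*\n", text.strip()):
        entry = {}
        for line in block.splitlines():
            if not line or line.startswith("#"):
                continue
            attr, _, value = line.partition(":")
            if value.startswith(":"):
                value = base64.b64decode(value[1:].strip()).decode()
            entry.setdefault(attr.strip().lower(), []).append(value.strip())
        directory[entry["dn"][0]] = entry
    return directory


def escape_filter_value(value):
    """RFC 4515 escaping so a caller-supplied uid cannot inject filter terms."""
    return "".join("\\%02x" % ord(c) if c in "*()\\\0" else c for c in value)


def _norm_dn(dn):
    """Approximates distinguishedNameMatch: case-insensitive, RDN whitespace
    trimmed (not safe for DNs containing escaped commas)."""
    return ",".join(part.strip().lower() for part in dn.split(","))


def _membership(group):
    """(attribute, values) holding the group's members: posixGroup lists uids
    in memberUid, groupOfNames lists DNs in member."""
    classes = {c.lower() for c in group.get("objectclass", [])}
    if "posixgroup" in classes:
        return "memberuid", list(group.get("memberuid", []))
    if "groupofnames" in classes:
        return "member", list(group.get("member", []))
    raise ValueError("not a group entry: " + group["dn"][0])


def group_members(directory, group_dn):
    """Operation 1: read the group entry and list its membership attribute."""
    return _membership(directory[group_dn])[1]


def is_member(directory, group_dn, candidate):
    """Operation 2: what an LDAP Compare on the group entry answers. memberUid
    (caseExactIA5Match) compares exactly; member compares as a DN."""
    attr, values = _membership(directory[group_dn])
    if attr == "memberuid":
        return candidate in values
    return any(_norm_dn(v) == _norm_dn(candidate) for v in values)


def member_account_filter(directory, group_dn):
    """Second step of the lookup the question asks about, for a posixGroup:
    search the people subtree for posixAccount entries whose uid is one of the
    group's memberUid values. Without an overlay that maintains memberOf there
    is no single filter that selects the members in one search."""
    attr, uids = _membership(directory[group_dn])
    if attr != "memberuid":
        raise ValueError("groupOfNames members are DNs: read each one directly")
    terms = "".join("(uid=%s)" % escape_filter_value(u) for u in uids)
    return "(&(objectClass=posixAccount)(|%s))" % terms


def resolve_members(directory, group_dn):
    """The second step carried out against the in-memory directory: DNs of the
    account entries behind the group's membership values."""
    attr, values = _membership(directory[group_dn])
    if attr == "member":
        return sorted(dn for dn in values if dn in directory)
    wanted = set(values)
    return sorted(dn for dn, e in directory.items()
                  if e.get("uid", [""])[0] in wanted
                  and "posixaccount" in {c.lower() for c in e.get("objectclass", [])})


DIRECTORY = parse_ldif(SAMPLE_LDIF)
GOGO = "cn=gogo,ou=group,dc=toto,dc=fr"
ADMINS = "cn=admins,ou=group,dc=toto,dc=fr"

if __name__ == "__main__":
    print(group_members(DIRECTORY, GOGO))
    print(is_member(DIRECTORY, GOGO, "gui"), is_member(DIRECTORY, GOGO, "bob"))
    print(member_account_filter(DIRECTORY, GOGO))
    print(resolve_members(DIRECTORY, ADMINS))
```

For an authorization check, `is_member` is the cheap path: one Compare on the group entry, no enumeration. The filter built by `member_account_filter` is what the second search would send for a posixGroup; for a groupOfNames the member values are already DNs, so each is read with a base-scope search instead.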