On 05/10/2009 14:15, Remi Ferrand wrote:
Jonathan Clarke wrote:
On 03/10/2009 01:21, Remi Ferrand wrote:
Hi,
I have the following configuration in my OpenLDAP:

dn: cn=stats.mysite.fr,ou=Group,dc=mysite,dc=fr
cn: stats.mysite.fr
objectClass: top
objectClass: groupOfNames
description: VirtualHost stats.mysite.fr
member: uid=user_authorized,ou=People,dc=mysite,dc=fr
member: uid=USER,ou=People,dc=mysite,dc=fr

dn: uid=USER,ou=People,dc=mysite,dc=fr
objectClass: top
objectClass: person
objectClass: inetOrgPerson
objectClass: organizationalPerson
objectClass: posixAccount
objectClass: shadowAccount
uid: USER
cn: USER P.
sn: USER P.
shadowMax: 99999
shadowWarning: 7
mail: USER@google.eu
loginShell: /bin/bash
uidNumber: 10007
gidNumber: 10007
homeDirectory: /home/ldap_users/USER
gecos: ,,,
and I'm wondering how to create a filter that matches only the members of a given group, in order to use it with Apache2 or other clients.
The difficulty for me is to obtain the posixAccount object and not the Group one.
You can't return account objects from a search based on groups, whatever the filter. Not with one LDAP search, anyway.
Most LDAP clients can check whether an entry is a member of a group. Apache's LDAP auth[nz] module does it too, see: http://httpd.apache.org/docs/2.2/mod/mod_authnz_ldap.html#reqgroup
Regards, Jonathan
Thanks Jonathan,
Too bad Dovecot is not able to check membership of a username ... My Apache2 configuration is already based on what you sent me and works very well ;)
I guess that my last possibility for getting this to work with Dovecot is to add a "member" field to every "objectClass=posixAccount" entry and to use a search filter such as: (&(objectClass=posixAccount)(member=MY_GROUP_DN))
The "memberof" overlay included in OpenLDAP can do that automatically for you: see slapo-memberof(5).
Regards, Jonathan
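As an added illustration of the slapo-memberof suggestion (this is not configuration from the thread or from the OpenLDAP project itself), the following cn=config LDIF enables the overlay on the database holding ou=People and ou=Group, so that slapd maintains a memberOf attribute on each account listed as a "member:" of a groupOfNames. The module path /usr/lib/ldap, the database RDN olcDatabase={1}hdb, and the existence of a cn=module{0} entry are assumptions; adjust them to your installation.

```ldif
# Added example (not from the thread): enable slapo-memberof via cn=config.
# Assumed: modules live in /usr/lib/ldap, the users/groups database is
# olcDatabase={1}hdb, and cn=module{0} already exists. Adjust as needed.

# 1. Load the overlay module (skip if memberof.la is already loaded).
dn: cn=module{0},cn=config
changetype: modify
add: olcModuleLoad
olcModuleLoad: memberof.la

# 2. Attach the overlay to the database that holds ou=People and ou=Group.
dn: olcOverlay=memberof,olcDatabase={1}hdb,cn=config
changetype: add
objectClass: olcOverlayConfig
objectClass: olcMemberOf
olcOverlay: memberof
# Which entries count as groups, which attribute lists their members,
# and which attribute to maintain on the member entries.
olcMemberOfGroupOC: groupOfNames
olcMemberOfMemberAD: member
olcMemberOfMemberOfAD: memberOf
# Keep "member:" lists consistent when a member entry is deleted or renamed.
olcMemberOfRefInt: TRUE
```

Apply it with ldapmodify over the local socket (ldapmodify -Y EXTERNAL -H ldapi:/// -f memberof.ldif); with the older slapd.conf style the equivalent is "overlay memberof" followed by "memberof-group-oc groupOfNames", "memberof-member-ad member", "memberof-memberof-ad memberOf" and "memberof-refint true" in the database section. Once the overlay is active, the filter Remi was after becomes (&(objectClass=posixAccount)(memberOf=cn=stats.mysite.fr,ou=Group,dc=mysite,dc=fr)), which returns the posixAccount entries rather than the group; in a Dovecot LDAP passdb this is typically combined with the login name, e.g. pass_filter = (&(objectClass=posixAccount)(uid=%u)(memberOf=cn=stats.mysite.fr,ou=Group,dc=mysite,dc=fr)). Three things to check before relying on it: the overlay only populates memberOf for group modifications made after it is enabled, so pre-existing groups must be re-added (or their members removed and re-added); memberOf is an operational attribute, so ldapsearch only shows it when you request it by name; and the DN that Dovecot binds as needs access to memberOf in the slapd ACLs, otherwise the filter silently matches nothing.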