Olivier wrote:
Hello Howard,
There are two common operations on a group: list all the members, and see if user X is a member of a group. For the first case, just retrieve the group entry and look at its member attribute. For the second case, just do a Compare on the group and test the member attribute against the user's DN.
Ok, but :
Let's say that I want to grant access to an application only for users of a specific group : what would be the filter to use ?
There is no filter. You simply set a slapd ACL granting access to the group. Read the slapd.access(5) manpage, or the Admin Guide, or the FAQ.
Another way to ask that is : what is the trick to retrieve posixAccount (or inetOrgPerson) objects that are member of a specific posixgroup (or groupofnames) ?
I don't see why any application needs to do this.
Aka : if posixgroup gogo is like this
    # gogo, group, toto.fr
    dn: cn=gogo,ou=group,dc=toto,dc=fr
    objectClass: posixGroup
    gidNumber: 17000
    cn: gogo
    memberUid: gui
    memberUid: lev
What is the filter to retrieve exactly this :
    # gui, staff, people, toto.fr
    dn: uid=gui,ou=staff,ou=people,dc=gui,dc=fr
    cn: gui lou
    givenName: Gui
    homeDirectory: /home/gui
    loginShell: /bin/tcsh
    objectClass: top
    objectClass: person
    objectClass: organizationalPerson
    objectClass: inetOrgPerson
    objectClass: posixAccount
    sn: Gui
    uid: gui
    uidNumber: 1041
    userPassword:: e1AZE4N1k=
    gidNumber: 18004

    # lev, staff, people, toto.fr
    dn: uid=lev,ou=staff,ou=people,dc=toto,dc=fr
    cn: Lev Luv
    givenName: Lev
    homeDirectory: /home/lev
    loginShell: /bin/bash
    objectClass: top
    objectClass: person
    objectClass: organizationalPerson
    objectClass: inetOrgPerson
    objectClass: posixAccount
    sn: Lev
    uid: lev
    uidNumber: 1041
    userPassword:: eFjQVNCZEZzN1k=
    gidNumber: 18004
2012/1/20 Howard Chu <hyc@symas.com>:
Felipe Augusto van de Wiel wrote:
Hello,
On 19-01-2012 15:14, Howard Chu wrote:
Dunno. IMO most people using memberOf are misusing the data model anyway, so it's of little interest.
Out of curiosity (and because I do try to avoid misusing the data model), why in your opinion memberOf represents a misuse?
There are two common operations on a group: list all the members, and see if user X is a member of a group. For the first case, just retrieve the group entry and look at its member attribute. For the second case, just do a Compare on the group and test the member attribute against the user's DN.
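
The Compare-based membership test described above, applied to the posixGroup from Olivier's message, as an added example that is not part of the original thread. It assumes the OpenLDAP client tools, an LDAP_URI of your own, an anonymous simple bind (-x), and that ldapcompare exits with the LDAP result code (6 for compareTrue, 5 for compareFalse); the function names are hypothetical.

```shell
#!/bin/sh
# Added example: group membership check with an LDAP Compare operation.
# LDAP_URI is an assumed server address; override it in the environment.
LDAP_URI="${LDAP_URI:-ldap://localhost}"

# group_has_member GROUP_DN ATTR VALUE
#   returns 0 = member, 1 = not a member, 2 = lookup error
group_has_member() {
    # "attr::value" means base64 to ldapcompare, so a value starting with
    # ':' would be reinterpreted; refuse it instead of comparing.
    case "$3" in
        :*) return 2 ;;
    esac
    cmp_rc=0
    ldapcompare -x -z -H "$LDAP_URI" "$1" "$2:$3" >/dev/null 2>&1 || cmp_rc=$?
    case "$cmp_rc" in
        6) return 0 ;;   # compareTrue
        5) return 1 ;;   # compareFalse
        *) return 2 ;;   # noSuchObject, server unreachable, ...
    esac
}

# require_group GROUP_DN ATTR VALUE
#   succeeds only on an explicit compareTrue; a lookup error is a denial
#   (fail closed) and is reported on stderr so it is not mistaken for
#   an ordinary "not a member" answer.
require_group() {
    status=0
    group_has_member "$1" "$2" "$3" || status=$?
    if [ "$status" -eq 2 ]; then
        echo "group lookup failed for $1, denying access" >&2
    fi
    [ "$status" -eq 0 ]
}

# Usage with the entries from the thread:
#   posixGroup:   require_group "cn=gogo,ou=group,dc=toto,dc=fr" memberUid gui
#   groupOfNames: require_group "<group DN>" member "<user DN>"
```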