 
            Hello,
I am searching for a way to add an LDAP constraint on attributes which prevents setting specific values. For example, I want to prevent the attribute "uid" from being equal (case-insensitively) to "foo" or "bar".
Using the manpage from https://linux.die.net/man/5/slapo-constraint it seems not to be possible. I tried a lot of things, like:
constraint_attribute uid set "this/uid & ([foo])"
constraint_attribute uid set "this/uid & [foo]"
constraint_attribute uid uri ldap:///dc=school,dc=local?forbidden?sub?(objectClass=forbiddenUsernames)
constraint_attribute uid regex ^[^f][^o][^o]*$
Even if they were working (they don't), I would need to reverse the whole constraint, because this would only allow me to add a whitelist while I want to add a blacklist. (Best would be if I could just add a "!" before the attribute constraint.)
I hope there is something which could help me.
Best regards Florian
 
            Florian Best wrote:
> I am searching for a way to add an LDAP constraint on attributes which prevents setting specific values. For example, I want to prevent the attribute "uid" from being equal (case-insensitively) to "foo" or "bar".
If you have slapo-unique ensuring uniqueness for 'uid' you can simply use a black-list entry with all unwanted values listed in attribute 'uid'.
See example in Æ-DIR demo:
https://demo.ae-dir.com/web2ldap/read?ldapi://%2Fvar%2Frun%2Fslapd%2Fldapi/c...
The advantage is that you can easily extend the list of unwanted values by adding more attribute values or even more separate black-list entries from different sources.
Ciao, Michael.
 
            Hello Michael,
unfortunately we have multiple objects with the same "uid" attribute, so the uniqueness overlay module cannot be used.
Is there a different way using the constraints module?
Thanks, Florian
On 27.07.2017 at 18:28, Michael Ströder wrote:
> Florian Best wrote:
> > I am searching for a way to add an LDAP constraint on attributes which prevents setting specific values. For example, I want to prevent the attribute "uid" from being equal (case-insensitively) to "foo" or "bar".
> If you have slapo-unique ensuring uniqueness for 'uid' you can simply use a black-list entry with all unwanted values listed in attribute 'uid'.
> See example in Æ-DIR demo:
> https://demo.ae-dir.com/web2ldap/read?ldapi://%2Fvar%2Frun%2Fslapd%2Fldapi/c...
> The advantage is that you can easily extend the list of unwanted values by adding more attribute values or even more separate black-list entries from different sources.
> Ciao, Michael.
 
            Florian Best wrote:
> unfortunately we have multiple objects with the same "uid" attribute, so the uniqueness overlay module cannot be used.
> Is there a different way using the constraints module?
Sure? Even with specifying the search base and a (negation!) filter in unique_uri?
Ciao, Michael.
 
Oh yes, if I only include the black-listed uids in the filter then it's possible. Thank you!
unique_uri ldap:///dc=base?uid?sub?(|(uid=root)(uid=www-data))
On 02.08.2017 at 19:19, Michael Ströder wrote:
> Florian Best wrote:
> > unfortunately we have multiple objects with the same "uid" attribute, so the uniqueness overlay module cannot be used.
> > Is there a different way using the constraints module?
> Sure? Even with specifying the search base and a (negation!) filter in unique_uri?
> Ciao, Michael.
 
            Florian Best wrote:
> Oh yes, if I only include the black-listed uids in the filter then it's possible. Thank you!
> unique_uri ldap:///dc=base?uid?sub?(|(uid=root)(uid=www-data))
Note that the filter part might not always work:
https://www.openldap.org/its/index.cgi?findid=6825
https://www.openldap.org/its/index.cgi?findid=6917
Ciao, Michael.
 
            Michael Ströder wrote:
> Florian Best wrote:
> > Oh yes, if I only include the black-listed uids in the filter then it's possible. Thank you!
> > unique_uri ldap:///dc=base?uid?sub?(|(uid=root)(uid=www-data))
> Note that the filter part might not always work:
And btw I meant something else:
Assuming you're using two different entry object classes 'account' and 'inetOrgPerson' with attribute 'uid' then you could define two different unique constraints (with two different black-list entries):
unique_uri ldap:///dc=base?uid?sub?(objectClass=inetOrgPerson)
unique_uri ldap:///dc=base?uid?sub?(objectClass=account)
In my setup this only works when using negation filters (!(…)) though.
Ciao, Michael.
openldap-technical@openldap.org
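A complete form of the black-list approach discussed in this thread (the black-list entry Michael suggests, plus the value-restricted `unique_uri` Florian ended up with), written as cn=config LDIF so that both pieces sit in one file. This is an added example, not configuration from the thread, from Æ-DIR or from the OpenLDAP project. The suffix `dc=base`, the data database being `olcDatabase={1}mdb`, the container `ou=forbidden-uids`, and the `unique` module already being loaded are assumptions; the filter caveats Michael points to (ITS#6825, ITS#6917) apply to this example unchanged, so verify the rejection on a test server before relying on it.

```ldif
# Added example (not from the thread): slapo-unique used as a uid black-list.
# Assumptions: suffix dc=base, data database olcDatabase={1}mdb, and the
# 'unique' overlay module already loaded (olcModuleLoad: unique).
#
# Part 1 is applied to cn=config, e.g.
#   ldapadd -Y EXTERNAL -H ldapi:/// -f this-file-part1.ldif
# Part 2 is applied to the data database with the normal admin bind.

# --- Part 1: the overlay -----------------------------------------------------
# The filter restricts the uniqueness search to the black-listed values, so
# ordinary users may still share a uid (the original requirement). When an
# entry with uid=root is added or modified anywhere under dc=base, the overlay
# searches dc=base for (&(|(uid=root)(uid=www-data)(uid=foo)(uid=bar))(uid=root));
# the black-list entry from part 2 matches, so the operation is rejected with
# "Constraint violation (19)".
dn: olcOverlay=unique,olcDatabase={1}mdb,cn=config
objectClass: olcOverlayConfig
objectClass: olcUniqueConfig
olcOverlay: unique
olcUniqueURI: ldap:///dc=base?uid?sub?(|(uid=root)(uid=www-data)(uid=foo)(uid=bar))

# --- Part 2: the black-list entry ---------------------------------------------
# A plain container for black-list entries (assumed name).
dn: ou=forbidden-uids,dc=base
objectClass: organizationalUnit
ou: forbidden-uids

# One entry that carries every forbidden value in 'uid'. Because 'uid' uses
# caseIgnoreMatch (RFC 4519), the overlay's search also matches "Root" or
# "WWW-DATA", which gives the case-insensitive behaviour asked for.
# 'account' (COSINE) is used only because it requires 'uid' and nothing else.
dn: uid=root,ou=forbidden-uids,dc=base
objectClass: account
uid: root
uid: www-data
uid: foo
uid: bar
description: uid values that no other entry under dc=base may use
```

Two practical points follow from how the check works. First, the value list appears twice (in the filter and in the entry) and both must be kept in sync: a value only in the entry is never searched for, and a value only in the filter has nothing to collide with. Second, the overlay also applies to the black-list entry itself, so if a user entry already holds `uid: root` when the black-list entry is added, it is the black-list add that fails; rename or remove the conflicting entries first, then load the black-list, and check the result with a test add of an entry containing `uid: ROOT`, which should be refused.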

