Hello. I have LDAP groups which keep users inside. Here is an example of a group:
# developer, roles, domain.com
dn: cn=developer,ou=roles,dc=domain,dc=com
objectClass: organizationalRole
cn: developer
roleOccupant: uid=user1,ou=people,dc=domain,dc=com
roleOccupant: uid=user2,ou=people,dc=domain,dc=com
I need to make a search filter which can tell whether a certain user belongs to a group, or whether a certain group has a user.
The next filter gives all uids of the group developer:
openldapsearch -v -H ldaps://<ldap_host> -x -b 'dc=domain,dc=com' -W -D "cn=vmail,ou=services,dc=domain,dc=com" '(&(objectClass=organizationalRole)(cn=developer))' RoleOccupant
When I try to add 'uid' to the filter it doesn't return any records:
'(&(objectClass=organizationalRole)(cn=developer)(uid=user1,ou=people,dc=domain,dc=com))' RoleOccupant
'(&(objectClass=organizationalRole)(cn=developer)(uid=user1,ou=people,dc=domain,dc=com))'
'(&(objectClass=organizationalRole)(cn=developer)(uid=user1*))' RoleOccupant
How can I change the filter so that it checks whether user1 belongs to the group developer?
On 06/03/2023 at 16:13, forumforeign wrote:
'(&(objectClass=organizationalRole)(cn=developer)(uid=user1,ou=people,dc=domain,dc=com))' RoleOccupant
'(&(objectClass=organizationalRole)(cn=developer)(uid=user1,ou=people,dc=domain,dc=com))'
'(&(objectClass=organizationalRole)(cn=developer)(uid=user1*))' RoleOccupant
How can I change the filter so that it checks whether user1 belongs to the group developer?
Use '(&(objectClass=organizationalRole)(cn=developer)(roleOccupant=user1,ou=people,dc=domain,dc=com))', it will return one entry if the user is a member of the group "cn=developer", and no entry otherwise.
06.03.23 19:14, Clément OUDOT wrote:
Use '(&(objectClass=organizationalRole)(cn=developer)(roleOccupant=user1,ou=people,dc=domain,dc=com))', it will return one entry if the user is a member of the group "cn=developer", and no entry otherwise.
Unfortunately it also doesn't work:
$ openldapsearch -v -H ldaps://<ldap_host> -x -b 'dc=domain,dc=com' -W -D "cn=vmail,ou=services,dc=domain,dc=com" '(&(objectClass=organizationalRole)(cn=developer)(roleOccupant=user1,ou=people,dc=domain,dc=com))' RoleOccupant
Enter LDAP Password:
# extended LDIF
#
# LDAPv3
# base <dc=domain,dc=com> with scope subtree
# filter: (&(objectClass=organizationalRole)(cn=developer)(roleOccupant=user1,ou=people,dc=domain,dc=com))
# requesting: RoleOccupant
#

# search result
search: 2
result: 0 Success

# numResponses: 1
Also, I have tried (without RoleOccupant at the end)
$ openldapsearch -v -H ldaps://<ldap_host> -x -b 'dc=domain,dc=com' -W -D "cn=vmail,ou=services,dc=domain,dc=com" '(&(objectClass=organizationalRole)(cn=developer)(roleOccupant=user1,ou=people,dc=domain,dc=com))'
On 07/03/2023 at 06:58, forumforeign wrote:
Unfortunately it also doesn't work:
$ openldapsearch -v -H ldaps://<ldap_host> -x -b 'dc=domain,dc=com' -W -D "cn=vmail,ou=services,dc=domain,dc=com" '(&(objectClass=organizationalRole)(cn=developer)(roleOccupant=user1,ou=people,dc=domain,dc=com))' RoleOccupant
Enter LDAP Password:
# extended LDIF
#
# LDAPv3
# base <dc=domain,dc=com> with scope subtree
# filter: (&(objectClass=organizationalRole)(cn=developer)(roleOccupant=user1,ou=people,dc=domain,dc=com))
# requesting: RoleOccupant
#

# search result
search: 2
result: 0 Success

# numResponses: 1
Also, I have tried (without RoleOccupant at the end)
$ openldapsearch -v -H ldaps://<ldap_host> -x -b 'dc=domain,dc=com' -W -D "cn=vmail,ou=services,dc=domain,dc=com" '(&(objectClass=organizationalRole)(cn=developer)(roleOccupant=user1,ou=people,dc=domain,dc=com))'
There was a typo in the filter, the attribute of the RDN was missing:
'(&(objectClass=organizationalRole)(cn=developer)(roleOccupant=uid=user1,ou=people,dc=domain,dc=com))'
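The point of the fix is that roleOccupant is a DN-valued attribute, so the assertion value has to be the complete DN of the user, including its `uid=` RDN. As an added example (not code from the thread or from OpenLDAP), the Python script below builds that membership filter from a uid with RFC 4515 escaping applied to the user-supplied part, and evaluates the resulting filter offline against the group entry posted in the first message using a toy AND/equality matcher. The people base `ou=people,dc=domain,dc=com`, the helper names and the in-memory evaluator are assumptions for the illustration; a real server applies distinguishedNameMatch to roleOccupant, which the case-insensitive string compare here only approximates.

```python
# Added example, not from the thread: build the membership filter as in the fix
# above (roleOccupant=<full user DN>) and evaluate it against the posted entry.
import re
from typing import Dict, List

# Group entry copied from the first message of the thread (LDIF, one attribute per line).
GROUP_LDIF = """\
dn: cn=developer,ou=roles,dc=domain,dc=com
objectClass: organizationalRole
cn: developer
roleOccupant: uid=user1,ou=people,dc=domain,dc=com
roleOccupant: uid=user2,ou=people,dc=domain,dc=com
"""

# Assumed location of user entries (matches the DNs in the posted group).
PEOPLE_BASE = 'ou=people,dc=domain,dc=com'


def escape_filter_value(value: str) -> str:
    """Escape a value for use inside an LDAP filter assertion (RFC 4515).
    Only '\\', '*', '(', ')' and NUL are special; commas and '=' in a DN are fine.
    Without this, a user-controlled uid could add or alter assertions (filter injection)."""
    return ''.join('\\%02x' % ord(ch) if ch in '\\*()\x00' else ch for ch in value)


def user_dn(uid: str, people_base: str = PEOPLE_BASE) -> str:
    """Full DN of a user; the 'uid=' RDN attribute is what the first attempt omitted."""
    return f'uid={uid},{people_base}'


def membership_filter(group_cn: str, member_dn: str) -> str:
    """The filter from the fix: AND of objectClass, cn and the full member DN."""
    return ('(&(objectClass=organizationalRole)'
            f'(cn={escape_filter_value(group_cn)})'
            f'(roleOccupant={escape_filter_value(member_dn)}))')


def parse_ldif_entry(text: str) -> Dict[str, List[str]]:
    """Minimal LDIF reader: one entry, attribute names lower-cased, multi-valued."""
    entry: Dict[str, List[str]] = {}
    for line in text.splitlines():
        if not line.strip() or line.startswith('#'):
            continue
        attr, _, value = line.partition(':')
        entry.setdefault(attr.strip().lower(), []).append(value.strip())
    return entry


# One equality assertion "(attr=value)"; the value may contain \xx escapes but no bare ( ) \.
ASSERTION_RE = re.compile(r'\(([A-Za-z][A-Za-z0-9-]*)=((?:[^()\\]|\\[0-9A-Fa-f]{2})*)\)')


def unescape_filter_value(value: str) -> str:
    return re.sub(r'\\([0-9A-Fa-f]{2})', lambda m: chr(int(m.group(1), 16)), value)


def count_assertions(flt: str) -> int:
    """Number of equality assertions inside an (&...) filter; shows escaping kept it to three."""
    return len(ASSERTION_RE.findall(flt[2:-1]))


def entry_matches(entry: Dict[str, List[str]], flt: str) -> bool:
    """Toy evaluator: AND-only filters of equality assertions, values compared
    case-insensitively (approximates caseIgnoreMatch / distinguishedNameMatch)."""
    if not (flt.startswith('(&') and flt.endswith(')')):
        raise ValueError('only (&(a=v)(b=v)...) filters are supported here')
    assertions = ASSERTION_RE.findall(flt[2:-1])
    if not assertions:
        raise ValueError('no equality assertions found in filter')
    for attr, raw in assertions:
        wanted = unescape_filter_value(raw).lower()
        if wanted not in [v.lower() for v in entry.get(attr.lower(), [])]:
            return False
    return True


def is_member(entry: Dict[str, List[str]], group_cn: str, uid: str) -> bool:
    return entry_matches(entry, membership_filter(group_cn, user_dn(uid)))


if __name__ == '__main__':
    group = parse_ldif_entry(GROUP_LDIF)
    for uid in ('user1', 'user3'):
        print(uid, 'member of developer:', is_member(group, 'developer', uid))
    # The thread's failing attempt: value without the uid= RDN never equals a stored DN.
    print('without RDN:', entry_matches(group, membership_filter('developer', 'user1,' + PEOPLE_BASE)))
    # A uid containing filter metacharacters stays a single literal assertion once escaped.
    print(membership_filter('developer', user_dn('user1)(cn=*')))
```

Run it as `python3 filter_check.py`; against a live directory the string returned by `membership_filter` is exactly what goes after the bind options on the ldapsearch command line in the thread, and the escaping matters whenever the uid comes from a login form or another untrusted source rather than from a fixed script.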
07.03.23 21:50, Clément OUDOT wrote:
There was a typo in the filter, the attribute of the RDN was missing:
'(&(objectClass=organizationalRole)(cn=developer)(roleOccupant=uid=user1,ou=people,dc=domain,dc=com))'
Thank you! It works.
--On Monday, March 6, 2023 5:13 PM +0200 forumforeign forumforeign@gmail.com wrote:
Hello. I have LDAP groups which keep users inside. Here an example of group:
A few things:
a) I'd suggest using 'member' to define group memberships and using the 'groupOfMembers' objectClass from rfc2307bis
b) If you want to know if someone belongs to a specific group, you may want to look at the dynlist overlay with support for dynamically populating the 'memberOf' attribute on a user entry. (OpenLDAP 2.5+)
Regards, Quanah
openldap-technical@openldap.org