According to this post http://blog.oddbit.com/post/2013-07-22-generating-a-membero/ it is possible to use a strategy for generating a memberOf attribute for posixGroups (dynlist module).
This need arose for a legacy OpenLDAP directory with several applications using it.
So, this seems to me the best solution to be able to use memberOf as a filter.
NOTE: Complete information about the problem is here: https://stackoverflow.com/questions/68583838/ldap-add-a-filter-to-an-ldap-ur...
*QUESTION:* Has anyone tested/used the procedure in the post http://blog.oddbit.com/post/2013-07-22-generating-a-membero/ ? I.e., generating a memberOf attribute for posixGroups (dynlist module)?
What I have for the group OU and the user OU is below...
*GROUP*
```
cn: accessgroup
gidNumber: 1004
memberUid: usera
memberUid: userb
memberUid: userc
memberUid: userd
memberUid: usere
memberUid: userf
memberUid: userg
memberUid: userh
memberUid: useri
objectClass: top
objectClass: posixGroup
```
*USERS*
```
cn: User Letter A
gecos: User Letter A
gender: M
gidNumber: 544
givenName: User
gotoLastSystemLogin: 01.01.1970 00:00:00
homeDirectory: /home/usera
loginShell: /bin/bash
mail: user.letter.a@domain.abc.de
objectClass: top
objectClass: person
objectClass: organizationalPerson
objectClass: inetOrgPerson
objectClass: gosaAccount
objectClass: posixAccount
objectClass: shadowAccount
objectClass: sambaSamAccount
[...]
uid: usera
uidNumber: 1004
[...]
```
*Thanks! =D*
--On Friday, July 30, 2021 2:30 PM -0300 Eduardo Lúcio Amorim Costa eduardolucioac@gmail.com wrote:
According to this post http://blog.oddbit.com/post/2013-07-22-generating-a-membero/ it is possible to use a strategy for generating a memberOf attribute for posixGroups (dynlist module).
This need arose for a legacy OpenLDAP directory with several applications using it.
So, this seems to me the best solution to be able to use memberOf as a filter.
You want OpenLDAP 2.5's version of dynlist.
Regards, Quanah
--
Quanah Gibson-Mount Product Architect Symas Corporation Packaged, certified, and supported LDAP solutions powered by OpenLDAP: http://www.symas.com
Hello,
On 30/07/2021 at 18:37, Quanah Gibson-Mount wrote:
You want OpenLDAP 2.5's version of dynlist.
Just to be sure, could you please summarize for me the benefits of using OpenLDAP 2.5's version of the dynlist overlay? Is it now possible to use "memberOf"-like attributes in a filter clause?
Regards,
--On Tuesday, August 3, 2021 4:42 PM +0200 Benjamin Renard brenard@easter-eggs.com wrote:
Hello,
On 30/07/2021 at 18:37, Quanah Gibson-Mount wrote:
You want OpenLDAP 2.5's version of dynlist.
Just to be sure, could you please summarize for me the benefits of using OpenLDAP 2.5's version of the dynlist overlay? Is it now possible to use "memberOf"-like attributes in a filter clause?
You could just read the 2.5 man page.
But yes, you can use the dynamically generated memberOf in LDAP filters.
You may also want to look at the dynlist test script, from line 749 on.
--Quanah
On 03/08/2021 at 17:52, Quanah Gibson-Mount wrote:
--On Tuesday, August 3, 2021 4:42 PM +0200 Benjamin Renard brenard@easter-eggs.com wrote:
Hello,
On 30/07/2021 at 18:37, Quanah Gibson-Mount wrote:
You want OpenLDAP 2.5's version of dynlist.
Just to be sure, could you please summarize for me the benefits of using OpenLDAP 2.5's version of the dynlist overlay? Is it now possible to use "memberOf"-like attributes in a filter clause?
You could just read the 2.5 man page.
I tried, but it's quite difficult to extract the new features :) Moreover, the new configuration syntax of the dynlist-attrset directive is quite complicated to learn and interpret. I have a feeling that it's really powerful, but it will take some tests to understand the subtleties and all the possibilities it offers.
But yes, you can use the dynamically generated memberOf in LDAP filters.
You may also want to look at the dynlist test script, from line 749 on.
I see, and it's a great addition!
Thank you,
Okay guys!
I have solved this problem in the way described below.
*I created a simple Python 2.7 script that stores each user's posixGroup associations in a pgMemberOf (memberOf-like) attribute. The purpose is to enable search filters like the ones below...*
MODEL
```
ldapsearch -x -H 'ldap://127.0.0.1:389' -b 'ou=persons,dc=domain,dc=abc,dc=de' \
  -D 'cn=admin,dc=domain,dc=abc,dc=de' \
  -w 'mySecretValue' \
  '(&(pgMemberOf=cn=certaingroup,ou=groups,dc=domain,dc=abc,dc=de)(uid=certainuid))'
```
EXAMPLE
```
ldapsearch -x -H '<OPENLDAP_URI>' -b '<PERSONS_OU>,<BASE_DN>' \
  -D '<ADM_USER_DN>' \
  -w '<ADM_USER_PASSWORD>' \
  '(&(pgMemberOf=cn=<PSX_GROUP_CN>,<GROUPS_OU>,<BASE_DN>)(uid=<PERSON_UID>))'
```
This script is useful for cases where we already have OpenLDAP installed and want to make filters available for posixGroups that already exist, in a very simple way and without creating new types of groups. It is also useful when we are unable to install overlays, or when that process is too laborious or risky.
*The project is in this repository:* https://github.com/eduardolucioac/psx-grp-flt
*Thanks! =D*
On Tue., 3 Aug. 2021 at 13:34, Benjamin Renard <brenard@easter-eggs.com> wrote:
On 03/08/2021 at 17:52, Quanah Gibson-Mount wrote:
--On Tuesday, August 3, 2021 4:42 PM +0200 Benjamin Renard brenard@easter-eggs.com wrote:
Hello,
On 30/07/2021 at 18:37, Quanah Gibson-Mount wrote:
You want OpenLDAP 2.5's version of dynlist.
Just to be sure, could you please summarize for me the benefits of using OpenLDAP 2.5's version of the dynlist overlay? Is it now possible to use "memberOf"-like attributes in a filter clause?
You could just read the 2.5 man page.
<https://www.openldap.org/software/man.cgi?query=slapo-dynlist&apropos=0&...>
I tried, but it's quite difficult to extract the new features :) Moreover, the new configuration syntax of the dynlist-attrset directive is quite complicated to learn and interpret. I have a feeling that it's really powerful, but it will take some tests to understand the subtleties and all the possibilities it offers.
But yes, you can use the dynamically generated memberOf in LDAP filters.
You may also want to look at the dynlist test script, from line 749 on.
<https://git.openldap.org/openldap/openldap/-/blob/OPENLDAP_REL_ENG_2_5/tests...>
I see, and it's a great addition!
Thank you,
-- Benjamin Renard - Easter-eggs 44-46 rue de l'Ouest - 75014 Paris - France - Métro Gaité Phone: +33 (0) 1 43 35 00 37 - Fax: +33 (0) 1 43 35 00 76 mailto:brenard@easter-eggs.com - http://www.easter-eggs.com
openldap-technical@openldap.org
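As an added example of the stored-attribute approach described in the last message (this is not code from the psx-grp-flt project or from any of the posts), the script below derives pgMemberOf from posixGroup memberUid values and emits LDIF modify records for ldapmodify. It is Python 3 rather than 2.7 and assumes the entries have already been read from the directory into dicts.

```python
# Added example (not the psx-grp-flt project's code), Python 3. Entries are
# {attr: [values]} dicts as an LDAP client library would return them.
# pgMemberOf is the thread's custom attribute and must exist in the schema.

from collections import defaultdict

GROUPS_OU = "ou=groups,dc=domain,dc=abc,dc=de"
PERSONS_OU = "ou=persons,dc=domain,dc=abc,dc=de"

# Constructed sample directory: one posixGroup, a member user, and a user
# whose pgMemberOf still names a group it has since been removed from.
SAMPLE_ENTRIES = [
    {"dn": [f"cn=accessgroup,{GROUPS_OU}"], "objectClass": ["posixGroup"],
     "memberUid": ["usera", "userb"]},
    {"dn": [f"uid=usera,{PERSONS_OU}"], "objectClass": ["posixAccount"],
     "uid": ["usera"]},
    {"dn": [f"uid=userc,{PERSONS_OU}"], "objectClass": ["posixAccount"],
     "uid": ["userc"], "pgMemberOf": [f"cn=oldgroup,{GROUPS_OU}"]},
]

def group_membership(entries):
    """Map uid -> sorted DNs of the posixGroups listing it in memberUid."""
    groups = defaultdict(set)
    for e in entries:
        if "posixGroup" in e.get("objectClass", []):
            for uid in e.get("memberUid", []):
                groups[uid].add(e["dn"][0])
    return {uid: sorted(dns) for uid, dns in groups.items()}

def build_modify_ldif(entries):
    """Return LDIF modify records that replace pgMemberOf on each
    posixAccount, or delete it when the user belongs to no group, so a
    stale value cannot keep matching a (pgMemberOf=...) filter."""
    membership, records = group_membership(entries), []
    for e in entries:
        if "posixAccount" not in e.get("objectClass", []):
            continue
        dns = membership.get(e["uid"][0], [])
        rec = [f"dn: {e['dn'][0]}", "changetype: modify"]
        if dns:
            rec += ["replace: pgMemberOf"] + [f"pgMemberOf: {d}" for d in dns]
        elif e.get("pgMemberOf"):
            rec.append("delete: pgMemberOf")
        else:
            continue          # nothing stored and nothing to store
        records.append("\n".join(rec) + "\n-\n")
    return "\n".join(records)

if __name__ == "__main__":
    print(build_modify_ldif(SAMPLE_ENTRIES))   # pipe into ldapmodify
```

Unlike a dynlist-generated memberOf, the stored attribute only reflects membership as of the last run, so the delete branch matters: a user removed from a group would otherwise keep matching the filter until the script runs again.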