Hi... guys
I have an LDAP server and it has a group called:
cn=internal,ou=group,dc=example,dc=com
The users of this group are:
uid=user1,ou=user,dc=example,dc=com
uid=user2,ou=user,dc=example,dc=com
I need to authenticate only the users under cn=internal.
The LDAP search for the cn=internal group returns the following:
dn: cn=internal,ou=group,dc=example,dc=com
objectClass: groupOfNames
objectClass: top
cn: internal
member: uid=user1,ou=user,dc=example,dc=com
member: uid=user2,ou=user,dc=example,dc=com
member: uid=user3,ou=user,dc=example,dc=com
member: uid=user4,ou=user,dc=example,dc=com
By the way, all the users are stored under the base OU=user,DC=example,DC=com.
This is what we are using:
(&(objectClass=groupOfNames)(memberOf=CN=internal,OU=group,DC=example,DC=com))
It doesn't seem to work.
What LDAP search filter do I need to use to get only the members of the cn=internal group authenticated?
Thanks
On Mon, May 14, 2012 at 08:06:41PM +0530, dhanushka ranasinghe wrote:
> I have an LDAP server and it has a group called:
> cn=internal,ou=group,dc=example,dc=com
> The users of this group are:
> uid=user1,ou=user,dc=example,dc=com
> uid=user2,ou=user,dc=example,dc=com
> I need to authenticate only the users under cn=internal.
I assume you mean "I only want to allow users of this group to access some resource"
> This is what we are using:
> (&(objectClass=groupOfNames)(memberOf=CN=internal,OU=group,DC=example,DC=com))
> It doesn't seem to work.
> What LDAP search filter do I need to use to get only the members of the cn=internal group authenticated?
I think it would be best to use several LDAP operations rather than trying to do everything in one go. For example:
1) Search for user:
   base: ou=user,dc=example,dc=com
   filter: (&(objectclass=account)(uid=<username>))
   If the user exists, note the DN of the entry found.
2) Authenticate user:
   Bind as the user DN using the user-supplied password.
   If this fails, deny access.
3) Re-bind as a system user (or anonymously, if that has enough access).
4) Check authorisation:
   Search base: CN=internal,OU=group,DC=example,DC=com
   Search scope: base
   Filter: (member=<user DN>)
   Return attributes: cn
   If this returns an entry then the user is in the authorisation group and should be allowed to use the resource. Otherwise, deny access.
Andrew
Hi guys...
Thanks for the reply,
I tried many LDAP filters according to the suggestion made by Andrew, but I was unable to get it to work. Any idea how to write such a filter?
Thank You
On 15 May 2012 03:03, Andrew Findlay <andrew.findlay@skills-1st.co.uk> wrote:
> On Mon, May 14, 2012 at 08:06:41PM +0530, dhanushka ranasinghe wrote:
> > I have an LDAP server and it has a group called:
> > cn=internal,ou=group,dc=example,dc=com
> > The users of this group are:
> > uid=user1,ou=user,dc=example,dc=com
> > uid=user2,ou=user,dc=example,dc=com
> > I need to authenticate only the users under cn=internal.
> I assume you mean "I only want to allow users of this group to access some resource"
> > This is what we are using:
> > (&(objectClass=groupOfNames)(memberOf=CN=internal,OU=group,DC=example,DC=com))
> > It doesn't seem to work.
> > What LDAP search filter do I need to use to get only the members of the cn=internal group authenticated?
> I think it would be best to use several LDAP operations rather than trying to do everything in one go. For example:
> 1) Search for user:
>    base: ou=user,dc=example,dc=com
>    filter: (&(objectclass=account)(uid=<username>))
>    If the user exists, note the DN of the entry found.
> 2) Authenticate user:
>    Bind as the user DN using the user-supplied password.
>    If this fails, deny access.
> 3) Re-bind as a system user (or anonymously, if that has enough access).
> 4) Check authorisation:
>    Search base: CN=internal,OU=group,DC=example,DC=com
>    Search scope: base
>    Filter: (member=<user DN>)
>    Return attributes: cn
>    If this returns an entry then the user is in the authorisation group and should be allowed to use the resource. Otherwise, deny access.
> Andrew
> --
> From Andrew Findlay, Skills 1st Ltd
> Consultant in large-scale systems, networks, and directory services
> http://www.skills-1st.co.uk/ +44 1628 782565
dhanushka ranasinghe wrote:
> Hi guys...
> Thanks for the reply,
> I tried many LDAP filters according to the suggestion made by Andrew, but I was unable to get it to work. Any idea how to write such a filter?
> Thank You
> On 15 May 2012 03:03, Andrew Findlay <andrew.findlay@skills-1st.co.uk> wrote:
> > On Mon, May 14, 2012 at 08:06:41PM +0530, dhanushka ranasinghe wrote:
> > > I have an LDAP server and it has a group called:
> > > cn=internal,ou=group,dc=example,dc=com
> > > The users of this group are:
> > > uid=user1,ou=user,dc=example,dc=com
> > > uid=user2,ou=user,dc=example,dc=com
> > > I need to authenticate only the users under cn=internal.
> > I assume you mean "I only want to allow users of this group to access some resource"
> > > This is what we are using:
> > > (&(objectClass=groupOfNames)(memberOf=CN=internal,OU=group,DC=example,DC=com))
> > > It doesn't seem to work.
> > > What LDAP search filter do I need to use to get only the members of the cn=internal group authenticated?
> > I think it would be best to use several LDAP operations rather than trying to do everything in one go. For example:
> > 1) Search for user:
> >    base: ou=user,dc=example,dc=com
> >    filter: (&(objectclass=account)(uid=<username>))
> >    If the user exists, note the DN of the entry found.
> > 2) Authenticate user:
> >    Bind as the user DN using the user-supplied password.
> >    If this fails, deny access.
> > 3) Re-bind as a system user (or anonymously, if that has enough access).
> > 4) Check authorisation:
> >    Search base: CN=internal,OU=group,DC=example,DC=com
> >    Search scope: base
> >    Filter: (member=<user DN>)
> >    Return attributes: cn
> >    If this returns an entry then the user is in the authorisation group and should be allowed to use the resource. Otherwise, deny access.
Step 4 should just be an LDAP Compare operation.
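The four operations Andrew lists, with step 4 done as a Compare as the reply above suggests, written out as an added Python example that is not code from the thread. It runs against a small in-memory stand-in for the directory (constructed here, with made-up passwords and entries shaped like the ones posted) instead of a live server, so it executes offline; `FakeDirectory`, `make_directory`, `authorize` and `ldap_filter_escape` are names chosen for this example. Two checks the thread does not mention are included: the username is escaped per RFC 4515 before it is put into the filter, and an empty password is rejected before the bind, because a simple bind with a DN and no password is an unauthenticated bind (RFC 4513) that many servers accept.

```python
import re

USER_BASE = "ou=user,dc=example,dc=com"
GROUP_DN = "cn=internal,ou=group,dc=example,dc=com"


def ldap_filter_escape(value):
    """RFC 4515 escaping for a value placed inside a search filter.
    Without it a username containing '*', '(' or ')' would change the
    meaning of (uid=<username>) instead of being matched literally."""
    return "".join("\\%02x" % ord(c) if c in "\\*()\x00" else c for c in value)


def _unescape(value):
    # Server side of the same rule: \xx hex escapes back to the literal char.
    return re.sub(r"\\([0-9a-fA-F]{2})", lambda m: chr(int(m.group(1), 16)), value)


_ATOM = re.compile(r"\(([A-Za-z]+)=([^()]*)\)")


def _matches(entry, flt):
    """Evaluate one equality atom or an AND of atoms, which is all this
    stand-in needs; values compare case-insensitively as on a real server."""
    atoms = _ATOM.findall(flt)
    if not atoms or (len(atoms) > 1 and not flt.startswith("(&")):
        raise ValueError("unsupported filter: " + flt)
    return all(_unescape(v).lower() in [x.lower() for x in entry.get(a.lower(), [])]
               for a, v in atoms)


class FakeDirectory:
    """Constructed in-memory stand-in for the LDAP server (hypothetical,
    for this example), exposing the three operations the flow uses."""

    def __init__(self, entries):
        self.entries = {dn.lower(): {**{"dn": [dn]}, **{k.lower(): v for k, v in a.items()}}
                        for dn, a in entries.items()}
        self.bound_as = None

    def bind(self, dn, password):
        """Simple bind; dn=None is an anonymous bind."""
        if dn is None:
            self.bound_as = None
            return True
        entry = self.entries.get(dn.lower())
        ok = entry is not None and password in entry.get("userpassword", [])
        self.bound_as = dn if ok else None
        return ok

    def search(self, base, scope, flt):
        """DNs of entries at/under base (scope 'base' or 'sub') matching flt."""
        base = base.lower()
        return [e["dn"][0] for dn, e in self.entries.items()
                if (dn == base or (scope == "sub" and dn.endswith("," + base)))
                and _matches(e, flt)]

    def compare(self, dn, attr, value):
        """LDAP Compare: does the entry hold this value for this attribute?"""
        entry = self.entries.get(dn.lower())
        return entry is not None and value.lower() in [v.lower() for v in entry.get(attr.lower(), [])]


def make_directory():
    """Constructed sample data shaped like the thread's entries; passwords are made up."""
    return FakeDirectory({
        "uid=user1,ou=user,dc=example,dc=com":
            {"objectClass": ["account"], "uid": ["user1"], "userPassword": ["pw-user1"]},
        "uid=user5,ou=user,dc=example,dc=com":
            {"objectClass": ["account"], "uid": ["user5"], "userPassword": ["pw-user5"]},
        GROUP_DN:
            {"objectClass": ["groupOfNames", "top"], "cn": ["internal"],
             "member": ["uid=user%d,ou=user,dc=example,dc=com" % i for i in (1, 2, 3, 4)]},
    })


def authorize(directory, username, password, system_dn=None, system_pw=None):
    """Andrew's four steps; True only if the user authenticates *and* is a
    member of GROUP_DN. system_dn=None re-binds anonymously in step 3."""
    # Reject an empty password before binding: a simple bind with a DN and an
    # empty password is an unauthenticated bind (RFC 4513), which many servers
    # accept, so it would "succeed" for any existing user.
    if not password:
        return False
    # 1) locate the user's entry; exactly one hit is expected
    flt = "(&(objectclass=account)(uid=%s))" % ldap_filter_escape(username)
    hits = directory.search(USER_BASE, "sub", flt)
    if len(hits) != 1:
        return False
    user_dn = hits[0]
    # 2) authenticate by binding as that DN with the supplied password
    if not directory.bind(user_dn, password):
        return False
    # 3) re-bind as the system identity (or anonymously) for the lookup
    if not directory.bind(system_dn, system_pw):
        return False
    # 4) authorisation as a single Compare on the group's member attribute
    return directory.compare(GROUP_DN, "member", user_dn)
```

Against a real server the same calls map onto the client library's search, simple bind and compare operations; the step 1 search should be required to return exactly one entry, and zero or several hits should deny rather than pick one.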
On Mon, Jun 25, 2012 at 09:17:28AM +0530, dhanushka ranasinghe wrote:
> I tried many LDAP filters according to the suggestion made by Andrew, but I was unable to get it to work. Any idea how to write such a filter?
You will have to post more detail and ask clearer questions if you want to get help from a mailing list like this.
To start with, I suggest you post an LDIF file containing all the entries involved in your tests. You should then describe what you want to do, and post some example searches showing what you have tried so far.
Andrew
openldap-technical@openldap.org