Is there a way to perform a single query against an LDAP database such that I can retrieve the group name (cn) from a user's full name (cn)? My structure holds user accounts in ou=People and groups in ou=Group. I know I can ask for gidNumber from the People tree, then reference the group in the Group tree, but with an SQL background, I would like a single query.
Thanks,
Chuck Theobald wrote:
> Is there a way to perform a single query against an LDAP database such that I can retrieve the group name (cn) from a user's full name (cn)? My structure holds user accounts in ou=People and groups in ou=Group. I know I can ask for gidNumber from the People tree, then reference the group in the Group tree, but with an SQL background, I would like a single query.
Not feasible in general. The LDAP functional model is much simpler than SQL.
Depending on the group schema used in your deployment you could configure the server with slapo-memberof. Then slapd maintains a back-link to the group entries from the member entry. By default it is the attribute 'memberOf' (configurable) and it always contains the full DN of all group entries. This only works if you are using RFC 2307bis style posixGroup entries with the attribute 'member' pointing to member entries (not 'memberUID').
If you also have to provide the 'memberUID' group-relation attribute to some legacy clients, you can define a hybrid groupOfNames/posixGroup object class as described here:
http://www.ietf.org/mail-archive/web/ldapext/current/msg02112.html
Ciao, Michael.
On 29/04/2015 07:59, Michael Ströder wrote:
> Chuck Theobald wrote:
>> Is there a way to perform a single query against an LDAP database such that I can retrieve the group name (cn) from a user's full name (cn)? My structure holds user accounts in ou=People and groups in ou=Group. I know I can ask for gidNumber from the People tree, then reference the group in the Group tree, but with an SQL background, I would like a single query.
> Not feasible in general. The LDAP functional model is much simpler than SQL.
> Depending on the group schema used in your deployment you could configure the server with slapo-memberof. Then slapd maintains a back-link to the group entries from the member entry. By default it is the attribute 'memberOf' (configurable) and it always contains the full DN of all group entries. This only works if you are using RFC 2307bis style posixGroup entries with the attribute 'member' pointing to member entries (not 'memberUID').
I think what Chuck wants to do is dereference a user's primary group ID from their gidNumber attribute to get the group name. The primary group does not appear in the memberOf list with slapo-memberof as the user won't be in the list of members for that group.
The only way is indeed to do two lookups: get the user's gidNumber, then the group name associated with that gidNumber.
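The two-lookup procedure the thread settles on (user's cn -> gidNumber -> posixGroup cn), written out as an added Python example that is not part of any message in this thread. It runs against a small constructed in-memory directory modelled on the ou=People / ou=Group layout Chuck describes (the dc=example,dc=org suffix, the entries and the `search` stand-in for ldapsearch are all assumptions made for the example). The point worth showing beyond the thread is that the user-supplied cn goes into the first filter only after RFC 4515 escaping, so a cn containing `(`, `)`, `*` or `\` is looked up correctly rather than rewriting the filter.

```python
import re

# Constructed sample directory (not real data): two posixAccount entries under
# ou=People and their primary groups under ou=Group, as in the thread's layout.
DIRECTORY = [
    {"dn": "cn=Chuck Theobald,ou=People,dc=example,dc=org",
     "objectClass": ["inetOrgPerson", "posixAccount"],
     "cn": ["Chuck Theobald"], "uid": ["chuck"], "gidNumber": ["1001"]},
    # A cn containing filter metacharacters, to exercise the escaping.
    {"dn": "cn=Group (Admin),ou=People,dc=example,dc=org",
     "objectClass": ["inetOrgPerson", "posixAccount"],
     "cn": ["Group (Admin)"], "uid": ["gadmin"], "gidNumber": ["1002"]},
    {"dn": "cn=staff,ou=Group,dc=example,dc=org",
     "objectClass": ["posixGroup"], "cn": ["staff"], "gidNumber": ["1001"],
     "memberUid": ["chuck"]},
    {"dn": "cn=admins,ou=Group,dc=example,dc=org",
     "objectClass": ["posixGroup"], "cn": ["admins"], "gidNumber": ["1002"],
     "memberUid": []},
]

# RFC 4515: characters that must be hex-escaped inside an assertion value.
_ESCAPES = {"\\": r"\5c", "*": r"\2a", "(": r"\28", ")": r"\29", "\0": r"\00"}


def escape_filter_value(value: str) -> str:
    """Escape a value before embedding it in an LDAP search filter."""
    return "".join(_ESCAPES.get(ch, ch) for ch in value)


def user_filter(cn: str) -> str:
    # Equivalent ldapsearch call (assumed host/bind omitted):
    #   ldapsearch -x -b ou=People,dc=example,dc=org \
    #     '(&(objectClass=posixAccount)(cn=<escaped cn>))' gidNumber
    return f"(&(objectClass=posixAccount)(cn={escape_filter_value(cn)}))"


def group_filter(gid: str) -> str:
    #   ldapsearch -x -b ou=Group,dc=example,dc=org \
    #     '(&(objectClass=posixGroup)(gidNumber=<gid>))' cn
    return f"(&(objectClass=posixGroup)(gidNumber={escape_filter_value(gid)}))"


def _unescape(value: str) -> str:
    """Reverse RFC 4515 hex escapes (\\XX) in an assertion value."""
    return re.sub(r"\\([0-9a-fA-F]{2})",
                  lambda m: chr(int(m.group(1), 16)), value)


def search(base: str, flt: str):
    """Minimal stand-in for ldapsearch against DIRECTORY (an assumption of this
    example): subtree search under `base`, supporting only an AND of equality
    assertions, with case-insensitive value matching as for cn/gidNumber."""
    assertions = [
        (attr, _unescape(raw)) for attr, raw in
        re.findall(r"\(([A-Za-z]+)=((?:[^()\\]|\\[0-9a-fA-F]{2})*)\)", flt)
    ]
    hits = []
    for entry in DIRECTORY:
        if not entry["dn"].lower().endswith(base.lower()):
            continue
        if all(any(v.lower() == want.lower() for v in entry.get(attr, []))
               for attr, want in assertions):
            hits.append(entry)
    return hits


def resolve_primary_group(user_cn: str, base: str = "dc=example,dc=org"):
    """The thread's two lookups: user entry -> gidNumber -> posixGroup cn.

    Returns the group cn, or None when the user is unknown, the cn is not
    unique (cn is not guaranteed unique under ou=People), or no group
    carries that gidNumber. Note that slapo-memberof would not help here:
    the primary group is referenced by gidNumber, not by a member attribute,
    so it never appears in memberOf.
    """
    users = search(f"ou=People,{base}", user_filter(user_cn))
    if len(users) != 1:
        return None
    gid = users[0]["gidNumber"][0]
    groups = search(f"ou=Group,{base}", group_filter(gid))
    return groups[0]["cn"][0] if groups else None


if __name__ == "__main__":
    for name in ("Chuck Theobald", "Group (Admin)", "nobody"):
        print(f"{name!r} -> primary group {resolve_primary_group(name)!r}")
```

Against a real server the two `search` calls become two ldapsearch invocations (or two calls through your LDAP client library) with the same filters; keeping `escape_filter_value` in front of every value that originates from user input is what makes the first of those two lookups safe to build from a name.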
openldap-technical@openldap.org