9:30 a.m.
Is there a way to perform a single query an LDAP database such that I
can retrieve the group name (cn) from a user's full name (cn). My
structure holds user accounts in ou=People and groups in ou=Group. I
know I can ask for gidNumber from the People tree, then reference the
group in the Group tree, but with an SQL background, I would like a
single query.
Thanks,
--
Chuck Theobald
System Administrator
The Robert and Beverly Lewis Center for Neuroimaging
University of Oregon
P: 541-346-0343
F: 541-346-0345
11:59 p.m.
Chuck Theobald wrote:
Is there a way to perform a single query an LDAP database such that I
can
retrieve the group name (cn) from a user's full name (cn). My structure holds
user accounts in ou=People and groups in ou=Group. I know I can ask for
gidNumber from the People tree, then reference the group in the Group tree,
but with an SQL background, I would like a single query.
Not feasible in general. The LDAP functional model is much simpler than SQL.
Depending on the group schema used in your deployment you could configure the
server with slapo-memberof. Then slapd maintains a back-link to the group
entries from the member entry. By default it's attribute 'memberOf'
(configurable) and always contains the full DN of all group entries. This only
works if using RFC 2307bis style posixGroup entries with attribute 'member'
pointing to member entries (not 'memberUID').
If you have to provide also 'memberUID' group relation attribute to some
legacy clients you can define a hybrid groupOfNames/posixGroup object class
like described herein:
http://www.ietf.org/mail-archive/web/ldapext/current/msg02112.html
Ciao, Michael.
2:48 a.m.
On 29/04/2015 07:59, Michael Ströder wrote:
Chuck Theobald wrote:
> Is there a way to perform a single query an LDAP database such that I can
> retrieve the group name (cn) from a user's full name (cn). My structure holds
> user accounts in ou=People and groups in ou=Group. I know I can ask for
> gidNumber from the People tree, then reference the group in the Group tree,
> but with an SQL background, I would like a single query.
Not feasible in general. The LDAP functional model is much simpler than SQL.
Depending on the group schema used in your deployment you could configure the
server with slapo-memberof. Then slapd maintains a back-link to the group
entries from the member entry. By default it's attribute 'memberOf'
(configurable) and always contains the full DN of all group entries. This only
works if using RFC 2307bis style posixGroup entries with attribute 'member'
pointing to member entries (not 'memberUID').
I think what Chuck wants to do is dereference a user's primary group ID
from their gidNumber attribute to get the group name. The primary group
does not appear in the memberOf list with slapo-memberof as the user
won't be in the list of members for that group.
Only way is indeed to do two lookups: get the user's gidNumber, then the
group name associated with the gidNumber.
--
Liam Gretton liam.gretton(a)le.ac.uk
Systems Specialist http://www.le.ac.uk/its/
IT Services Tel: +44 (0)116 2522254
University Of Leicester, University Road
Leicestershire LE1 7RH, United Kingdom
3136
days inactive
3137
days old
openldap-technical@openldap.org
2 comments
3 participants
participants (3)
-
Chuck Theobald -
Liam Gretton -
Michael Ströder