
Re: Searching for Group memberships of users



Thu, 2002-09-05 at 10:29, Michael Fuller / Railnet wrote:

> I have a tricky problem. Given a user name, I need to search Openldap and
> find out that user's group membership. The intention is to use external ACLs
> in Squid 2.5 pre. Once the user logs on, I need to use his login name and
> check out the LDAP group he belongs to.

> On going through the LDAP directory, I find that the user does not have a
> group attribute, rather groups have a member attribute. If  I filter the
> search on objectclass=groupofnames, how to extract the user name from the
> member attribute and match it?

> Will someone please help me construct the appropriate search filter ?

Michael,

Dunno if this will help, but I use this kind of thing (is this what you
want? I don't know, so don't slay me) for my smtp server aliases instead
of /etc/aliases. I also use the same principle (other groups, other
filters) for local user alternative mail addresses and virtual domains.

1: Say you have a group "localmailgroup", objectClass nisMailAlias,
where the allowed attribute is rfc822MailMember (which I have).

If you want to search for members, this filter works:

ldapsearch -x '(&(objectClass=nisMailAlias)(rfc822MailMember=*))'
returns a list of mail addresses. Searching on "rfc822MailMember=fred*"
etc. doesn't work and indexing "rfc822MailMember" isn't allowed.

2: I have a group of people who can manage limited attributes of other
people, "peoplemanagers". objectClass groupOfNames, member cn=Tom
Smith,ou=people,ou=groups,dc=billy,dc=demon,dc=nl, member cn=Eva Brown,
etc.

ldapsearch -x '(&(objectClass=groupOfNames)(cn=*))' returns a list of
members' DNs, so does searching on "member" instead of "cn". However, I
can't use wildcards and search on "cn=Tom*", even though I've indexed cn
(indexing on "member" isn't possible).

I use the "peoplemanagers" list just to check for authority in the acls
- and it works.

That's all I can say, I'm afraid!

Best,


-- 

Tony Earnshaw

Tha can allway tell a Yorkshireman, but tha canna tell 'im much.

e-post:		tonni@billy.demon.nl
www:		http://www.billy.demon.nl
gpg public key:	http://www.billy.demon.nl/tonni.armor

Telefoon:	(+31) (0)172 530428
Mobiel:		(+31) (0)6 51153356

GPG Fingerprint = 3924 6BF8 A755 DE1A 4AD6 FA2B F7D7 6051 3BE7 B981
3BE7B981
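An added worked example (not from Tony's reply or Michael's question): the two-step lookup the thread is after, resolving the login name to a DN and then finding every groupOfNames whose member attribute equals that DN exactly, since Tony notes wildcards on "member" do not work. The base DN, the uid attribute and the ou layout are assumptions taken from the DNs quoted above.

```shell
#!/bin/sh
# Added example, not part of the thread. Base DN and attribute names are
# assumptions borrowed from the DNs Tony quotes in his reply.
BASE_DN='dc=billy,dc=demon,dc=nl'

# Escape a value for use inside an LDAP search filter (RFC 4515):
# backslash first, then * ( ) so a DN cannot change the filter's structure.
ldap_filter_escape() {
    printf '%s' "$1" | sed -e 's/\\/\\5c/g' -e 's/\*/\\2a/g' \
                           -e 's/(/\\28/g' -e 's/)/\\29/g'
}

# Filter matching groups that list the given DN as a member (exact match;
# a substring filter on "member" is not supported, as noted above).
group_filter() {
    printf '(&(objectClass=groupOfNames)(member=%s))' "$(ldap_filter_escape "$1")"
}

# Pull the group name (cn) out of each "dn:" line of ldapsearch -LLL output.
group_names_from_ldif() {
    sed -n 's/^dn: cn=\([^,]*\),.*/\1/p'
}

# Look up the user's DN by uid, then list the groups naming that DN.
# Requires a reachable directory; not run in the stand-alone demonstration.
user_groups() {
    user_dn=$(ldapsearch -x -LLL -b "$BASE_DN" \
        "(uid=$(ldap_filter_escape "$1"))" dn | sed -n 's/^dn: //p')
    [ -n "$user_dn" ] || return 1
    ldapsearch -x -LLL -b "$BASE_DN" "$(group_filter "$user_dn")" dn \
        | group_names_from_ldif
}

# Stand-alone demonstration (no directory needed): the filter built for the
# DN used in the peoplemanagers example.
group_filter 'cn=Tom Smith,ou=people,ou=groups,dc=billy,dc=demon,dc=nl'
echo
```

The group names that come back can be fed to the external ACL helper directly, one line per group.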

