Re: Search Filter ...

[Jonathan Clarke <jonathan@phillipoux.net>]

On 03/10/2009 01:21, Remi Ferrand wrote:
> Hi,
>
> I've the following configuration in my OpenLDAP :
>
> 1.
> dn: cn=stats.mysite.fr,ou=Group,dc=mysite,dc=fr
> 2.
> cn: stats.mysite.fr
> 3.
> objectClass: top
> 4.
> objectClass: groupOfNames
> 5.
> description: VirtualHost stats.mysite.fr
> 6.
> member: uid=user_authorized,ou=People,dc=mysite,dc=fr
> 7. member: uid=USER,ou=People,dc=mysite,dc=fr
> 8.
> 9.
> 10.
> dn: uid=USER,ou=People,dc=mysite,dc=fr
> 11.
> objectClass: top
> 12.
> objectClass: person
> 13.
> objectClass: inetOrgPerson
> 14.
> objectClass: organizationalPerson
> 15.
> objectClass: posixAccount
> 16.
> objectClass: shadowAccount
> 17.
> uid: USER
> 18.
> cn: USER P.
> 19.
> sn: USER P.
> 20.
> shadowMax: 99999
> 21.
> shadowWarning: 7
> 22.
> mail: USER@google.eu
> 23.
> loginShell: /bin/bash
> 24.
> uidNumber: 10007
> 25.
> gidNumber: 10007
> 26.
> homeDirectory: /home/ldap_users/USER
> 27.
> gecos: ,,,
>
>
>
> and I'm wondering how to create a filter to match only members of a
> given Group in order to use it with Apache2 or others ...
>
> The difficulty for me is to obtain the posixAccount object and not the
> Group one.

You can't return account objects from a search based on groups, whatever 
the filter. Not with one LDAP search, anyway.

Most LDAP clients can check whether an entry is a member of a group. 
Apache's LDAP auth[nz] module does it too, see:
http://httpd.apache.org/docs/2.2/mod/mod_authnz_ldap.html#reqgroup

Regards,
Jonathan