Re: memberOf as misuse of data model
Sent from my iPhone.
On 1 March 2012 at 18:47, Howard Chu <hyc@symas.com> wrote:
> Olivier wrote:
>> Hello Howard,
>>
>>> There are two common operations on a group: list all the members, and see if
>>> user X is a member of a group. For the first case, just retrieve the group
>>> entry and look at its member attribute. For the second case, just do a
>>> Compare on the group and test the member attribute against the user's DN.
>>
>> Ok, but:
>>
>> Let's say that I want to grant access to an application only for users of a
>> specific group: what would be the filter to use?
>
> There is no filter. You simply set a slapd ACL granting access to the group. Read the slapd.access(5) manpage, or the Admin Guide, or the FAQ.
>
>> Another way to ask that is: what is the trick to retrieve posixAccount (or
>> inetOrgPerson) objects that are members of a specific posixGroup (or
>> groupOfNames)?
>
> I don't see why any application needs to do this.
This should be very useful for mailing list software.
>> Aka : if posixgroup gogo is like this
>>
>> # gogo, group, toto.fr
>> dn: cn=gogo,ou=group,dc=toto,dc=fr
>> objectClass: posixGroup
>> gidNumber: 17000
>> cn: gogo
>> memberUid: gui
>> memberUid: lev
>>
>> What is the filter to retrieve exactly this:
>>
>> # gui, staff, people, toto.fr
>> dn: uid=gui,ou=staff,ou=people,dc=gui,dc=fr
>> cn: gui lou
>> givenName: Gui
>> homeDirectory: /home/gui
>> loginShell: /bin/tcsh
>> objectClass: top
>> objectClass: person
>> objectClass: organizationalPerson
>> objectClass: inetOrgPerson
>> objectClass: posixAccount
>> sn: Gui
>> uid: gui
>> uidNumber: 1041
>> userPassword:: e1AZE4N1k=
>> gidNumber: 18004
>>
>> # lev, staff, people, toto.fr
>> dn: uid=lev,ou=staff,ou=people,dc=toto,dc=fr
>> cn: Lev Luv
>> givenName: Lev
>> homeDirectory: /home/lev
>> loginShell: /bin/bash
>> objectClass: top
>> objectClass: person
>> objectClass: organizationalPerson
>> objectClass: inetOrgPerson
>> objectClass: posixAccount
>> sn: Lev
>> uid: lev
>> uidNumber: 1041
>> userPassword:: eFjQVNCZEZzN1k=
>> gidNumber: 18004
>>
>> 2012/1/20 Howard Chu<hyc@symas.com>:
>>> Felipe Augusto van de Wiel wrote:
>>>>
>>>> Hello,
>>>>
>>>> On 19-01-2012 15:14, Howard Chu wrote:
>>>>>
>>>>> Dunno. IMO most people using memberOf are misusing the data model
>>>>> anyway, so it's of little interest.
>>>>
>>>>
>>>> Out of curiosity (and because I do try to avoid misusing the data
>>>> model), why in your opinion memberOf represents a misuse?
>>>
>>>
>>> There are two common operations on a group: list all the members, and see if
>>> user X is a member of a group. For the first case, just retrieve the group
>>> entry and look at its member attribute. For the second case, just do a
>>> Compare on the group and test the member attribute against the user's DN.
>
> --
> -- Howard Chu
> CTO, Symas Corp. http://www.symas.com
> Director, Highland Sun http://highlandsun.com/hyc/
> Chief Architect, OpenLDAP http://www.openldap.org/project/
>
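As an added example (not code from this thread or from OpenLDAP), here is how an application such as the mailing list software mentioned above could answer Olivier's question for a posixGroup: read the group entry, then build one search filter from its memberUid values. It assumes Python and a constructed copy of the gogo entry quoted in the thread; every value is escaped per RFC 4515 so that a memberUid value can never change the structure of the filter. (A groupOfNames holds DNs in its member attribute, so this uid-based construction does not apply there; a base-scope read per DN, or the Compare that Howard describes, is the usual approach.)

```python
# Constructed copy of the posixGroup entry quoted in the thread (no userPassword needed).
GROUP_LDIF = """\
dn: cn=gogo,ou=group,dc=toto,dc=fr
objectClass: posixGroup
gidNumber: 17000
cn: gogo
memberUid: gui
memberUid: lev
"""


def parse_ldif_entry(text):
    """Minimal parser for a single LDIF entry: returns {attribute: [values]}.

    Comments and blank lines are skipped; line folding and base64 ('::')
    values are not handled, which is enough for the group entry above.
    """
    entry = {}
    for line in text.splitlines():
        if not line or line.startswith("#"):
            continue
        attr, _, value = line.partition(":")
        entry.setdefault(attr.strip(), []).append(value.strip())
    return entry


# RFC 4515 escapes: these characters would otherwise alter the filter grammar.
_FILTER_ESCAPES = {"\\": "\\5c", "*": "\\2a", "(": "\\28", ")": "\\29", "\x00": "\\00"}


def escape_filter_value(value):
    """Escape an assertion value so it is matched literally inside a filter."""
    return "".join(_FILTER_ESCAPES.get(ch, ch) for ch in value)


def members_filter(group_entry, objectclass="posixAccount"):
    """Build the filter that selects the accounts listed in the group's memberUid.

    Returns None for an empty group: an OR with no terms is not a valid filter,
    so the caller should simply not search rather than match everything.
    """
    uids = group_entry.get("memberUid", [])
    if not uids:
        return None
    terms = "".join("(uid=%s)" % escape_filter_value(u) for u in uids)
    return "(&(objectClass=%s)(|%s))" % (escape_filter_value(objectclass), terms)


def is_member(group_entry, uid):
    """Membership test done on the group entry itself, the way a Compare would."""
    return uid in group_entry.get("memberUid", [])
```

For groups with hundreds of members, split the memberUid list into several smaller OR filters so the request stays under the server's size limits.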