[Date Prev][Date Next]
[Chronological]
[Thread]
[Top]
Re: Ldap filter to get group members
On Mon, May 14, 2012 at 08:06:41PM +0530, dhanushka ranasinghe wrote:
> i have a LDAP server and its has a group called .
>
> cn=internal ou=group,dc=example,dc=com
>
> --users of this group is :
>
> uid=user1,ou=user,dc=example,dc=com
> uid=user2,ou=user,dc=example,dc=com
> i need to only to authenticate the users under cn=internal ....
I assume you mean "I only want to allow users of this group to access
some resource"
> This is what we are using
>
> (&(objectClass=groupOfNames)(memberOf=CN=internal,OU=group,DC=example,DC=com))
>
> seems like its not working ..
>
> what the LDAP search filter i need to use to get only the members of the cn=
> internal group authenticated...
I think it would be best to use several LDAP operations rather than
trying to do everything in one go. For example:
1) Search for user:
base: ou=user,dc=example,dc=com
filter: (&(objectclass=account)(uid=<username>))
If the user exists, note the DN of the entry found.
2) Authenticate user:
Bind as the user DN using the user-supplied password
If this fails, deny access.
3) Re-bind as a system user (or anon if that has enough access)
4) Check authorisation:
Search base: CN=internal,OU=group,DC=example,DC=com
Search scope: base
Filter: (member=<user DN>)
Return attributes: cn
If this returns an entry then the user is in the authorisation
group and should be allowed to use the resource. Otherwise,
deny access.
Andrew
--
-----------------------------------------------------------------------
| From Andrew Findlay, Skills 1st Ltd |
| Consultant in large-scale systems, networks, and directory services |
| http://www.skills-1st.co.uk/ +44 1628 782565 |
-----------------------------------------------------------------------