
Re: Ldap filter to get group members



dhanushka ranasinghe wrote:
Hi guys...

Thanks for the reply,

I tried many LDAP filters according to the suggestion made by Andrew, but I
was unable to get it to work. Any idea how to write such a filter?

Thank You


On 15 May 2012 03:03, Andrew Findlay <andrew.findlay@skills-1st.co.uk> wrote:

    On Mon, May 14, 2012 at 08:06:41PM +0530, dhanushka ranasinghe wrote:

     > I have an LDAP server and it has a group called:
     >
     > cn=internal,ou=group,dc=example,dc=com
     >
     > -- the users of this group are:
     >
     > uid=user1,ou=user,dc=example,dc=com
     > uid=user2,ou=user,dc=example,dc=com

     > I need to authenticate only the users under cn=internal ....

    I assume you mean "I only want to allow users of this group to access
    some resource"

     > This is what we are using
     >
     >
     > (&(objectClass=groupOfNames)(memberOf=CN=internal,OU=group,DC=example,DC=com))
     >
     > Seems like it's not working...
     >
     > What LDAP search filter do I need to use to get only the members of
     > the cn=internal group authenticated?

    I think it would be best to use several LDAP operations rather than
    trying to do everything in one go. For example:

    1)      Search for user:
                    base: ou=user,dc=example,dc=com
                    filter: (&(objectclass=account)(uid=<username>))
            If the user exists, note the DN of the entry found.

    2)      Authenticate user:
                    Bind as the user DN using the user-supplied password
            If this fails, deny access.

    3)      Re-bind as a system user (or anon if that has enough access)

    4)      Check authorisation:
                    Search base: CN=internal,OU=group,DC=example,DC=com
                    Search scope: base
                    Filter: (member=<user DN>)
                    Return attributes: cn
            If this returns an entry then the user is in the authorisation
            group and should be allowed to use the resource. Otherwise,
            deny access.

Step 4 should just be an LDAP Compare operation.


--
  -- Howard Chu
  CTO, Symas Corp.           http://www.symas.com
  Director, Highland Sun     http://highlandsun.com/hyc/
  Chief Architect, OpenLDAP  http://www.openldap.org/project/
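The four-step flow from Andrew's reply, with step 4 done as the Compare Howard recommends, as an added example that is not code from this thread. The in-memory directory, the service account cn=app,dc=example,dc=com and all passwords are constructed stand-ins; a real client exposing search, bind and compare would take the directory's place. The username is escaped per RFC 4515 before it is placed in the step-1 filter, so user input stays a literal value and cannot alter the filter's structure.

```python
import re

def escape_filter_value(value: str) -> str:
    """RFC 4515 escaping: the username becomes a literal value, never filter syntax."""
    return "".join(c if c not in "\\*()\0" else "\\%02x" % ord(c) for c in value)

class InMemoryDirectory:
    """Constructed stand-in for an LDAP connection (search / bind / compare)."""
    def __init__(self, entries):
        self.entries = entries          # dn -> {attribute: [values]}

    def search(self, base, ldap_filter):
        # This fake understands only the step-1 filter shape; it unescapes the uid value.
        m = re.fullmatch(r"\(&\(objectclass=account\)\(uid=(.+)\)\)", ldap_filter)
        wanted = re.sub(r"\\([0-9a-f]{2})", lambda h: chr(int(h.group(1), 16)), m.group(1)) if m else None
        return [dn for dn, attrs in self.entries.items()
                if dn.endswith(base) and "account" in attrs.get("objectclass", [])
                and wanted in attrs.get("uid", [])]

    def bind(self, dn, password):
        return dn in self.entries and password in self.entries[dn].get("userPassword", [])

    def compare(self, dn, attribute, value):
        return dn in self.entries and value in self.entries[dn].get(attribute, [])

USER_BASE = "ou=user,dc=example,dc=com"
GROUP_DN = "cn=internal,ou=group,dc=example,dc=com"
SYSTEM_DN, SYSTEM_PW = "cn=app,dc=example,dc=com", "app-secret"   # assumed service account

def authenticate_and_authorize(conn, username, password):
    # 1) find the user: exactly one entry must match the escaped uid
    dns = conn.search(USER_BASE, "(&(objectclass=account)(uid=%s))" % escape_filter_value(username))
    if len(dns) != 1:
        return False
    user_dn = dns[0]
    # 2) authenticate with the user-supplied password, 3) re-bind as the system account
    if not conn.bind(user_dn, password) or not conn.bind(SYSTEM_DN, SYSTEM_PW):
        return False           # fail closed on either bind
    # 4) authorisation is a single Compare on the group's member attribute
    return conn.compare(GROUP_DN, "member", user_dn)

DIRECTORY = InMemoryDirectory({         # constructed sample data matching the thread
    SYSTEM_DN: {"userPassword": [SYSTEM_PW]},
    GROUP_DN: {"member": ["uid=user1,ou=user,dc=example,dc=com", "uid=user2,ou=user,dc=example,dc=com"]},
    "uid=user1,ou=user,dc=example,dc=com": {"objectclass": ["account"], "uid": ["user1"], "userPassword": ["pw1"]},
    "uid=user3,ou=user,dc=example,dc=com": {"objectclass": ["account"], "uid": ["user3"], "userPassword": ["pw3"]},
})
```

user3 authenticates but is not a member, and user2 is listed in the group without an account entry, so both are refused; only user1 with the right password passes all four steps.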