Re: query across ou



On 29/04/2015 07:59, Michael Ströder wrote:
> Chuck Theobald wrote:
>> Is there a way to perform a single query on an LDAP database such that I can
>> retrieve the group name (cn) from a user's full name (cn)? My structure holds
>> user accounts in ou=People and groups in ou=Group. I know I can ask for
>> gidNumber from the People tree, then reference the group in the Group tree,
>> but with an SQL background, I would like a single query.
> 
> Not feasible in general. The LDAP functional model is much simpler than SQL.
> 
> Depending on the group schema used in your deployment you could configure the 
> server with slapo-memberof. Then slapd maintains a back-link to the group 
> entries from the member entry. By default it's attribute 'memberOf' 
> (configurable) and always contains the full DN of all group entries. This only 
> works if using RFC 2307bis style posixGroup entries with attribute 'member' 
> pointing to member entries (not 'memberUID').

I think what Chuck wants to do is dereference a user's primary group ID
from their gidNumber attribute to get the group name. The primary group
does not appear in the memberOf list with slapo-memberof as the user
won't be in the list of members for that group.

Only way is indeed to do two lookups: get the user's gidNumber, then the
group name associated with the gidNumber.

-- 
Liam Gretton                                    liam.gretton@le.ac.uk
Systems Specialist                           http://www.le.ac.uk/its/
IT Services                                   Tel: +44 (0)116 2522254
University Of Leicester, University Road
Leicestershire LE1 7RH, United Kingdom
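
The two lookups described above, written as a shell function around the OpenLDAP `ldapsearch` client. This is an added example, not part of the original message; the base DNs and the `posixAccount`/`posixGroup` object classes are assumptions about the deployment, and the full name is escaped per RFC 4515 before it goes into the filter.

```shell
#!/bin/sh
# Added example: resolve a user's primary group name with two searches.
# Base DNs below are assumed values; the server URI comes from ldap.conf.
PEOPLE_BASE="${PEOPLE_BASE:-ou=People,dc=example,dc=com}"
GROUP_BASE="${GROUP_BASE:-ou=Group,dc=example,dc=com}"

# Escape RFC 4515 special characters so a full name cannot change the filter.
ldap_escape() {
    printf '%s' "$1" |
        sed -e 's/\\/\\5c/g' -e 's/\*/\\2a/g' -e 's/(/\\28/g' -e 's/)/\\29/g'
}

# Print the values of one attribute from LDIF on stdin.
# Only plain "attr: value" lines are handled, not base64 "attr:: value".
ldif_values() {
    sed -n "s/^$1: //p"
}

primary_group_name() {
    name=$(ldap_escape "$1")
    # Lookup 1: full name -> gidNumber in the People tree.
    gids=$(ldapsearch -x -LLL -o ldif-wrap=no -b "$PEOPLE_BASE" \
        "(&(objectClass=posixAccount)(cn=$name))" gidNumber |
        ldif_values gidNumber)
    [ -n "$gids" ] || { echo "no user with cn=$1" >&2; return 1; }
    # cn is not unique: refuse to guess when several accounts share a name.
    [ "$(printf '%s\n' "$gids" | grep -c '')" -eq 1 ] ||
        { echo "cn=$1 matches more than one account" >&2; return 2; }
    # The value comes from the directory; accept digits only before reuse.
    case $gids in
        *[!0-9]*) echo "unexpected gidNumber value" >&2; return 3 ;;
    esac
    # Lookup 2: gidNumber -> group cn in the Group tree.
    group=$(ldapsearch -x -LLL -o ldif-wrap=no -b "$GROUP_BASE" \
        "(&(objectClass=posixGroup)(gidNumber=$gids))" cn |
        ldif_values cn)
    [ -n "$group" ] || { echo "no group with gidNumber=$gids" >&2; return 4; }
    printf '%s\n' "$group"
}
```

Call it as `primary_group_name "Jane Doe"`; the exit status distinguishes a missing user (1), an ambiguous name (2), and a gidNumber with no matching group (4).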