Re: Search only few subtrees under baseDN
- To: Philip Guenther <pguenther@proofpoint.com>
- Subject: Re: Search only few subtrees under baseDN
- From: Ervin Hegedüs <airween@gmail.com>
- Date: Thu, 10 May 2018 22:44:54 +0200
- Cc: openldap-technical@openldap.org
- In-reply-to: <alpine.BSO.2.21.1805100908530.50228@morgaine.local>
- References: <20180509110005.GA23312@arxnet.hu> <20180510160248.GA6878@arxnet.hu> <alpine.BSO.2.21.1805100908530.50228@morgaine.local>
- User-agent: Mutt/1.5.24 (2015-08-30)
Hi Philip,
thanks for the reply,
On Thu, May 10, 2018 at 09:12:18AM -0700, Philip Guenther wrote:
> On Thu, 10 May 2018, Ervin Hegedüs wrote:
> > On Wed, May 09, 2018 at 01:00:05PM +0200, Ervin Hegedüs wrote:
> > > Is there any way to set up one or more ACL's, where admin1 user
> > > can set up the dc=sub-company21,dc=company2,dc=hu as baseDN, and
> > > can start to search from there, but he will see the entries only
> > > from ou=orgunit1 and ou=orgunit2?
> >
> > if there isn't any solution with ACL, can I make it some other
> > way? I mean, back_meta, rewrite, or other overlay solutions...?
>
> An LDAP filter can test the components of an entry's DN with a clause such
> as:
> (|(ou:dn:=orgunit1)(ou:dn:=orgunit2))
>
> Note the ":dn" syntax there.
thanks - it doesn't work.
ldapsearch -H ldaps://ldap:636 -b "dc=sub-company21,dc=company,dc=hu" -D "cn=admin,dc=hu" -W "(ou:dn:=orgunit1)"
works, and the result is reduced to OU=orgunit1,dc=sub-.... only,
so the syntax (and idea :)) is right.
ldapsearch -H ldaps://ldap:636 -b "ou=orgunit1,dc=sub-company21,dc=company2,dc=hu" -D "uid=adminuser1,ou=Users,ou=_srv,dc=sub-company21,dc=company2,dc=hu" -W "(ou:dn:=orgunit1)"
also works, but the baseDN starts with "ou=orgunit1", which is
exactly what is set up in the ACL.
finally,
ldapsearch -H ldaps://ldap:636 -b "dc=sub-company21,dc=company2,dc=hu" -D "uid=adminuser1,ou=Users,ou=_srv,dc=sub-company21,dc=company2,dc=hu" -W "(ou:dn:=orgunit1)"
where the baseDN is the parent of the allowed OUs and the filter
contains the allowed OU(s), it doesn't work.
Note that even if it worked, I'm not sure it would be usable,
because in most LDAP GUIs the connection settings don't contain
any filter option, only the baseDN that you can set up.
> Perhaps an ACL using an LDAP filter containing something like that would
> be part of a solution.
could you show me an example?
Thanks for your help,
a.
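Below is an added example of the kind of ACL Philip is alluding to; it is not from the thread and not OpenLDAP project code. It is cn=config LDIF for the database holding dc=sub-company21,dc=company2,dc=hu, written with the DNs used in the thread. The database DN olcDatabase={1}mdb,cn=config and the assumption that the existing rule {0} is the usual userPassword rule are both assumptions to check against your own configuration. Two points the example makes explicit: slapd only performs a search whose base entry the bound identity has search access to (the `entry` pseudo-attribute), which is a common reason a search from the parent baseDN fails even when the subtree ACL is right; and because a filtered `to` clause simply does not match non-matching entries, a later broad rule would let the user through, so the example closes with an explicit deny for that user.

```ldif
# Added example, not from the thread. Database DN and rule indices are
# assumptions: list yours with
#   ldapsearch -Y EXTERNAL -H ldapi:/// -b cn=config "(olcSuffix=*)" dn olcSuffix
#   ldapsearch -Y EXTERNAL -H ldapi:/// -b "olcDatabase={1}mdb,cn=config" olcAccess
# Rule {0} is assumed to be the existing userPassword rule, so these
# rules are inserted after it; adjust the indices to your list.
dn: olcDatabase={1}mdb,cn=config
changetype: modify
add: olcAccess
# {1}: let adminuser1 use the parent as search base. Without search access
# to the base entry's "entry" pseudo-attribute slapd does not even start
# the search. Nothing else about the base entry is disclosed.
olcAccess: {1}to dn.exact="dc=sub-company21,dc=company2,dc=hu" attrs=entry
  by dn.exact="uid=adminuser1,ou=Users,ou=_srv,dc=sub-company21,dc=company2,dc=hu" search
  by * break
# {2}: inside the subtree, only entries whose DN (or ou attribute) carries
# orgunit1 or orgunit2 are readable by adminuser1. The filter is evaluated
# per candidate entry, so other OUs are neither returned nor disclosed.
olcAccess: {2}to dn.subtree="dc=sub-company21,dc=company2,dc=hu"
  filter="(|(ou:dn:=orgunit1)(ou:dn:=orgunit2))"
  by dn.exact="uid=adminuser1,ou=Users,ou=_srv,dc=sub-company21,dc=company2,dc=hu" read
  by * break
# {3}: explicit deny. Entries that did not match the filter in {2} fall
# through to later rules, and a common trailing "by * read" would expose
# them; stop adminuser1 here and let every other identity continue.
olcAccess: {3}to dn.subtree="dc=sub-company21,dc=company2,dc=hu"
  by dn.exact="uid=adminuser1,ou=Users,ou=_srv,dc=sub-company21,dc=company2,dc=hu" none
  by * break
```

Apply it with `ldapmodify -Y EXTERNAL -H ldapi:/// -f` and then repeat the third ldapsearch from the thread (base dc=sub-company21,..., bound as adminuser1, with or without the `(ou:dn:=orgunit1)` filter): only entries under ou=orgunit1 and ou=orgunit2 should come back, and the base entry itself should not be listed. One caveat on the `:dn:` form: the dnAttributes match also fires on an entry that merely has `ou: orgunit1` as an attribute value while living somewhere else under the base. If that is not wanted, replace rule {2} with two plain `to dn.subtree="ou=orgunit1,..."` and `to dn.subtree="ou=orgunit2,..."` rules, which restrict by position in the tree only; rules {1} and {3} stay the same.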