On 4.9.2014 14:28, Martin Kosek wrote:
Actually, FreeIPA & bind-dyndb-ldap use the idnszoneactive attribute (TRUE/FALSE) to
define which zones are active and which are not.

Martin is right, I will add a couple more details about this:
The idnszoneactive attribute should work in bind-dyndb-ldap < 4.0.

Versions >= 4.0 do not support it yet. This deficiency is tracked in https://fedorahosted.org/bind-dyndb-ldap/ticket/127

You have a couple of options as a workaround:
1) Use an older version of bind-dyndb-ldap :-)

2) Use an LDAP transformation on the server side so the server doesn't return objects from the sub-tree with idnszoneactive attribute = FALSE.

3) Try some ACI magic on the server side so it will not return objects from the given sub-tree if idnszoneactive = FALSE. (This seems to be the easiest option to me.)

Have a nice day!

Petr^2 Spacek
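As an added illustration of option 3 (this is not from the thread or from the bind-dyndb-ldap project), a 389-ds/FreeIPA-style ACI in LDIF form that hides zone entries flagged idnsZoneActive=FALSE from the account bind-dyndb-ldap binds as, while leaving them visible to administrators. The base DN dc=example,dc=com and the uid=dns-reader system account are placeholders, and it is assumed that hiding the zone entry itself is enough for bind-dyndb-ldap not to load that zone.

```ldif
# Added example, not the project's own configuration.
# Placeholders: dc=example,dc=com (suffix), uid=dns-reader (DNS bind account).
# The deny is scoped to the DNS reader DN only, so admin accounts still see
# inactive zones and can flip idnsZoneActive back to TRUE later.
dn: cn=dns,dc=example,dc=com
changetype: modify
add: aci
aci: (targetfilter="(idnsZoneActive=FALSE)")(version 3.0; acl "Hide inactive DNS zones from the DNS reader account"; deny (read,search,compare) userdn="ldap:///uid=dns-reader,cn=sysaccounts,cn=etc,dc=example,dc=com";)
```

After applying it with ldapmodify, verify with an ldapsearch bound as the DNS reader account that zones with idnsZoneActive=FALSE no longer appear, and with an admin bind that they still do.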

On 09/04/2014 02:23 PM, Chris Whittle wrote:
Look at nsaccountlock if it's TRUE then they are disabled.

On Thu, Sep 4, 2014 at 7:20 AM, Sebastian Leitz <sebastian.le...@etes.de>

I am trying to use bind-dyndb-ldap to connect my BIND to an LDAP server
for zones. I have a tiny question regarding this and both the project
website and the kind people on #freeipa IRC directed me to this list. I
hope someone is here who can answer my question. Sorry for intruding if I'm
not asking in the correct place.

For technical reasons we need to be able to filter zones in LDAP according
to some flags, e.g. 'enabled'.
Other services usually provide a config option to include LDAP search
filters in every query, like

ldap_search_filter = (enabled=1)

Unfortunately, I can't find anything like this in the README file of
bind-dyndb-ldap. Does anybody know of a way to pass a search filter to LDAP?

Thanks in advance,

