Hello Howard,

> There are two common operations on a group: list all the members, and see if
> user X is a member of a group. For the first case, just retrieve the group
> entry and look at its member attribute. For the second case, just do a
> Compare on the group and test the member attribute against the user's DN.

Ok, but: Let's say that I want to grant access to an application only for users of a specific group: what would be the filter to use?

Another way to ask that is: what is the trick to retrieve posixAccount (or inetOrgPerson) objects that are members of a specific posixgroup (or groupofnames)?

Aka: if posixgroup gogo is like this

# gogo, group, toto.fr
dn: cn=gogo,ou=group,dc=toto,dc=fr
objectClass: posixGroup
gidNumber: 17000
cn: gogo
memberUid: gui
memberUid: lev

What is the filter to retrieve exactly this:

# gui, staff, people, toto.fr
dn: uid=gui,ou=staff,ou=people,dc=gui,dc=fr
cn: gui lou
givenName: Gui
homeDirectory: /home/gui
loginShell: /bin/tcsh
objectClass: top
objectClass: person
objectClass: organizationalPerson
objectClass: inetOrgPerson
objectClass: posixAccount
sn: Gui
uid: gui
uidNumber: 1041
userPassword:: e1AZE4N1k=
gidNumber: 18004

# lev, staff, people, toto.fr
dn: uid=lev,ou=staff,ou=people,dc=toto,dc=fr
cn: Lev Luv
givenName: Lev
homeDirectory: /home/lev
loginShell: /bin/bash
objectClass: top
objectClass: person
objectClass: organizationalPerson
objectClass: inetOrgPerson
objectClass: posixAccount
sn: Lev
uid: lev
uidNumber: 1041
userPassword:: eFjQVNCZEZzN1k=
gidNumber: 18004

2012/1/20 Howard Chu <[email protected]>:
> Felipe Augusto van de Wiel wrote:
>>
>> -----BEGIN PGP SIGNED MESSAGE-----
>> Hash: SHA512
>>
>> Hello,
>>
>> On 19-01-2012 15:14, Howard Chu wrote:
>>>
>>> Dunno. IMO most people using memberOf are misusing the data model
>>> anyway, so it's of little interest.
>>
>>
>> Out of curiosity (and because I do try to avoid misusing the data
>> model), why in your opinion memberOf represents a misuse?
>
>
> There are two common operations on a group: list all the members, and see if
> user X is a member of a group. For the first case, just retrieve the group
> entry and look at its member attribute. For the second case, just do a
> Compare on the group and test the member attribute against the user's DN.
>>
>>
>> Kind regards,
>> - --
>> Felipe Augusto van de Wiel<[email protected]>
>> Tecnologia da Informação (TI) - Complexo Pequeno Príncipe
>> http://www.pequenoprincipe.org.br/ T: +55 41 3310 1747
>>
>>
>
>
> --
> -- Howard Chu
> CTO, Symas Corp. http://www.symas.com
> Director, Highland Sun http://highlandsun.com/hyc/
> Chief Architect, OpenLDAP http://www.openldap.org/project/
>
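
The group-first lookup that the quoted reply describes, applied to the posixGroup from the question, as an added example that is not part of the original thread: read memberUid from the group entry, then build an RFC 4515-escaped search filter for the account entries. The dictionary is constructed data standing in for a directory read, and `escape_filter_value`, `members_filter` and `is_member` are hypothetical helper names.

```python
# Added example. GROUP is constructed data mirroring the posixGroup entry
# quoted in the message; in practice it would come from a base-scope search
# on the group's DN.
GROUP = {
    "dn": "cn=gogo,ou=group,dc=toto,dc=fr",
    "objectClass": ["posixGroup"],
    "memberUid": ["gui", "lev"],
}


def escape_filter_value(value: str) -> str:
    """Escape a value for use inside an LDAP search filter (RFC 4515)."""
    out = []
    for ch in value:
        if ch in "\\*()\x00":
            # Special characters become a backslash plus two hex digits.
            out.append("\\%02x" % ord(ch))
        else:
            out.append(ch)
    return "".join(out)


def members_filter(group: dict, object_class: str = "posixAccount") -> str:
    """Build the filter matching the account entries named by memberUid."""
    uids = group.get("memberUid", [])
    if not uids:
        # An OR with no terms is not a valid filter; match nothing instead.
        return "(!(objectClass=*))"
    terms = "".join("(uid=%s)" % escape_filter_value(u) for u in uids)
    return "(&(objectClass=%s)(|%s))" % (escape_filter_value(object_class), terms)


def is_member(group: dict, uid: str) -> bool:
    """Local stand-in for an LDAP Compare of memberUid against one uid.

    The comparison is exact, so 'Gui' is not treated as 'gui'.
    """
    return uid in group.get("memberUid", [])


if __name__ == "__main__":
    print(members_filter(GROUP))
    print(is_member(GROUP, "gui"), is_member(GROUP, "mallory"))
```

For an application access decision, the membership test on the group entry is enough; the filter is only needed when the account entries themselves have to be returned.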
