Sent from my iPhone.

On 1 March 2012 at 18:47, Howard Chu <[email protected]> wrote:

> Olivier wrote:
>> Hello Howard,
>>
>>> There are two common operations on a group: list all the members, and see if
>>> user X is a member of a group. For the first case, just retrieve the group
>>> entry and look at its member attribute. For the second case, just do a
>>> Compare on the group and test the member attribute against the user's DN.
>>
>> Ok, but:
>>
>> Let's say that I want to grant access to an application only for users of a
>> specific group: what would be the filter to use?
>
> There is no filter. You simply set a slapd ACL granting access to the group.
> Read the slapd.access(5) manpage, or the Admin Guide, or the FAQ.
>
>> Another way to ask that is: what is the trick to retrieve posixAccount (or
>> inetOrgPerson) objects that are members of a specific posixgroup (or
>> groupofnames)?
>
> I don't see why any application needs to do this.

This should be very useful for a mailing list software

>> Aka: if posixgroup gogo is like this
>>
>> # gogo, group, toto.fr
>> dn: cn=gogo,ou=group,dc=toto,dc=fr
>> objectClass: posixGroup
>> gidNumber: 17000
>> cn: gogo
>> memberUid: gui
>> memberUid: lev
>>
>> What is the filter to retrieve exactly this:
>>
>> # gui, staff, people, toto.fr
>> dn: uid=gui,ou=staff,ou=people,dc=gui,dc=fr
>> cn: gui lou
>> givenName: Gui
>> homeDirectory: /home/gui
>> loginShell: /bin/tcsh
>> objectClass: top
>> objectClass: person
>> objectClass: organizationalPerson
>> objectClass: inetOrgPerson
>> objectClass: posixAccount
>> sn: Gui
>> uid: gui
>> uidNumber: 1041
>> userPassword:: e1AZE4N1k=
>> gidNumber: 18004
>>
>> # lev, staff, people, toto.fr
>> dn: uid=lev,ou=staff,ou=people,dc=toto,dc=fr
>> cn:Lev Luv
>> givenName: Lev
>> homeDirectory: /home/lev
>> loginShell: /bin/bash
>> objectClass: top
>> objectClass: person
>> objectClass: organizationalPerson
>> objectClass: inetOrgPerson
>> objectClass: posixAccount
>> sn: Lev
>> uid: lev
>> uidNumber: 1041
>> userPassword:: eFjQVNCZEZzN1k=
>> gidNumber: 18004
>>
>> 2012/1/20 Howard Chu<[email protected]>:
>>> Felipe Augusto van de Wiel wrote:
>>>>
>>>> -----BEGIN PGP SIGNED MESSAGE-----
>>>> Hash: SHA512
>>>>
>>>> Hello,
>>>>
>>>> On 19-01-2012 15:14, Howard Chu wrote:
>>>>>
>>>>> Dunno. IMO most people using memberOf are misusing the data model
>>>>> anyway, so it's of little interest.
>>>>
>>>> Out of curiosity (and because I do try to avoid misusing the data
>>>> model), why in your opinion memberOf represents a misuse?
>>>
>>> There are two common operations on a group: list all the members, and see if
>>> user X is a member of a group. For the first case, just retrieve the group
>>> entry and look at its member attribute. For the second case, just do a
>>> Compare on the group and test the member attribute against the user's DN.
>
> --
> -- Howard Chu
> CTO, Symas Corp. http://www.symas.com
> Director, Highland Sun http://highlandsun.com/hyc/
> Chief Architect, OpenLDAP http://www.openldap.org/project/
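
The two-step lookup asked about in this thread (read the group's memberUid values, then search for the matching posixAccount entries), as an added example that is not from any poster in the thread. The helper names and the third memberUid value are constructed; values are escaped per RFC 4515 so that a memberUid cannot change the structure of the filter.

```python
from typing import List, Optional

# Constructed sample: the gogo group from the thread plus one hostile-looking
# memberUid value (added here) to show why escaping matters.
GROUP_LDIF = """\
dn: cn=gogo,ou=group,dc=toto,dc=fr
objectClass: posixGroup
gidNumber: 17000
cn: gogo
memberUid: gui
memberUid: lev
memberUid: a*)(uid=*
"""

# Characters that must be escaped in a filter assertion value (RFC 4515).
_FILTER_SPECIALS = {"\\": "\\5c", "*": "\\2a", "(": "\\28", ")": "\\29", "\x00": "\\00"}


def escape_filter_value(value: str) -> str:
    """Escape a string so it is treated as data inside an LDAP search filter."""
    return "".join(_FILTER_SPECIALS.get(ch, ch) for ch in value)


def member_uids(ldif: str) -> List[str]:
    """Collect plain memberUid values from a single-entry LDIF.

    Base64 values ("memberUid:: ...") and folded lines are skipped; this
    helper only handles the simple form shown in the thread.
    """
    uids = []
    for line in ldif.splitlines():
        name, sep, value = line.partition(":")
        if sep and name.strip().lower() == "memberuid" and not value.startswith(":"):
            uids.append(value.strip())
    return uids


def members_filter(uids: List[str]) -> Optional[str]:
    """Build the second-step filter: posixAccount entries whose uid is a member."""
    if not uids:
        return None  # empty group: run no search instead of a match-all filter
    terms = "".join("(uid=%s)" % escape_filter_value(u) for u in uids)
    return "(&(objectClass=posixAccount)(|%s))" % terms


if __name__ == "__main__":
    print(members_filter(member_uids(GROUP_LDIF)))
```
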
