On 29/04/2015 07:59, Michael Ströder wrote:
> Chuck Theobald wrote:
>> Is there a way to perform a single query an LDAP database such that I can
>> retrieve the group name (cn) from a user's full name (cn). My structure holds
>> user accounts in ou=People and groups in ou=Group. I know I can ask for
>> gidNumber from the People tree, then reference the group in the Group tree,
>> but with an SQL background, I would like a single query.
>
> Not feasible in general. The LDAP functional model is much simpler than SQL.
>
> Depending on the group schema used in your deployment you could configure the
> server with slapo-memberof. Then slapd maintains a back-link to the group
> entries from the member entry. By default it's attribute 'memberOf'
> (configurable) and always contains the full DN of all group entries. This only
> works if using RFC 2307bis style posixGroup entries with attribute 'member'
> pointing to member entries (not 'memberUID').

I think what Chuck wants to do is dereference a user's primary group ID from
their gidNumber attribute to get the group name. The primary group does not
appear in the memberOf list with slapo-memberof as the user won't be in the
list of members for that group.

Only way is indeed to do two lookups: get the user's gidNumber, then the group
name associated with the gidNumber.

-- 
Liam Gretton                                 [email protected]
Systems Specialist                           http://www.le.ac.uk/its/
IT Services                                  Tel: +44 (0)116 2522254
University Of Leicester, University Road
Leicestershire LE1 7RH, United Kingdom
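
The two lookups described in the reply above, as an added example that is not part of the original thread. The base DNs under dc=example,dc=org, the `search(base, filter, attrs)` callable (a hypothetical wrapper around whatever LDAP client is in use) and the sample directory are assumptions; the full name is escaped per RFC 4515 so that a name containing `(`, `)` or `*` cannot change the filter.

```python
import re

def escape_filter_value(value):
    # RFC 4515: escape \ * ( ) and NUL so the value cannot change the filter.
    return re.sub(r'[\\*()\x00]', lambda m: '\\%02x' % ord(m.group()), value)

def primary_group_name(search, full_name,
                       people_base="ou=People,dc=example,dc=org",
                       group_base="ou=Group,dc=example,dc=org"):
    # Lookup 1: the user's gidNumber, found by full name (cn) under ou=People.
    users = search(people_base, "(&(objectClass=posixAccount)(cn=%s))"
                   % escape_filter_value(full_name), ["gidNumber"])
    if len(users) != 1:
        return None  # unknown or ambiguous full name
    gid = users[0]["gidNumber"][0]
    # Lookup 2: the posixGroup under ou=Group carrying that gidNumber.
    groups = search(group_base, "(&(objectClass=posixGroup)(gidNumber=%s))"
                    % escape_filter_value(gid), ["cn"])
    return groups[0]["cn"][0] if groups else None

# Constructed sample directory (not real data).
DIRECTORY = {
    "uid=jdoe,ou=People,dc=example,dc=org": {
        "objectClass": ["posixAccount"], "cn": ["Jane Doe (Staff)"],
        "gidNumber": ["5001"]},
    "cn=staff,ou=Group,dc=example,dc=org": {
        "objectClass": ["posixGroup"], "cn": ["staff"], "gidNumber": ["5001"]},
    "cn=wheel,ou=Group,dc=example,dc=org": {
        "objectClass": ["posixGroup"], "cn": ["wheel"], "gidNumber": ["10"]},
}

def fake_search(base, flt, attrs):
    # Stand-in for an LDAP client: handles only (&(a=b)(c=d)) equality filters.
    terms = re.findall(r'\((\w+)=((?:[^()\\]|\\[0-9a-fA-F]{2})*)\)', flt)
    unesc = lambda v: re.sub(r'\\([0-9a-fA-F]{2})',
                             lambda m: chr(int(m.group(1), 16)), v)
    return [{a: e[a] for a in attrs} for dn, e in DIRECTORY.items()
            if dn.endswith(base)
            and all(unesc(v) in e.get(a, []) for a, v in terms)]

if __name__ == "__main__":
    print(primary_group_name(fake_search, "Jane Doe (Staff)"))
```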
