Okay Guys! I have solved this problem in the way below.
*I created a simple Python 2.7 script that stores each user's posixGroup associations in their pgMemberOf (memberOf) attribute. The purpose is to enable search filters like below...*

MODEL

    ldapsearch -x -H 'ldap://127.0.0.1:389' -b 'ou=persons,dc=domain,dc=abc,dc=de' \
        -D 'cn=admin,dc=domain,dc=abc,dc=de' \
        -w 'mySecretValue' \
        '(&(pgMemberOf=cn=certaingroup,ou=groups,dc=domain,dc=abc,dc=de)(uid=certainuid))'

EXAMPLE

    ldapsearch -x -H '<OPENLDAP_URI>' -b '<PERSONS_OU>,<BASE_DN>' \
        -D '<ADM_USER_DN>' \
        -w '<ADM_USER_PASSWORD>' \
        '(&(pgMemberOf=cn=<PSX_GROUP_CN>,<GROUPS_OU>,<BASE_DN>)(uid=<PERSON_UID>))'

This script is useful for cases where we already have an OpenLDAP installed and we want to make filters available for Posix Groups that already exist in a very simple way and without creating new types of groups. Also useful when unable to install overlays or when this process is too laborious or risky.

*The project is in this repository:* https://github.com/eduardolucioac/psx-grp-flt

*Thanks! =D*

On Tue, Aug 3, 2021 at 13:34, Benjamin Renard <[email protected]> wrote:

> On 03/08/2021 at 17:52, Quanah Gibson-Mount wrote:
> >
> > --On Tuesday, August 3, 2021 4:42 PM +0200 Benjamin Renard
> > <[email protected]> wrote:
> >
> >> Hello,
> >>
> >> On 30/07/2021 at 18:37, Quanah Gibson-Mount wrote:
> >>> You want OpenLDAP 2.5's version of dynlist.
> >> Just to be sure, could you please summarize for me the benefits of using
> >> OpenLDAP 2.5's version of the dynlist overlay? Is it now possible to use
> >> "memberOf" (like) attributes in a filtering clause?
> >
> > You could just read the 2.5 man page.
> >
> > <https://www.openldap.org/software/man.cgi?query=slapo-dynlist&apropos=0&sektion=0&manpath=OpenLDAP+2.5-Release&arch=default&format=html>
>
> I tried, but it's quite difficult to extract the new features :)
> Moreover, the new configuration syntax of the dynlist-attrset directive
> is quite complicated to learn and interpret. I have a presentiment that
> it's really powerful, but it will take some tests to understand the
> subtleties and all the possibilities that this offers.
>
> > But yes, you can use the dynamically generated memberOf in ldap filters.
> >
> > You may also want to look at the dynlist test script, from line 749 on.
> >
> > <https://git.openldap.org/openldap/openldap/-/blob/OPENLDAP_REL_ENG_2_5/tests/scripts/test044-dynlist#L749>
>
> I see, and it's a great addition!
>
> Thank you,
>
> --
> Benjamin Renard - Easter-eggs
> 44-46 rue de l'Ouest - 75014 Paris - France - Métro Gaité
> Phone: +33 (0) 1 43 35 00 37 - Fax: +33 (0) 1 43 35 00 76
> mailto:[email protected] - http://www.easter-eggs.com

--
*Eduardo Lúcio*
Technology, Development and Free Software
LightBase Consultoria em Software Público
[email protected]
*+55-61-3347-1949* - http://brlight.org - *Brazil-DF*
*Free software! Embrace this idea!*
*"Those who deny freedom to others deserve it not for themselves."*
*Abraham Lincoln*
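
An added example, not part of the original message and not the psx-grp-flt project's code: Python 3 that derives each person's pgMemberOf values from posixGroup memberUid lists, emits LDIF modify records for them, and builds the search filter from the message with RFC 4515 escaping of the values. The entry DNs, the function names, and the assumption that membership comes only from memberUid are constructed for illustration.

```python
# Added illustration (Python 3); not the psx-grp-flt code.
# All entries below are constructed sample data.
BASE = 'dc=domain,dc=abc,dc=de'
GROUPS = {  # posixGroup DN -> memberUid values (assumed sole membership source)
    'cn=certaingroup,ou=groups,' + BASE: ['certainuid', 'otheruid'],
    'cn=admins,ou=groups,' + BASE: ['certainuid'],
}
PERSONS = {  # person DN -> uid
    'uid=certainuid,ou=persons,' + BASE: 'certainuid',
    'uid=otheruid,ou=persons,' + BASE: 'otheruid',
    'uid=nogroup,ou=persons,' + BASE: 'nogroup',
}

def escape_filter_value(value):
    """Escape backslash, '*', '(', ')' and NUL as \\XX hex (RFC 4515)."""
    return ''.join('\\%02x' % ord(c) if c in '\\*()\x00' else c
                   for c in value)

def build_filter(group_dn, uid):
    """The (&(pgMemberOf=...)(uid=...)) filter, with both values escaped."""
    return '(&(pgMemberOf=%s)(uid=%s))' % (
        escape_filter_value(group_dn), escape_filter_value(uid))

def member_of_map(groups, persons):
    """Return {person_dn: sorted group DNs whose memberUid lists that uid}."""
    by_uid = {}
    for group_dn, member_uids in groups.items():
        for uid in member_uids:
            by_uid.setdefault(uid, set()).add(group_dn)
    return {dn: sorted(by_uid.get(uid, ())) for dn, uid in persons.items()}

def to_ldif(membership):
    """LDIF modify records; 'replace' with no values clears stale entries."""
    records = []
    for person_dn in sorted(membership):
        lines = ['dn: ' + person_dn, 'changetype: modify',
                 'replace: pgMemberOf']
        lines += ['pgMemberOf: ' + g for g in membership[person_dn]]
        lines.append('-')
        records.append('\n'.join(lines))
    return '\n\n'.join(records) + '\n'

if __name__ == '__main__':
    print(to_ldif(member_of_map(GROUPS, PERSONS)))
    print(build_filter('cn=certaingroup,ou=groups,' + BASE, 'certainuid'))
```

The LDIF can be applied with ldapmodify; binding with -W (prompt) or -y (password file) instead of -w keeps the bind password out of the process list and shell history.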
