[Freeipa-users] Filters in bind-dyndb-ldap
Hello,

I am trying to use bind-dyndb-ldap to connect my BIND to an LDAP server for zones. I have a tiny question regarding this and both the project website and the kind people on #freeipa IRC directed me to this list. I hope someone is here who can answer my question. Sorry for intruding if I'm not asking in the correct place.

For technical reasons we need to be able to filter zones in LDAP according to some flags, e.g. 'enabled'. Other services usually provide a config option to include LDAP search filters in every query, like

    ldap_search_filter = (enabled=1)

Unfortunately, I can't find anything like this in the README file of bind-dyndb-ldap. Does anybody know of a way to pass a search filter to LDAP?

Thanks in advance,
Sebastian

--
Sebastian Leitz  Mail: sebastian.le...@etes.de
ETES GmbH  Phone: +49 (7 11) 48 90 83 - 14
Gablenberger Hauptstrasse 32  Fax: +49 (7 11) 48 90 83 - 50
D-70186 Stuttgart  Web: http://www.etes.de/
Register court: Amtsgericht Stuttgart HRB 721182
Managing partner: Markus Espenhain
Registered office: Stuttgart
VAT ID no.: DE814767446

--
Manage your subscription for the Freeipa-users mailing list: https://www.redhat.com/mailman/listinfo/freeipa-users
Go To http://freeipa.org for more info on the project
Re: [Freeipa-users] Filters in bind-dyndb-ldap
Look at nsaccountlock; if it's TRUE then they are disabled.

On Thu, Sep 4, 2014 at 7:20 AM, Sebastian Leitz sebastian.le...@etes.de wrote:
> Hello,
>
> I am trying to use bind-dyndb-ldap to connect my BIND to an LDAP server for zones. I have a tiny question regarding this and both the project website and the kind people on #freeipa IRC directed me to this list. I hope someone is here who can answer my question. Sorry for intruding if I'm not asking in the correct place.
>
> For technical reasons we need to be able to filter zones in LDAP according to some flags, e.g. 'enabled'. Other services usually provide a config option to include LDAP search filters in every query, like
>
>     ldap_search_filter = (enabled=1)
>
> Unfortunately, I can't find anything like this in the README file of bind-dyndb-ldap. Does anybody know of a way to pass a search filter to LDAP?
>
> Thanks in advance,
> Sebastian
Re: [Freeipa-users] Filters in bind-dyndb-ldap
Actually, FreeIPA/bind-dyndb-ldap use the idnszoneactive attribute (TRUE/FALSE) to define which zones are active and which are not.

On 09/04/2014 02:23 PM, Chris Whittle wrote:
> Look at nsaccountlock; if it's TRUE then they are disabled.
Re: [Freeipa-users] Filters in bind-dyndb-ldap
On 4.9.2014 14:28, Martin Kosek wrote:
> Actually, FreeIPA/bind-dyndb-ldap use the idnszoneactive attribute (TRUE/FALSE) to define which zones are active and which are not.

Martin is right, I will add a couple more details about this:

The idnszoneactive attribute should work in bind-dyndb-ldap < 4.0. Versions >= 4.0 do not support it yet. This deficiency is tracked in https://fedorahosted.org/bind-dyndb-ldap/ticket/127

You have a couple of options as a workaround:

1) Use an older version of bind-dyndb-ldap :-)
2) Use LDAP transformation on the server side so the server doesn't return objects from a sub-tree with idnszoneactive attribute = FALSE.
3) Try some ACI magic on the server side so it will not return objects from a given sub-tree if idnszoneactive = FALSE. (This seems to be the easiest option to me.)

Have a nice day!

Petr^2 Spacek
Re: [Freeipa-users] Filters in bind-dyndb-ldap
Thanks, Martin and Petr, for your comments and the workaround. As we're internally still on an old version of bind-dyndb-ldap I can actually use the LDAP attribute to achieve what I desire. Yeah!

As for the future, I opened https://bugzilla.redhat.com/show_bug.cgi?id=1138317, if anybody is interested to upvote :-)

-Original Message-
From: Petr Spacek pspa...@redhat.com
Sent: Thu 4 September 2014 15:23
To: freeipa-users@redhat.com
Subject: Re: [Freeipa-users] Filters in bind-dyndb-ldap

> On 4.9.2014 14:28, Martin Kosek wrote:
> > Actually, FreeIPA/bind-dyndb-ldap use the idnszoneactive attribute (TRUE/FALSE) to define which zones are active and which are not.
>
> Martin is right, I will add a couple more details about this:
>
> The idnszoneactive attribute should work in bind-dyndb-ldap < 4.0. Versions >= 4.0 do not support it yet. This deficiency is tracked in https://fedorahosted.org/bind-dyndb-ldap/ticket/127
>
> You have a couple of options as a workaround:
>
> 1) Use an older version of bind-dyndb-ldap :-)
> 2) Use LDAP transformation on the server side so the server doesn't return objects from a sub-tree with idnszoneactive attribute = FALSE.
> 3) Try some ACI magic on the server side so it will not return objects from a given sub-tree if idnszoneactive = FALSE. (This seems to be the easiest option to me.)
>
> Have a nice day!
>
> Petr^2 Spacek
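An added example, not part of the thread and not bind-dyndb-ldap code: before moving to a version that Petr says does not support idnszoneactive, an LDIF export of the DNS subtree can be checked for zones that are explicitly flagged inactive, since those rely on the flag being honoured. The function names and the sample LDIF are constructed; `idnsZone` and `idnsName` are assumed to be the zone object class and naming attribute in the directory.

```python
import base64

# Constructed sample export; zone names and DNs are illustrative only.
SAMPLE_LDIF = """\
dn: idnsname=example.test.,cn=dns,dc=example,dc=test
objectClass: idnsZone
idnsName: example.test.
idnsZoneActive: TRUE

dn: idnsname=retired.test.,cn=dns,dc=example,
 dc=test
objectClass: idnsZone
idnsName: retired.test.
idnsZoneActive: FALSE

dn: idnsname=old.test.,cn=dns,dc=example,dc=test
objectClass: idnsZone
idnsName: old.test.
idnsZoneActive:: RkFMU0U=
"""


def parse_ldif(text):
    """Parse LDIF into a list of {lowercased attribute: [values]} dicts."""
    entries = []
    unfolded = text.replace("\n ", "")      # a leading space continues the previous line
    for block in unfolded.split("\n\n"):    # entries are separated by blank lines
        entry = {}
        for line in block.splitlines():
            if not line or line.startswith("#"):
                continue
            attr, _, rest = line.partition(":")
            b64 = rest.startswith(":")       # "attr:: value" carries a base64 value
            value = base64.b64decode(rest[1:].strip()).decode() if b64 else rest.strip()
            entry.setdefault(attr.lower(), []).append(value)
        if entry:
            entries.append(entry)
    return entries


def inactive_zones(entries):
    """Names of idnsZone entries explicitly flagged idnsZoneActive=FALSE."""
    found = []
    for entry in entries:
        classes = {c.lower() for c in entry.get("objectclass", [])}
        flags = {v.upper() for v in entry.get("idnszoneactive", [])}
        if "idnszone" in classes and "FALSE" in flags:
            found.append(entry["idnsname"][0])
    return found
```

Calling `inactive_zones(parse_ldif(SAMPLE_LDIF))` returns the two zones flagged FALSE, including the one whose value was base64-encoded in the export.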