Re: [rt-users] LDAP d filter question
Kevin Falcone wrote:
> On Thu, Jul 08, 2010 at 11:50:45AM -0700, Kenneth Crocker wrote:
>> I noticed that the info for LDAP when using ExternalAuth mentions that
>> you MUST have a d filter defined. My quick question is why? If my
>> regular filter is working, anyone not meeting that specification will
>> be denied anyway, so why the must for the d filter?
>
> It's just part of the way it's designed and the way LDAP filters are
> generated. It's not brilliant, but it works well.
>
> If you don't need it, make it the empty string
>
> -kevin

Have you tested that?

I haven't checked within living memory, but my general recommendation is
to use something like (objectClass=ScoobyDoo) so you guarantee not to match.

I'm not sure that an empty string won't cause a syntax failure on lookup.

--
Kind Regards,

Mike Peachey, IT Systems Administrator
Tel: +44 114 281 2655
Fax: +44 114 281 2951
Jennic Ltd, Furnival Street, Sheffield, S1 4QT, UK
Comp Reg No: 3191371 - Registered In England
http://www.jennic.com

Discover RT's hidden secrets with RT Essentials from O'Reilly Media.
Buy a copy at http://rtbook.bestpractical.com
Re: [rt-users] LDAP d filter question
On Fri, Jul 09, 2010 at 08:55:11AM +0100, Mike Peachey wrote:
>> If you don't need it, make it the empty string
>
> Have you tested that?
>
> I haven't checked within living memory, but my general recommendation is
> to use something like (objectClass=ScoobyDoo) so you guarantee not to match.
>
> I'm not sure that an empty string won't cause a syntax failure on lookup.

    unless ($d_filter) {
        # If we don't know how to check for disabled users, consider them all enabled.
        $RT::Logger->debug("No d_filter specified for this LDAP service (",
                           $service,
                           "), so considering all users enabled");
        return 0;
    }

-kevin
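A simplified model of the guard quoted in the message above, added here as an illustration; it is not RT's code and not from either poster. It assumes a user counts as disabled when a directory entry matches both the username and the d_filter, and it uses a constructed in-memory directory with a hypothetical accountStatus attribute.

```perl
#!/usr/bin/perl
# Added example: simplified model of the disabled-user check, NOT RT's code.
use strict;
use warnings;

# Constructed sample directory (hypothetical users and attributes).
my @directory = (
    { uid => 'alice', objectClass => 'inetOrgPerson', accountStatus => 'active'   },
    { uid => 'bob',   objectClass => 'inetOrgPerson', accountStatus => 'disabled' },
);

# Minimal matcher: supports a single "(attr=value)" equality filter only.
sub entry_matches {
    my ($entry, $filter) = @_;
    my ($attr, $value) = $filter =~ /^\((\w+)=([^()]*)\)$/
        or die "unsupported filter in this model: $filter\n";
    return (defined($entry->{$attr}) && lc($entry->{$attr}) eq lc($value)) ? 1 : 0;
}

# Returns 1 if the user counts as disabled, 0 otherwise.
sub user_disabled {
    my ($username, $d_filter) = @_;

    # Same guard as the snippet in the thread: with no d_filter,
    # nobody is ever reported as disabled.
    return 0 unless $d_filter;

    # Assumption: disabled means an entry matches the username AND the d_filter.
    for my $entry (@directory) {
        next unless $entry->{uid} eq $username;
        return 1 if entry_matches($entry, $d_filter);
    }
    return 0;
}

# Compare the three settings discussed: empty, never-matching, real marker.
for my $d_filter ('', '(objectClass=ScoobyDoo)', '(accountStatus=disabled)') {
    for my $user (qw(alice bob)) {
        printf "d_filter=%-28s user=%-5s disabled=%d\n",
            "'$d_filter'", $user, user_disabled($user, $d_filter);
    }
}
```

In this model the empty string and the never-matching filter give the same result: bob is reported as enabled, and only a d_filter that matches the directory's real disabled marker flags him.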
Re: [rt-users] LDAP d filter question
Kevin Falcone wrote:
> On Fri, Jul 09, 2010 at 08:55:11AM +0100, Mike Peachey wrote:
>>> If you don't need it, make it the empty string
>>
>> Have you tested that?
>>
>> I haven't checked within living memory, but my general recommendation is
>> to use something like (objectClass=ScoobyDoo) so you guarantee not to match.
>>
>> I'm not sure that an empty string won't cause a syntax failure on lookup.
>
>     unless ($d_filter) {
>         # If we don't know how to check for disabled users, consider them all enabled.
>         $RT::Logger->debug("No d_filter specified for this LDAP service (",
>                            $service,
>                            "), so considering all users enabled");
>         return 0;
>     }
>
> -kevin

Ah yes.

--
Kind Regards,

Mike Peachey, IT Systems Administrator
Tel: +44 114 281 2655
Fax: +44 114 281 2951
Jennic Ltd, Furnival Street, Sheffield, S1 4QT, UK
Comp Reg No: 3191371 - Registered In England
http://www.jennic.com
[rt-users] LDAP d filter question
To list,

I noticed that the info for LDAP when using ExternalAuth mentions that you
*MUST* have a d filter defined. My quick question is why? If my regular
filter is working, anyone not meeting that specification will be denied
anyway, so why the *must* for the d filter?

Kenn
LBNL