LDAP Filter memberof - ldap

Hello, I need help to optimize an LDAP filter string because the LDAP filter is too long (maximum is 255 characters) for my tool (Foreman).
My current LDAP filter:
(|
(memberOf=cn=admingoup,ou=groups,OU=admin,DC=xxx,DC=de)
(memberOf=CN=group1,OU=dd,OU=cc,OU=ab,DC=xxx,DC=de)
(memberOf=CN=group2,OU=dd,OU=cc,OU=ab,DC=xxx,DC=de)
)
This works, but I need a solution like:
(|
(memberOf=cn=admingoup,ou=groups,OU=admin,DC=xxx,DC=de)
(memberOf=CN=*,OU=dd,OU=cc,OU=ab,DC=xxx,DC=de)
)

I don't think you can work your way out without making modifications to your constraints somewhere:
Allow a longer filter in Foreman
Modify the LDAP directory to allow substring match on the memberOf attribute
Modify your filter. A way to do it could be:
search base dn: DC=xxx,DC=de
search filter: (&(objectclass=group)(|(cn=admingroup)(cn=group1)(cn=group2))) (This is an example; the point is to match only the groups you need, maybe using the entry id if necessary)
attribute to retrieve: member (or the equivalent)
What it will do is retrieve all the members of these groups; duplicate members should not be a problem for access control, I presume.
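The two-step approach from the answer, as an added example in Python that is not part of the question, the answer or Foreman: it builds the long memberOf form from the DNs posted in the question and the short group-by-cn form from the answer, checks each against the 255-character limit the question quotes, and then collects the member attribute of the selected groups into one deduplicated set. The group entries and their members are constructed sample data, and the directory search itself is replaced by a dictionary lookup; the one piece worth copying into a real client is the RFC 4515 value escaping, without which a group name such as `admin*` widens the match.

```python
"""Shorter group-based filter for Foreman, as proposed in the answer above.

Added example, not code from the question, the answer or Foreman.  The group
members are constructed sample data; the DNs are the ones posted in the question
and the 255-character limit is the one the question quotes.
"""
FILTER_MAX_LEN = 255

def escape_filter_value(value):
    """Escape a value for use inside an RFC 4515 filter (RFC 4515 section 3).

    '*', '(', ')', '\\' and NUL become \\XX hex escapes.  Group names that come
    from configuration or user input must pass through this, otherwise a name
    such as 'admin*' silently widens the match (LDAP filter injection).
    """
    return "".join("\\%02x" % ord(c) if c in "*()\\\x00" else c for c in value)

def memberof_filter(group_dns):
    """The long form from the question: one memberOf assertion per group DN."""
    return "(|" + "".join("(memberOf=%s)" % escape_filter_value(dn) for dn in group_dns) + ")"

def group_filter(group_names):
    """The short form from the answer: select the group entries themselves by cn."""
    alts = "".join("(cn=%s)" % escape_filter_value(n) for n in group_names)
    return "(&(objectClass=group)(|%s))" % alts

def fits(filter_text, limit=FILTER_MAX_LEN):
    """True if the filter stays within the tool's length limit."""
    return len(filter_text) <= limit

GROUP_DNS = [  # as posted in the question
    "cn=admingoup,ou=groups,OU=admin,DC=xxx,DC=de",
    "CN=group1,OU=dd,OU=cc,OU=ab,DC=xxx,DC=de",
    "CN=group2,OU=dd,OU=cc,OU=ab,DC=xxx,DC=de",
]
GROUP_NAMES = ["admingroup", "group1", "group2"]

GROUPS = {  # constructed sample group entries: cn -> values of the member attribute
    "admingroup": ["cn=alice,ou=people,dc=xxx,dc=de", "cn=bob,ou=people,dc=xxx,dc=de"],
    "group1": ["cn=bob,ou=people,dc=xxx,dc=de", "cn=carol,ou=people,dc=xxx,dc=de"],
    "group2": ["cn=carol,ou=people,dc=xxx,dc=de", "cn=dave,ou=people,dc=xxx,dc=de"],
    "other": ["cn=eve,ou=people,dc=xxx,dc=de"],
}

def members_of(wanted, groups=GROUPS):
    """Union of 'member' over the selected groups, duplicates removed.

    This is the second step of the answer: the search with group_filter() returns
    these group entries, and their member values are collected into one set.
    """
    wanted = {n.lower() for n in wanted}
    return sorted({m for cn, members in groups.items() if cn.lower() in wanted for m in members})

if __name__ == "__main__":
    long_form, short_form = memberof_filter(GROUP_DNS), group_filter(GROUP_NAMES)
    print(len(long_form), fits(long_form), long_form)
    print(len(short_form), fits(short_form), short_form)
    print(members_of(GROUP_NAMES))
```

The short form grows by one `(cn=...)` assertion per group instead of one full DN, which is why it stays well under the limit even when the real DNs are much longer than the redacted ones shown; the client then reads `member` (or `uniqueMember`/`memberUid`, depending on the group object class) from each returned group.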

Related

How do you use a SoftLayer Object filter based on fullyQualifiedDomainName for virtual guests queries?

I am attempting to use the REST API to limit the result set of a SoftLayer_Account/getVirtualServers call. I want to use an object filter to limit based on the fully qualified domain name. I am passing the object filter like:
'{"virtualGuests":{"fullyQualifiedDomainName":{"operation":"cds-testprov-server-2.bluemix.net"}}}';
However, the filter is being ignored. If I try some of the other virtual guest values to filter on, like:
'{"virtualGuests":{"primaryBackendIpAddress":{"operation":"10.114.220.20"}}}'
'{"virtualGuests":{"id":{"operation":"10098133"}}}';
it works as expected. Is there something about the fullyQualifiedDomainName field that doesn't allow the use of the objectFilter?
Yep, you cannot apply a filter over "fullyQualifiedDomainName". I think this is because the field is not stored in the database; it is generated using the hostname and domain, so you should apply the filter over the hostname and the domain. You can use this filter:
{"virtualGuests":{"hostname":{"operation": "oeg-search1"}, "domain":{"operation": "oeg.dal.slcommunity.org"}}}
Regards

Hide search value from LDAP query result

I have an LDAP entry cn=My Name,ou=users,dc=domain,dc=com with these attributes, among others:
mail: test@domain.com
mail: test2@domain.com
Then I perform a SEARCH with LDAP_SCOPE_SUBTREE on ou=users,dc=domain,dc=com with this query filter: (mail=test@domain.com). The requested attribute would be mail.
The answer would be:
test@domain.com
test2@domain.com
But I only want test2@domain.com as the result.
Is there a possibility to do this with either the query filter or the OpenLDAP ACL?
I already tried the query filter (&(mail=test@domain.com)(!(mail=test2@domain.com))), but this returns an empty value.
And my thought on doing this with an ACL was to use something like attrs=mail val=*searchquery* as the "What to control access to" part, but the documentation on this is not very detailed.
Any idea, or better, any solution for this problem? (And no, changing this to two different attributes is not really an option.)

User Filter for nested OU inside gitlab using RFC 4515

I am setting up gitlab to have LDAP access.
I would like to give access to 2 separate OUs, OU=Users,OU=Dept1,OU=land,DC=my,DC=com and OU=Users,OU=Dept2,OU=land,DC=my,DC=com (basically the users of 2 departments).
I believe that I would have to set the base to OU=land,DC=my,DC=com and then use a user_filter (Format: RFC 4515).
Probably something of the sort
(|(ou=Dept1)(ou=Dept2))
How do I extend this to specify only for the USERS within those ou's? Thanks
Note:
When I use the filter (objectClass=user) I am given access;
however, if I change it to any of the following I am refused access:
(&(objectClass=user)(ou=Users))
(&(objectClass=user)(ou=Dept1))
(&(objectClass=user)(ou=Users,ou=Dept1,ou=land))
(&(objectClass=user)(ou=Users,ou=Dept1,ou=land,dc=my,dc=com))
You should add an objectClass constraint to the filter to limit it only to users, say (&(objectClass=Person)).

memberOf attribute does not exist when user is in a group (dirsrv, CentOS6.2)

I have a problem adding user in a group using dirsrv, CentOS6.2.
Default schema, have user jmarsden in "People" and created a group into "Groups".
Tried to use all of the group types: groupOfNames, groupOfUniqueNames, posixGroup. The member (uniqueMember or memberUid) is successfully added as an attribute.
member=uid=jmarsden,ou=People,dc=mymy,dc=localdomain
But when I fetch operational attributes using Apache Directory Studio there is no memberOf attribute for user jmarsden. A search with the filter memberOf=cn=M* does not work either.
What am I doing wrong?
memberOf is an attribute that is most often associated with Active Directory.
Many LDAP implementations do not use an attribute on the user to represent which groups the user is a member of.
Which LDAP implementation are you using?

ldap query on parent & child entry

My DIT:
dc=mucompany,dc=com
  ou=moodlegroups
  ou=moodleusers
    ou=Students
      mail=student1@mail.com
        courseCertificate=Type1
        courseCertificate=Type2
        courseCertificate=Type3
      mail=student2@mail.com
        courseCertificate=Type1
        courseCertificate=Type2
        courseCertificate=Type3
The mail=student1@gmail.com entry has the mail as its RDN and a bunch of other attributes (cn, sn, ... also custom attributes), and has as children the courseCertificate=value entries, also containing a bunch of other attributes (courseCertificateRunning=TRUE, courseCertificateEnding=20120210, ...).
I need to make a query that searches for (&(sn=Brad)(courseRunning=TRUE)) and returns all the attributes of the parent entry and of the child entry that satisfy the filter...
Is this possible with one ldapsearch?
Any help will mean a lot to me; thanks in advance.
P.S. I'm using OpenLDAP 2.4; I try to do the queries using AD Studio.
LDAP search filters are evaluated against each individual entry, to decide whether it must be returned or not. They are not evaluated against a hierarchy of entries.
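The per-entry evaluation rule in this answer explains the empty results in several of the posts above, so here is one added example (not code from any of the posts, and not a real LDAP client) that makes it visible: a small in-memory search with a parser for the RFC 4515 subset the posts use, run over constructed entries shaped like the ones in the questions. It shows why `(&(mail=a)(!(mail=b)))` returns nothing for an entry that holds both values and why all values of `mail` come back when it does match ("Hide search value" post), why `(ou=Dept1)` matches nothing when the OU appears only in the user's DN and scoping by base DN is the alternative (GitLab post), how group membership is found without a memberOf attribute by searching the group entries for `member=<user DN>` (dirsrv post), and why the parent/child query here needs two searches (Moodle post). The attribute name `courseCertificateRunning` is taken from the DIT description rather than the `courseRunning` in the sample filter.

```python
"""Toy in-memory LDAP search: RFC 4515 filters are evaluated per entry.

Added example, not code from any of the posts above; all entries are constructed
sample data.  Supports &, |, !, equality, presence (attr=*) and substring (a*b);
\\XX escapes are not decoded.  Names and values compare case-insensitively.
"""
import re

def parse_filter(text):
    """Parse a filter string into a nested tuple tree."""
    pos = 0
    def node():
        nonlocal pos
        assert text[pos] == "(", "expected '(' at offset %d" % pos
        pos += 1
        if text[pos] in "&|!":
            op, kids, pos = text[pos], [], pos + 1
            while text[pos] == "(":
                kids.append(node())
            result = (op, kids)
        else:
            end = text.index(")", pos)
            attr, _, value = text[pos:end].partition("=")
            result, pos = ("=", attr.lower(), value), end
        assert text[pos] == ")", "expected ')' at offset %d" % pos
        pos += 1
        return result
    tree = node()
    assert pos == len(text), "trailing characters after filter"
    return tree

def matches(tree, attrs):
    """Evaluate a parsed filter against ONE entry's attributes."""
    op = tree[0]
    if op in "&|":
        return (all if op == "&" else any)(matches(k, attrs) for k in tree[1])
    if op == "!":
        return not matches(tree[1][0], attrs)
    _, attr, pattern = tree
    values = attrs.get(attr, [])
    if pattern == "*":  # presence assertion
        return bool(values)
    regex = ".*".join(re.escape(p) for p in pattern.split("*"))
    return any(re.fullmatch(regex, v, re.IGNORECASE) for v in values)

def search(directory, base, filter_text):
    """Subtree search: test the filter against each entry under base, on its own.
    Nothing is inherited from a parent, and RDN parts (ou=..., dc=...) are not
    attributes unless the entry carries them."""
    tree, base = parse_filter(filter_text), base.lower()
    return [(dn, attrs) for dn, attrs in directory
            if (dn.lower() == base or dn.lower().endswith("," + base)) and matches(tree, attrs)]

def entry(dn, **attrs):
    return dn, {k.lower(): (v if isinstance(v, list) else [v]) for k, v in attrs.items()}

DIRECTORY = [  # constructed sample data shaped like the posts above
    entry("cn=My Name,ou=users,dc=domain,dc=com", objectClass="inetOrgPerson",
          mail=["test@domain.com", "test2@domain.com"]),
    entry("cn=alice,OU=Users,OU=Dept1,OU=land,DC=my,DC=com", objectClass="user", cn="alice"),
    entry("cn=bob,OU=Users,OU=Dept2,OU=land,DC=my,DC=com", objectClass="user", cn="bob"),
    entry("uid=jmarsden,ou=People,dc=mymy,dc=localdomain", objectClass="inetOrgPerson", uid="jmarsden"),
    entry("cn=Managers,ou=Groups,dc=mymy,dc=localdomain", objectClass="groupOfNames", cn="Managers",
          member="uid=jmarsden,ou=People,dc=mymy,dc=localdomain"),
    entry("mail=student1@mail.com,ou=Students,dc=mucompany,dc=com", sn="Brad", mail="student1@mail.com"),
    entry("courseCertificate=Type1,mail=student1@mail.com,ou=Students,dc=mucompany,dc=com",
          courseCertificate="Type1", courseCertificateRunning="TRUE"),
]

def hide_value_demo():
    # the entry matches as a whole, so every mail value is returned; the NOT rejects the whole entry
    base = "ou=users,dc=domain,dc=com"
    hit = search(DIRECTORY, base, "(mail=test@domain.com)")
    excluded = search(DIRECTORY, base, "(&(mail=test@domain.com)(!(mail=test2@domain.com)))")
    return [a["mail"] for _, a in hit], [dn for dn, _ in excluded]

def gitlab_demo():
    # ou=Dept1 is in the DN, not in the entry, so the attribute test fails; scope by base DN instead
    by_attr = search(DIRECTORY, "OU=land,DC=my,DC=com", "(&(objectClass=user)(ou=Dept1))")
    by_base = search(DIRECTORY, "OU=Users,OU=Dept1,OU=land,DC=my,DC=com", "(objectClass=user)")
    return [dn for dn, _ in by_attr], [dn for dn, _ in by_base]

def group_lookup_demo():
    # without memberOf on the user, ask the group entries which of them list the user
    user_dn = "uid=jmarsden,ou=People,dc=mymy,dc=localdomain"
    hits = search(DIRECTORY, "ou=Groups,dc=mymy,dc=localdomain", "(member=%s)" % user_dn)
    return [a["cn"][0] for _, a in hits]

def parent_child_demo():
    # sn is on the parent and courseCertificateRunning on the child: one filter cannot join them
    base = "ou=Students,dc=mucompany,dc=com"
    one_shot = search(DIRECTORY, base, "(&(sn=Brad)(courseCertificateRunning=TRUE))")
    parents = search(DIRECTORY, base, "(sn=Brad)")
    children = [c for dn, _ in parents for c, _ in search(DIRECTORY, dn, "(courseCertificateRunning=TRUE)")]
    return [dn for dn, _ in one_shot], [dn for dn, _ in parents], children
```

Each demo returns the DNs (or values) a real server would return for the same base and filter, which is what a client should be written against: one search per entry type, with the second search's base set to the DN found by the first, rather than one filter that tries to reach across entries.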