I'm using Sun Directory server v5.2.
I have three attributes: designation, role.
I am using a tool using which when i create a create/modify user entry with designation filled, a unique member is added to a group 'Members'.
Now, there are circumstances where
Scenario1:
* Creating/ Modifying user entry is not done via the tool and so unique member for this user entry is not added to the group 'Members'.
Scenario2:
* When user the designation attribute is deleted, group entry is not deleted.
This is causing inconsistency in the users and the group.
How can i resolve this?
Thanks,
Sash.
Related
I am trying to adapt the following query to find out if a user is a member of a specific group (security group) but I do not get it to work and I fail to understand it completely.
(&(objectClass=user)(sAMAccountName=yourUserName)
(memberof=CN=YourGroup,OU=Users,DC=YourDomain,DC=com))
in my case, the user is XYZ and the security group is called [SecITGroup].
The user is however located under OU=USERS OU=GO OU=AzureSync.
I have tried the following:
(&(objectClass=user)(sAMAccountName=XYZ)
(memberof=CN=SecITGroup,OU=AzureSync,OU=GO,OU=USR,DC=de,DC=domain,DC=int))
yes, I set the domain name to the actual domain and No result is shown is displayed.
What is the return attribute am I supposed to get back?
I found a solution or a workaround to this.
The LDAP Query is rather to say show me users in the specific group:
(&(objectCategory=user)(memberOf=CN=Administrators,OU=Admin,OU=Groups,DC=domain,DC=com))
The attribute is sAMAccountname which displays the user's name.
New to LDAP. The way our LDAP is arranged is People and groups. The people have user information such as name, uid, and mail. The groups have group name and multiple member field which has value like cn=First Last,cn=people,dc=comic,dc=com, listing the People that are members of the group.
Currently starting with userid and password, doing two searches:
1) Get user by searching on People base domain on uid=value. Then from the user get the first and last name.
2) Search on Groups base domain based on member=cn=First Last,cn=People,dc=comic,dc=com and iterate over the list of group objects returned to the group name field.
Am just wondering is there way to do all this in one search or are two searches necessary?
Unfortunately you cannot do what would like in one operation.
Also, what you are doing will not always work. Instead of retrieving the users first and last name you should retrieve their distinguished name (dn attribute) and do your group search based on that. First and last names can be modified within LDAP and can happen due to marriage / divorce / etc.
It is possible, provided that you implement a Reverse Group Membership Maintenance Overlay.
To determine which groups an entry is a member of without performing extra searches, the memberOf overlay is exactly what you need.
The memberof overlay updates an attribute (by default memberOf)
whenever changes occur to the membership attribute (by default member)
of entries of the objectclass (by default groupOfNames) configured to
trigger updates. Thus, it provides maintenance of the list of groups
an entry is a member of, when usual maintenance of groups is done by
modifying the members on the group entry.
You may find this Server Fault post useful for a how to.
Once you have memberOf attribute ready to be used, you may have to run ldapmodify manually on each group entries, but just once, so that all members entries can be provisioned with the corresponding group dn in their respective memberOf attribute.
Finally, to perform a group membership search for a given user, you would just search for the user entry and iterate the memberOf attribute to get group dn's.
I'm trying to modify the access control list of Leave Requests to approve under Leave managements module.
I need to make the Leave Requests to approve menu only accessed by each employee's manager.
ea. if the company has 10 employees under Sales/marketing and 5 employees under IT department. I need the sales manager access his 10 employees' leave requests only and not able to access the rest of company's employees who are not under his authority.
To do it, I modified the record rule domain definition of Leaves officer from [(1,'=',1)] to [('employee_id.parent_id,'=',user.id)]
but it didn't work. How to fix it?
In Your case basically your are totally pass the wrong domain for the record rules.
You are previously using the domain like
[(1,'=',1)] = > Access the all the model record for that model
[('employee_id.parent_id,'=',user.id)] = > Access the Manager parent_id as current user employee only
But in your are accessing only with the manager user only not to access its related user.
so you must have to add the below domain in your record rules:
['|',('employee_id.user_id','=',user.id),('employee_id.parent_id.user_id','=',user.id)]
Basically the manager its self as employee of the company and employee having to attached with its related user.
first Need to understand the following relation :
1. employee_id :
which is indicate the each leave related with one employee.
2. parent_id :
which is indicate the each employee related with one manager for hr.holidays model w[('employee_id.parent_id,'=',user.id)]particular model.hich is called the leave request
3. user_id :
If you want to access the login to the particular employee then and then you must have to set the related user for each employee form.which is labeled as Related User.
4. user :
Which is indicate the global user name means current user which you are currently logged in.
5.id :
means unique id for each record
In your case how the domain will work ?
first it will check the current logged in user as attached current leave employee related user or not.
and then then find the user ids which are having with the same employee attached with the same managers.
It means it will perform the OR operation of SQL Statement for both of the domain.
I hope my answer may helpful for you :)
I am new to LDAP (AD) and I wonder how can I retrieve all users of a group if the users itself doesn't have the "memberof" attribute (which should link to the group I think)?
Following LDAP Structure
- Users
- UserA (memberof=Group1)
- UserB (memberof=Group1,memberof=Group2)
- UserN ...
- Groups
- Group1 (member=UserA,member=UserB)
- Group2 (member=UserB)
- GroupX ...
- AppGroups
- App1 (member=UserA,member=UserB)
- AppX ...
So how can I query only the users which are members of App1 group from AppGroups if the users don't have the attributes memberof for this group?
I am trying to achive this with Alfresco. Querying the groups is no problem but I can't find a way to also sync the users (and only the users of the group App1)?
Thank you in advance!
You can either form a query that asks the server to retrieve all users whose memberof attribute contains your group's distinguished name, or, you can turn the logic around and ask the server to give you the member attribute of the group. The member attribute on a group contains all members' distinguished names. You can then obtain additional information about the users by reading the objects one-by-one.
Performance-wise, this is much slower, but if there is no memberof attribute on the users themselves, this might be the only option for you.
The 'memberOf' attribute is supported by the memberOf overlay, if:
you have configured it
you have modified the memberships of this DN since you installed the overlay. It isn't retrospective.
Is there any LDAP command to delete all users attached to a specific group. Assume there are user1,user2,user3 assigned to group G1 . I want to delete all the users attached to group G1
Users are not attached to a group, entries are members of a group. To delete all entries that are members
of a group, execute a search that will return all of distinguished names that are members of the group:
make the base object of the search the distinguished name of the group
use (&) or (objectClass=*) for the filter. Some directory servers, for example Sun DSEE in certain
versions fail to properly parse the filter (&)
use base for the search scope
request the attribute type whose values are the distinguished names of the members of the groups. This varies,
but could be something like uniqueMember
Then, transmit a delete request for each distinguished name returned from the above search.
Some servers support referential integrity, if so, the members of the group will be deleted
at the same time as the entries are deleted.
See also
LDAP: Programming Practices
LDAP: Search best practices