My DIT:
dc=mucompany,dc=com
ou=moodlegroups
ou=moodleusers
ou=Students
mail=student1#mail.com
courseCertificate=Type1
courseCertificate=Type2
courseCertificate=Type3
mail=student2#mail.com
courseCertificate=Type1
courseCertificate=Type2
courseCertificate=Type3
the mail=student1#gmail.com entry has the mail as RDN and a bunch of other attributes(cn,sn...also custom attributes) and has like childrens the CourseCertificate=value entres also containing bunch of other attributes(courseCertificateRunning=TRUE,courseCertificateEnding=20120210,...)
I need to make a query that searchs for (&(sn=Brad)(courseRunning=TRUE)) that returns all the attributes of the parent entry and of the child entry that satisfy the filter...
Is this possible with one ldapsearch?
Any help it will means a lot to me, thanks in advance.
P.S. I'm using openldap 2.4, i try to do the queres using AD Studio
LDAP search filters are evaluated against each individual entry, to decide if it must be returned or not. They are not evaluated against a hierarchy of entries.
Related
Hallo I need help to optimize a LDAP Filter string because the Ldap filter is too long (maximum is 255 characters) for my tool (Foreman).
My LDAP curent Ldap filter
(|
(memberOf=cn=admingoup,ou=groups,OU=admin,DC=xxx,DC=de)
(memberOf=CN=group1,OU=dd,OU=cc,OU=ab,DC=xxx,DC=de)
(memberOf=CN=group2,OU=dd,OU=cc,OU=ab,DC=xxx,DC=de)
)
This work but i need a soultion like
(|
(memberOf=cn=admingoup,ou=groups,OU=admin,DC=xxx,DC=de)
(memberOf=CN=*,OU=dd,OU=cc,OU=ab,DC=xxx,DC=de)
)
I don't think you can work your way out without making modifications on your constraints somewhere :
Allow longer filter in foreman
Modify the LDAP directory to allow substring match on the memberOf attribute
Modify your filter. A way to do it could be :
search base dn : DC=xxx,DC=de
search filter : (&(objectclass=group)(|(cn=admingroup)(cn=group1)(cn=group2))) (This is an example, the point is to match only the group you need, maybe using the entry id if necessary)
attribute retrieve member (or the equivalent)
What it will do is to retrieve all the members of these groups, dupplicate members should not be a probleme for access control I presume
I have two classes. One Attribut of class1 is connected to another attribut of class2. This was done with the help of the context menue of the connector in the proximity of one class, it is called Link to element feature. The same is done on the other side of the connector to select the other attribut of the other class. So the connector directly connects two attributes and not the classes itselves. I haven´t found the tables, where this infomation is stored, so I dont find the appropiate SQL to find connected (or not connected) attributes.
Here's the way for notes using Link to..
PDATA1 = 'Attribute'
PDATA2 = t_attribute.ID of the attribute
PDATA3 = name of the attribute
PDATA4 has 'Yes' (I don't recall what that's used for so you can probably ignore it
First SQL:
SELECT PDATA2 FROM t_object WHERE Object_Type='Note' AND PDATA1 = 'Attribute'
will give you the ID. Just put that in another SQL:
SELECT * FROM t_attribute WHERE ID = (above SQL)
and you have the attribute details. Or if you want to find the unmapped one just build a dissection with the found IDs from the first with the existing attribute IDs.
For associations using Link to... it's a bit more tricky. First off, any such connectors have the relevant information stored in t_connector.StyleEx like e.g.
LFEP={69A30E17-23AB-4641-9573-9BDBAA988D52}L;
LF<dir>P=<guid><pos>; connector is attached to attribute/operation
<dir> = S or E meaning Start (source) or End (target) <guid> = ea_guid of t_attribute or t_operation
<pos> is the edge (L or R) where the connector had been attached to in the moment when the link has been created. This is a superfluous information since the renderer will attach the link to whatever place is relevant.
There can be one LFSP, one LFEP or both be present in one StyleEx property
(from my Inside book)
Now you can filter that information with a SQL or (what I prefer) with a little script, since doing complex SQL string operations are not my expertise.
In the screenshot below, my details branch/node contains lots of details named with a random-id. As shown in the example, 8641260c-900... is a detail record and there will be several others like these.
I would like to know whether my .write rule is correct or not? I wanted to enable restriction so that current auth.id exactly match the existing record's user field.
I would also wanted to restrict deletion of the record (via .remove).
Can I simply add && !data.exists() || newData.exists() to the .write rule?
Thanks in advance.
I would like to know whether my .write rule is correct or not?
First of all, giving ".read":true and ".write":true to the root will override all child node rules to true. Therefore any rules specified to child nodes will become redundant.
I wanted to enable restriction so that current auth.id exactly match the existing record's user field.
{"rules":{
"existing_record":{
"user":{
".write":"newData.isString() && auth.uid == newData.val()"
}
}
}}
I would also wanted to restrict deletion of the record (via .remove).
newData.exists() will prevent deletion of a node. newData represents how data will look like after the operation took place. Therefore, by ensuring that newData exists after the operation, deletion of a node is prohibited.
I have an ldap entry cn=My Name,ou=users,dc=domain,dc=com with these attributes among others:
mail: test#domain.com
mail: test2#domain.com
Then I perform and SEARCH with LDAP_SCOPE_SUBTREE on ou=users,dc=domain,dc=com with this query filter: (mail=test#domain.com) The requested attribute would be mail
The answer would be:
test#domain.com
test2#domain.com
But I only want test2#domain.com as result.
Is there a possility to do this with either the query filter or the OpenLDAP ACL?
I already tried the query filter: (&(mail=test#domain.com)(!(mail=test2#domain.com))), but this returns an empty value
And my thought on doing this with ACL was to use something like attrs=mail val=*searchquery* as "What to control access to"-part, but the documentation on this is not very detailed.
Any idea or better any solution for this problem? (and no, changing this to two different attributes is not really an option)
I have a question about the rbac system. I think I've pretty well understood it but I need more informations about a special case.
I would like to do the autorisations on groups instead of users. I mean for instance the group "HR" has permission to create a person. Then any person who join this group would have it as well.
Let me give you more informations.
A part of my database:
And this a part of what my group hierarchy could be:
So what I'm looking for, this would be a must, is a system where each group has some autorizations. People get the autorizations of their group and of their parents group (for instance people in "Forsys" has the autorizations of "Forsys", "R&D" and "Administration").
The solution I see at the moment is using bizrule. But I'm not sure write php code in database is a good idea and then if I update the group hierarchy (R&D inherits of RH instead of Administration) I would have to modify bizrule in database. I tried it and it works well but as you can see it require a lot of code.
$user = User::model()->with("people","people.groups")->findByPk(Yii::app()->user->id);
foreach($user->people[0]->groups as $group)
if($group->id == 2)
return true;
return false;
It's just for see if a user is in a group (without checking parent groups and hierarchy)
Another possibility could be create a new table "group_auth" where we would say for instance:
-Group_2 has role "managePerson"
-Group_3 has operation "deleteUser"
...
And then everytime a user is added in or removed of a group we would update his autorizations in the auth_assigment table.
I'd like to hear other opinions on this subject.
All comments will be appreciated :)
Thank you for reading and sorry for my English if you had difficulties to understand me.
Michaël S.
Do users ever get their own authorization items? If not, seems like you could in essence swap out the userid column in auth_assignment and name it / treat it as groupID instead. That way you wouldn't need to worry about keeping user auth assignments in sync with your group roles.
A couple of places you'd probably need to make some changes:
- by default CWebUser passes in the logged in userid for use in bizrules. Might be good to change that our with your own override that passes in groupId/groupIds instead.
- you'd need to override CDbAuthManager and rework some of how things work there
We've done something similar on a project I've worked on (we were handling multi-tenant RBAC custom permissions), which required custom CDbAuthManager overrides. It gets a bit tricky if you do it, but there is an awful lot of power available to you.
Edit:
Understood about your users sometimes needing to have additional authorizations. What if your group has a 'roles' field with different roles serialized in it (or some other method of having multiple roles stored for that group, could also be a relationship).
Then, on user login (for efficiency), you'd store those roles in session. Probably the easiest way to handle things would be to write a custom checkAccess for your WebUser override:
https://github.com/yiisoft/yii/blob/1.1.13/framework/web/auth/CWebUser.php#L801
as that will make things simpler to do your custom checking. Then I'd probably do something like:
if(Yii::app()->user->hasGroupAccess() || Yii::app()->user->checkAccess('operation/task/role')) {
....
}
In your WebUser hasGroupAccess method, you could loop over all group roles and send those to checkAccess as well.
Think that will work?
What I use to check access for groups when it's in another table, or somewhere else in the application I give the user the role per default. By using this:
return array(
'components'=>array(
'authManager'=>array(
'class'=>'CDbAuthManager',
'defaultRoles'=>array('authenticated', 'R&D', 'Administration'),
),
),
);
Under: Using Default Roles
By using this, every user gets these assignments. Now, I create a business rule to make sure that the checkAccess('group') will return the correct value.
For example in your case the business rule for R&D would be:
return (
count(
Person::model()->findByPk(Yii::app()->user->id)->groups(array('name'=>'R&D'))
) > 0
) ? true : false;
So what this does is:
find the logged-in person by primary key
look into groups (from the user) for the group with name R&D
if there is a group: return true (else return false)