On 03/21/2013 09:04 AM, Jan-Frode Myklebust wrote:
> Serverfault has a hack for supporting nested groups on
> RHEL5/apache-2.2 involving an LDAP filter using
> LDAP_MATCHING_RULE_IN_CHAIN on Active Directory, ref:
>
> http://serverfault.com/a/424706
>
> Does anybody know if a similar filter can be created for an
> IPA/389ds backend?
Just as an FYI (slightly off-topic), we discovered in SSSD that the problem with this approach on Active Directory is that the matching rule searches are not indexed, so on large AD deployments it can take seconds (sometimes tens of seconds) to return the results.

FreeIPA's solution is much simpler and more elegant. When group memberships are stored in the server, we create backlinks at save-time. All users contain an attribute 'memberOf' that automatically handles nestings. So if GroupB is a member of GroupA and UserC is a member of GroupB, then UserC will have:

memberOf: cn=GroupB,...
memberOf: cn=GroupA,...

So you can always get the complete list of groups a user belongs to with:

ldapsearch <connection_args> -H ldap://ipaserver.example.com \
    -b <user_dn> -s base "(objectClass=*)" memberOf

Or the complete set of users in a group with:

ldapsearch <connection_args> -H ldap://ipaserver.example.com \
    -b <user_search_base> \
    "(&(objectClass=posixAccount)(memberOf=cn=groupname,...))"

Freeipa-users mailing list
https://www.redhat.com/mailman/listinfo/freeipa-users
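As an added illustration (not code from this thread or from FreeIPA itself), the Python below models what the memberOf backlinks described in the reply contain once computed: it takes a constructed set of group entries with member attributes, walks the nesting the way the server does at save time (with a visited set so a cyclic nesting terminates), and then answers both of the reply's ldapsearch questions against the result. The DNs, the ENTRIES dictionary and the function names are assumptions; the sample users carry objectClass posixAccount, the objectClass FreeIPA users have.

```python
"""Constructed model of server-side memberOf backlinks for nested groups.

Assumption (illustrative, not FreeIPA's plugin): groups are entries with
'member' DNs, users are entries with objectClass posixAccount.
"""
from collections import deque

# Constructed sample directory: GroupB is a member of GroupA, UserC of GroupB.
# GroupB also lists GroupA as a member, a deliberate cycle to show termination.
ENTRIES = {
    "cn=GroupA,cn=groups,dc=example,dc=com": {
        "objectClass": ["groupOfNames"],
        "member": ["cn=GroupB,cn=groups,dc=example,dc=com"],
    },
    "cn=GroupB,cn=groups,dc=example,dc=com": {
        "objectClass": ["groupOfNames"],
        "member": ["uid=userc,cn=users,dc=example,dc=com",
                   "cn=GroupA,cn=groups,dc=example,dc=com"],
    },
    "uid=userc,cn=users,dc=example,dc=com": {"objectClass": ["posixAccount"]},
    "uid=userd,cn=users,dc=example,dc=com": {"objectClass": ["posixAccount"]},
}


def compute_memberof(entries):
    """Return {dn: sorted DNs of every direct and nested group} for each entry.

    This is the closure the memberOf plugin materialises at save time: a
    breadth-first walk from each entry over the groups that list it, with a
    visited set so cyclic nestings cannot loop forever.
    """
    direct = {}  # member DN -> set of groups that list it directly
    for group_dn, attrs in entries.items():
        for member in attrs.get("member", []):
            direct.setdefault(member, set()).add(group_dn)
    memberof = {}
    for dn in entries:
        seen, queue = set(), deque(direct.get(dn, ()))
        while queue:
            group = queue.popleft()
            if group in seen or group == dn:
                continue
            seen.add(group)
            queue.extend(direct.get(group, ()))
        memberof[dn] = sorted(seen)
    return memberof


def users_in_group(entries, memberof, group_dn):
    """Same question as the second ldapsearch: posixAccount entries whose
    precomputed memberOf contains group_dn, nested members included."""
    return sorted(dn for dn, attrs in entries.items()
                  if "posixAccount" in attrs["objectClass"]
                  and group_dn in memberof[dn])
```

Because the backlinks are computed once when membership is written, the lookup is a plain attribute read or an equality filter on memberOf, which is exactly why the 389ds side avoids the unindexed matching-rule search the reply warns about.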
