Hi guys... Thanks for the reply,

I tried many LDAP filters according to the suggestion made by Andrew, but I am unable to get it to work. Any idea how to write such a filter?

Thank you

On 15 May 2012 03:03, Andrew Findlay <[email protected]> wrote:

> On Mon, May 14, 2012 at 08:06:41PM +0530, dhanushka ranasinghe wrote:
>
> > I have an LDAP server and it has a group called:
> >
> > cn=internal,ou=group,dc=example,dc=com
> >
> > The users of this group are:
> >
> > uid=user1,ou=user,dc=example,dc=com
> > uid=user2,ou=user,dc=example,dc=com
> >
> > I need to only authenticate the users under cn=internal ....
>
> I assume you mean "I only want to allow users of this group to access
> some resource"
>
> > This is what we are using:
> >
> > (&(objectClass=groupOfNames)(memberOf=CN=internal,OU=group,DC=example,DC=com))
> >
> > It seems like it's not working ..
> >
> > What is the LDAP search filter I need to use to get only the members of the
> > cn=internal group authenticated...
>
> I think it would be best to use several LDAP operations rather than
> trying to do everything in one go. For example:
>
> 1) Search for user:
>    base: ou=user,dc=example,dc=com
>    filter: (&(objectclass=account)(uid=<username>))
>    If the user exists, note the DN of the entry found.
>
> 2) Authenticate user:
>    Bind as the user DN using the user-supplied password
>    If this fails, deny access.
>
> 3) Re-bind as a system user (or anon if that has enough access)
>
> 4) Check authorisation:
>    Search base: CN=internal,OU=group,DC=example,DC=com
>    Search scope: base
>    Filter: (member=<user DN>)
>    Return attributes: cn
>    If this returns an entry then the user is in the authorisation
>    group and should be allowed to use the resource. Otherwise,
>    deny access.
>
> Andrew
> --
> From Andrew Findlay, Skills 1st Ltd
> Consultant in large-scale systems, networks, and directory services
> http://www.skills-1st.co.uk/ +44 1628 782565
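Andrew's four-step procedure, as an added example written for this page (not code from the thread) in Python, against any client object exposing search() and bind(). The user base and group DNs come from the thread; the system account credentials and the in-memory FakeDirectory are constructed for the demo, and the RFC 4515 filter escaping is added because the uid in step 1 is user-supplied.

```python
USER_BASE = "ou=user,dc=example,dc=com"              # from the thread
GROUP_DN = "cn=internal,ou=group,dc=example,dc=com"   # from the thread
SYSTEM_DN, SYSTEM_PW = "cn=app,dc=example,dc=com", "app-secret"  # assumed

def escape_filter_value(value: str) -> str:
    """RFC 4515 escaping: a user-supplied value must not alter the filter."""
    return "".join("\\%02x" % ord(c) if c in "\\*()\x00" else c for c in value)

def login(d, username: str, password: str):
    """Return the user DN if the password is right AND the user is in cn=internal."""
    # 1) Search for the user under the user base; note the DN of the entry found.
    filt = "(&(objectclass=account)(uid=%s))" % escape_filter_value(username)
    found = d.search(USER_BASE, "sub", filt, ["1.1"])
    if len(found) != 1:
        return None
    user_dn = found[0]
    # 2) Authenticate by binding as that DN. An empty password is refused up
    #    front because many servers treat it as an anonymous bind that succeeds.
    if not password or not d.bind(user_dn, password):
        return None
    # 3) Re-bind as the system account for the authorisation lookup.
    if not d.bind(SYSTEM_DN, SYSTEM_PW):
        return None
    # 4) Base-scope search on the group entry itself for (member=<user DN>).
    group_filt = "(member=%s)" % escape_filter_value(user_dn)
    if not d.search(GROUP_DN, "base", group_filt, ["cn"]):
        return None
    return user_dn

class FakeDirectory:
    """Constructed in-memory stand-in for the demo: user1 and user2 exist,
    only user1 is a member of cn=internal."""
    passwords = {"uid=user1,ou=user,dc=example,dc=com": "pw1",
                 "uid=user2,ou=user,dc=example,dc=com": "pw2",
                 SYSTEM_DN: SYSTEM_PW}
    members = {"uid=user1,ou=user,dc=example,dc=com"}

    def bind(self, dn, password):
        return self.passwords.get(dn) == password

    def search(self, base, scope, filt, attrs):
        if base == USER_BASE:  # only the exact uid-filter shape built by login()
            uid = filt[len("(&(objectclass=account)(uid="):-2]
            dn = "uid=%s,%s" % (uid, USER_BASE)
            return [dn] if dn in self.passwords else []
        if base == GROUP_DN and scope == "base":
            return ["cn=internal"] if filt[len("(member="):-1] in self.members else []
        return []
```

With a real server, swap FakeDirectory for a thin wrapper over your LDAP client library; the step order and the escaping stay the same.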
