
Re: memberOf as misuse of data model



Olivier wrote:
Hello Howard,

There are two common operations on a group: list all the members, and see if
user X is a member of a group. For the first case, just retrieve the group
entry and look at its member attribute. For the second case, just do a
Compare on the group and test the member attribute against the user's DN.

Ok, but:

Let's say that I want to grant access to an application only to users of a
specific group: what would be the filter to use?

There is no filter. You simply set a slapd ACL granting access to the group. Read the slapd.access(5) manpage, or the Admin Guide, or the FAQ.

Another way to ask that is: what is the trick to retrieve posixAccount (or
inetOrgPerson) objects that are members of a specific posixGroup (or
groupOfNames)?

I don't see why any application needs to do this.

Aka: if posixGroup gogo is like this

# gogo, group, toto.fr
dn: cn=gogo,ou=group,dc=toto,dc=fr
objectClass: posixGroup
gidNumber: 17000
cn: gogo
memberUid: gui
memberUid: lev

What is the filter to retrieve exactly this:

# gui, staff, people, toto.fr
dn: uid=gui,ou=staff,ou=people,dc=gui,dc=fr
cn: gui lou
givenName: Gui
homeDirectory: /home/gui
loginShell: /bin/tcsh
objectClass: top
objectClass: person
objectClass: organizationalPerson
objectClass: inetOrgPerson
objectClass: posixAccount
sn: Gui
uid: gui
uidNumber: 1041
userPassword:: e1AZE4N1k=
gidNumber: 18004

# lev, staff, people, toto.fr
dn: uid=lev,ou=staff,ou=people,dc=toto,dc=fr
cn: Lev Luv
givenName: Lev
homeDirectory: /home/lev
loginShell: /bin/bash
objectClass: top
objectClass: person
objectClass: organizationalPerson
objectClass: inetOrgPerson
objectClass: posixAccount
sn: Lev
uid: lev
uidNumber: 1041
userPassword:: eFjQVNCZEZzN1k=
gidNumber: 18004

2012/1/20 Howard Chu<hyc@symas.com>:
Felipe Augusto van de Wiel wrote:

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

Hello,

On 19-01-2012 15:14, Howard Chu wrote:

Dunno. IMO most people using memberOf are misusing the data model
anyway, so it's of little interest.


Out of curiosity (and because I do try to avoid misusing the data
model), why in your opinion memberOf represents a misuse?


There are two common operations on a group: list all the members, and see if
user X is a member of a group. For the first case, just retrieve the group
entry and look at its member attribute. For the second case, just do a
Compare on the group and test the member attribute against the user's DN.



--
  -- Howard Chu
  CTO, Symas Corp.           http://www.symas.com
  Director, Highland Sun     http://highlandsun.com/hyc/
  Chief Architect, OpenLDAP  http://www.openldap.org/project/
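The two group operations Howard names (read the group entry for its member list; do a Compare on the group to test one user) are shown below as an added example, not code from the thread or from OpenLDAP. It runs offline against a constructed in-memory LDIF with a minimal parser standing in for the directory, handles both group flavours mentioned (posixGroup with memberUid, groupOfNames with member), and never searches user entries by a memberOf-style filter. All DNs, group names and the slapd ACL target in the comment are constructed sample values.

```python
"""Added example (not from the list thread): group membership the way the
thread describes it, without memberOf.

Operation 1, list_members(): fetch the group entry, read its membership
attribute.  Operation 2, is_member(): an LDAP Compare against the group
(does attribute A of entry G hold value V?), implemented here as compare().

For an application ACL, Howard points to slapd.access(5) instead of a
filter; for a groupOfNames group the directive has this shape (constructed
target DN, not from the thread):
  access to dn.subtree="ou=app,dc=toto,dc=fr"
      by group.exact="cn=app-users,ou=group,dc=toto,dc=fr" read
      by * none
"""
import base64
from typing import Callable, Dict, List

# Constructed sample directory in LDIF ('::' introduces a base64 value).
SAMPLE_LDIF = """\
dn: cn=gogo,ou=group,dc=toto,dc=fr
objectClass: posixGroup
gidNumber: 17000
cn: gogo
memberUid: gui
memberUid: lev

dn: cn=app-users,ou=group,dc=toto,dc=fr
objectClass: groupOfNames
cn: app-users
member: uid=gui,ou=staff,ou=people,dc=toto,dc=fr

dn: uid=gui,ou=staff,ou=people,dc=toto,dc=fr
objectClass: inetOrgPerson
objectClass: posixAccount
uid: gui
cn:: R3VpIExvdQ==
sn: Gui

dn: uid=lev,ou=staff,ou=people,dc=toto,dc=fr
objectClass: inetOrgPerson
objectClass: posixAccount
uid: lev
cn: Lev Luv
sn: Lev
"""

Entry = Dict[str, List[str]]


def normalize_dn(dn: str) -> str:
    """Simplified DN normalisation (lower-case, trim around commas); enough
    for the sample data, not a full RFC 4514 canonicaliser."""
    return ",".join(part.strip().lower() for part in dn.split(","))


def parse_ldif(text: str) -> Dict[str, Entry]:
    """Minimal LDIF reader: blank-line separated entries, 'attr: value' or
    base64 'attr:: value' lines, no continuation lines.  Attribute names are
    lower-cased and entries keyed by normalised DN, as LDAP matching is
    case-insensitive for both."""
    entries: Dict[str, Entry] = {}
    current: Entry = {}
    for line in text.splitlines() + [""]:
        if not line.strip():
            if current:
                entries[normalize_dn(current["dn"][0])] = current
                current = {}
            continue
        if "::" in line:
            attr, sep, value = line.partition("::")
            value = base64.b64decode(value.strip()).decode()
        else:
            attr, sep, value = line.partition(":")
            value = value.strip()
        current.setdefault(attr.strip().lower(), []).append(value)
    return entries


def is_posix_group(group: Entry) -> bool:
    return "posixgroup" in (oc.lower() for oc in group.get("objectclass", []))


def list_members(directory: Dict[str, Entry], group_dn: str) -> List[str]:
    """Operation 1: read the group entry and return its membership values
    (uids for posixGroup, member DNs for groupOfNames)."""
    group = directory[normalize_dn(group_dn)]
    attr = "memberuid" if is_posix_group(group) else "member"
    return list(group.get(attr, []))


def compare(directory: Dict[str, Entry], dn: str, attr: str, value: str,
            match: Callable[[str, str], bool]) -> bool:
    """Mimics the LDAP Compare operation: TRUE when entry `dn` holds `value`
    in `attr` under that attribute's equality matching rule."""
    entry = directory.get(normalize_dn(dn))
    if entry is None:
        raise KeyError(f"noSuchObject: {dn}")  # what the server would return
    return any(match(stored, value) for stored in entry.get(attr.lower(), []))


def is_member(directory: Dict[str, Entry], group_dn: str, user_dn: str) -> bool:
    """Operation 2: ask the group about the user; no search over users."""
    group = directory[normalize_dn(group_dn)]
    if is_posix_group(group):
        # memberUid holds uids (caseExactIA5Match), so read the user's uid
        # from its own entry and compare that against the group.
        user = directory.get(normalize_dn(user_dn))
        if user is None or not user.get("uid"):
            return False
        return compare(directory, group_dn, "memberUid", user["uid"][0],
                       lambda a, b: a == b)
    # groupOfNames.member is DN-valued: compare under DN matching.
    return compare(directory, group_dn, "member", user_dn,
                   lambda a, b: normalize_dn(a) == normalize_dn(b))


if __name__ == "__main__":
    d = parse_ldif(SAMPLE_LDIF)
    print(list_members(d, "cn=gogo,ou=group,dc=toto,dc=fr"))
    print(is_member(d, "cn=app-users,ou=group,dc=toto,dc=fr",
                    "uid=lev,ou=staff,ou=people,dc=toto,dc=fr"))
```

Against a real server the same two calls map onto ldapsearch with a base scope on the group DN (operation 1) and ldapcompare on the group DN with `member:` or `memberUid:` (operation 2); the application never needs the reverse index that memberOf provides.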