
Re: Ldap filter to get group members



On Mon, May 14, 2012 at 08:06:41PM +0530, dhanushka ranasinghe wrote:

> I have an LDAP server and it has a group called .
> 
> cn=internal ou=group,dc=example,dc=com
> 
> --users of this group are:
> 
> uid=user1,ou=user,dc=example,dc=com
> uid=user2,ou=user,dc=example,dc=com

> I need only to authenticate the users under cn=internal ....

I assume you mean "I only want to allow users of this group to access
some resource"

> This is what we are using
> 
> (&(objectClass=groupOfNames)(memberOf=CN=internal,OU=group,DC=example,DC=com))
> 
> seems like it's not working ..
> 
> what is the LDAP search filter I need to use to get only the members of the
> cn=internal group authenticated...

I think it would be best to use several LDAP operations rather than
trying to do everything in one go. For example:

1)	Search for user:
		base: ou=user,dc=example,dc=com
		filter: (&(objectclass=account)(uid=<username>))
	If the user exists, note the DN of the entry found.

2)	Authenticate user:
		Bind as the user DN using the user-supplied password
	If this fails, deny access.

3)	Re-bind as a system user (or anon if that has enough access)

4)	Check authorisation:
		Search base: CN=internal,OU=group,DC=example,DC=com
		Search scope: base
		Filter: (member=<user DN>)
		Return attributes: cn
	If this returns an entry then the user is in the authorisation
	group and should be allowed to use the resource. Otherwise,
	deny access.

Andrew
-- 
-----------------------------------------------------------------------
|                 From Andrew Findlay, Skills 1st Ltd                 |
| Consultant in large-scale systems, networks, and directory services |
|     http://www.skills-1st.co.uk/                +44 1628 782565     |
-----------------------------------------------------------------------
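
The four steps in the reply above, as an added example that is not part of the original message. `FakeDirectory`, the service account, the `user3` entry and all passwords are constructed stand-ins for a real LDAP client and directory; the filter escaping, the single-match check and the empty-password check are additions a caller would normally want and are not stated in the reply.

```python
import re

# Constructed sample data; FakeDirectory is a hypothetical stand-in for an LDAP client.
USER_BASE = "ou=user,dc=example,dc=com"
GROUP_DN = "CN=internal,OU=group,DC=example,DC=com"
SYSTEM = ("cn=reader,dc=example,dc=com", "reader-secret")  # constructed service account

def escape_filter(value):
    """Escape RFC 4515 special characters so user input cannot alter the filter."""
    return "".join("\\%02x" % ord(c) if c in "\\*()\x00" else c for c in value)

class FakeDirectory:
    """In-memory directory that AND-matches simple (attr=value) filter items."""
    def __init__(self, entries, passwords):
        self.entries, self.passwords = entries, passwords

    def bind(self, dn, password):
        return bool(password) and self.passwords.get(dn) == password

    def search(self, base, scope, flt):
        items = [(a.lower(), re.sub(r"\\([0-9a-f]{2})", lambda m: chr(int(m.group(1), 16)), v))
                 for a, v in re.findall(r"\((\w+)=([^()]*)\)", flt)]
        return [dn for dn, attrs in self.entries.items()
                if (dn == base if scope == "base" else dn.endswith("," + base))
                and all(v in attrs.get(a, []) for a, v in items)]

def is_authorised(d, username, password):
    # 1) Search for the user; require exactly one match and note its DN.
    found = d.search(USER_BASE, "sub", "(&(objectclass=account)(uid=%s))" % escape_filter(username))
    if len(found) != 1:
        return False
    # 2) Bind as the user DN. An empty password is an unauthenticated bind
    #    (RFC 4513) that many servers accept, so refuse it before binding.
    if not password or not d.bind(found[0], password):
        return False
    # 3) Re-bind as a system user for the group lookup.
    if not d.bind(*SYSTEM):
        return False
    # 4) Base-scope search on the group entry itself for member=<user DN>.
    return bool(d.search(GROUP_DN, "base", "(member=%s)" % escape_filter(found[0])))

U1, U2, U3 = ("uid=user%d,%s" % (n, USER_BASE) for n in (1, 2, 3))
DIRECTORY = FakeDirectory(
    entries={U1: {"objectclass": ["account"], "uid": ["user1"]},
             U3: {"objectclass": ["account"], "uid": ["user3"]},
             GROUP_DN: {"cn": ["internal"], "member": [U1, U2]}},
    passwords={U1: "pw-user1", U3: "pw-user3", SYSTEM[0]: SYSTEM[1]})
```

With a real client library, `search` and `bind` map onto its search and simple-bind calls, and the library's own filter-escaping helper should replace `escape_filter`.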