[Date Prev][Date Next] [Chronological] [Thread] [Top]

do extensible (RFC 2254) ldapfilters work with OpenLdap


I use a module mod_auth_ldap with apache.

There are 3 ways (as I see it) I can use mod_auth_ldap to authenticate 
groups of users on my server. As
stated on mod_auth_ldaps homepage.
#require roomnumber "123 Center Building" In other words, restrict by 
attribute+value ( could give the members the correct value of a specified 
#require filter "(&(telephonenumber=1234)(roomnumber=123))"  in other 
words, restict via a filter
#require group cn=rcs,ou=Groups  in other words restrict via  a 
groupOfUniqueMembers objectlass entry ( could create a groupOfUniqueMembers 
entry and add dns everytime a new user is created.

I want to use the filter because then I can restrict access to a web 
directory based on the entry's DN and
will not have to add new "uniquemember" attributes a groupOfUniqueMembers 

My people entries either belong to a familiy ou or a friend ou as follows:

 dn: uid=john_doe, ou=family, dc=mydomain,dc=com
 dn: uid=john_smith, ou=friends, dc=mydomain,dc=com

I want to restrict using "filter" because, from what I can understand, 
extensible search filters should support
using part of the dn in a search

MY problem? cant get OpenLdap to understand my attempts at filters 
utilizing the DN of an entry.

RFC 2254 says . . .
extensible = attr [":dn"] [":" matchingrule] ":=" value / [":dn"] ":" 
matchingrule ":=" value
with the following example
o:dn:=Ace Industry) and following explanation
The third example denotes an equality match, except that DN components 
should be considered part of the entry when doing the match.

I have tries several things, all of which seem to cause ldapsearch to say 
"could not connect to ldapserver".
for example my filters have looked like this...


I have found one other post regarding this on this forum, which received no 
replys. I would appreciate it if anyone can either:
1. Help me to get extensible filters to work (or help me understand what it 
is I have misunderstood)
2. Recommend a better solution.

I might just be trying to make things to easy on myself. I don't 
particulary care to, everytime I ldapadd some new person, to also
have to add them to a groupOfUniqueMembers.