do extensible (RFC 2254) ldapfilters work with OpenLdap
I use a module mod_auth_ldap with apache.
There are 3 ways (as I see it) I can use mod_auth_ldap to authenticate
groups of users on my server. As
stated on mod_auth_ldap's homepage.
#require roomnumber "123 Center Building" In other words, restrict by
attribute+value ( could give the members the correct value of a specified
#require filter "(&(telephonenumber=1234)(roomnumber=123))" in other
words, restrict via a filter
#require group cn=rcs,ou=Groups in other words restrict via a
groupOfUniqueMembers objectclass entry ( could create a groupOfUniqueMembers
entry and add DNs every time a new user is created.
I want to use the filter because then I can restrict access to a web
directory based on the entry's DN and
will not have to add new "uniquemember" attributes to a groupOfUniqueMembers
My people entries either belong to a family ou or a friend ou as follows:
dn: uid=john_doe, ou=family, dc=mydomain,dc=com
dn: uid=john_smith, ou=friends, dc=mydomain,dc=com
I want to restrict using "filter" because, from what I can understand,
extensible search filters should support
using part of the dn in a search
My problem? I can't get OpenLdap to understand my attempts at filters
utilizing the DN of an entry.
RFC 2254 says . . .
extensible = attr [":dn"] [":" matchingrule] ":=" value / [":dn"] ":"
matchingrule ":=" value
with the following example
(o:dn:=Ace Industry) and following explanation
The third example denotes an equality match, except that DN components
should be considered part of the entry when doing the match.
I have tried several things, all of which seem to cause ldapsearch to say
"could not connect to ldapserver".
for example my filters have looked like this...
I have found one other post regarding this on this forum, which received no
replies. I would appreciate it if anyone can either:
1. Help me to get extensible filters to work (or help me understand what it
is I have misunderstood)
2. Recommend a better solution.
I might just be trying to make things too easy on myself. I don't
particularly care to, every time I ldapadd some new person, to also
have to add them to a groupOfUniqueMembers.
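The following is an added example, not code from OpenLDAP, Apache or the poster: a small evaluator for the RFC 2254 filter forms discussed above, including the extensible item `attr[:dn][:rule]:=value`. It shows concretely what the `:dn` flag changes: with it, the RDN components of an entry's DN (such as `ou=family`) are treated as attribute values during the match, so `(ou:dn:=family)` selects entries under `ou=family` even though they carry no `ou` attribute, while a plain `(ou=family)` selects nothing. The two entries are constructed from the DNs in the post. Assumptions: simple DNs without escaped commas, caseIgnoreMatch semantics regardless of the named rule, and no wildcard or substring items. Running an access filter through such an evaluator against the intended entries is a cheap way to confirm it grants exactly the set you expect before it goes into `require filter`.

```python
"""RFC 2254 filter evaluator with extensible ':dn' matching (added example)."""
import re

# Assumes simple DNs: no escaped or quoted commas inside RDN values.
RDN_RE = re.compile(r"\s*([^=,]+)=([^,]+)")

# Constructed sample directory, shaped like the DNs in the post.
ENTRIES = [
    {"dn": "uid=john_doe,ou=family,dc=mydomain,dc=com",
     "attrs": {"uid": ["john_doe"], "objectClass": ["person"], "roomnumber": ["123"]}},
    {"dn": "uid=john_smith,ou=friends,dc=mydomain,dc=com",
     "attrs": {"uid": ["john_smith"], "objectClass": ["person"], "roomnumber": ["123"]}},
]


def parse_dn(dn):
    """Split 'uid=x,ou=family,dc=a,dc=b' into [(attr, value), ...]."""
    return [(a.strip().lower(), v.strip()) for a, v in RDN_RE.findall(dn)]


def parse_filter(text):
    """Parse one RFC 2254 filter; return (node, unconsumed_text).

    Nodes: ('and', [..]), ('or', [..]), ('not', node),
           ('item', attr, use_dn, rule, value)
    Wildcards/substring items are not supported (treated as literal text).
    """
    text = text.lstrip()
    if not text.startswith("("):
        raise ValueError("filter must start with '('")
    body = text[1:]
    if body[0] in "&|":
        op = "and" if body[0] == "&" else "or"
        rest, kids = body[1:].lstrip(), []
        while rest.startswith("("):
            node, rest = parse_filter(rest)
            kids.append(node)
            rest = rest.lstrip()
        if not rest.startswith(")"):
            raise ValueError("missing ')' after filter list")
        return (op, kids), rest[1:]
    if body[0] == "!":
        node, rest = parse_filter(body[1:])
        if not rest.startswith(")"):
            raise ValueError("missing ')' after negated filter")
        return ("not", node), rest[1:]
    end = body.index(")")
    item, rest = body[:end], body[end + 1:]
    if ":=" in item:
        # extensible = [attr] [":dn"] [":" matchingrule] ":=" value
        lhs, value = item.split(":=", 1)
        parts = lhs.split(":")
        attr = parts[0].lower()
        flags = [p for p in parts[1:] if p]
        use_dn = any(p.lower() == "dn" for p in flags)
        rules = [p for p in flags if p.lower() != "dn"]
        return ("item", attr, use_dn, rules[0] if rules else None, value), rest
    attr, value = item.split("=", 1)
    return ("item", attr.lower(), False, None, value), rest


def evaluate(node, entry):
    """True if the entry matches the parsed filter node."""
    kind = node[0]
    if kind == "and":
        return all(evaluate(k, entry) for k in node[1])
    if kind == "or":
        return any(evaluate(k, entry) for k in node[1])
    if kind == "not":
        return not evaluate(node[1], entry)
    _, attr, use_dn, _rule, value = node
    # Candidate (attribute, value) pairs come from the entry's attributes ...
    candidates = [(a.lower(), v) for a, vals in entry["attrs"].items() for v in vals]
    if use_dn:
        # ... plus the DN components when ':dn' is present (RFC 2254 section 4).
        candidates += parse_dn(entry["dn"])
    # An empty attr (e.g. ':dn:=friends') matches against every attribute.
    # The matching rule is ignored; caseIgnoreMatch semantics are assumed.
    return any((not attr or a == attr) and v.lower() == value.lower()
               for a, v in candidates)


def matching_uids(filter_text, entries=ENTRIES):
    """Return the uids of entries selected by filter_text."""
    node, rest = parse_filter(filter_text)
    if rest.strip():
        raise ValueError("trailing text after filter: %r" % rest)
    return [e["attrs"]["uid"][0] for e in entries if evaluate(node, e)]


if __name__ == "__main__":
    for f in ["(ou=family)", "(ou:dn:=family)",
              "(&(roomnumber=123)(ou:dn:=friends))", "(!(ou:dn:=family))"]:
        print("%-40s -> %s" % (f, matching_uids(f)))
```

The interesting line is the `(ou=family)` case: it matches nothing because neither entry has an `ou` attribute of its own, which is exactly why the post reaches for the `:dn` form rather than a plain equality filter.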