
Re: memberOf as misuse of data model



Hello Howard,

> There are two common operations on a group: list all the members, and see if
> user X is a member of a group. For the first case, just retrieve the group
> entry and look at its member attribute. For the second case, just do a
> Compare on the group and test the member attribute against the user's DN.

Ok, but:

Let's say that I want to grant access to an application only for users of a
specific group: what would be the filter to use?

Another way to ask that is: what is the trick to retrieve posixAccount (or
inetOrgPerson) objects that are members of a specific posixgroup (or
groupofnames)?

Aka: if posixgroup gogo is like this

# gogo, group, toto.fr
dn: cn=gogo,ou=group,dc=toto,dc=fr
objectClass: posixGroup
gidNumber: 17000
cn: gogo
memberUid: gui
memberUid: lev

What is the filter to retrieve exactly this:

# gui, staff, people, toto.fr
dn: uid=gui,ou=staff,ou=people,dc=gui,dc=fr
cn: gui lou
givenName: Gui
homeDirectory: /home/gui
loginShell: /bin/tcsh
objectClass: top
objectClass: person
objectClass: organizationalPerson
objectClass: inetOrgPerson
objectClass: posixAccount
sn: Gui
uid: gui
uidNumber: 1041
userPassword:: e1AZE4N1k=
gidNumber: 18004

# lev, staff, people, toto.fr
dn: uid=lev,ou=staff,ou=people,dc=toto,dc=fr
cn: Lev Luv
givenName: Lev
homeDirectory: /home/lev
loginShell: /bin/bash
objectClass: top
objectClass: person
objectClass: organizationalPerson
objectClass: inetOrgPerson
objectClass: posixAccount
sn: Lev
uid: lev
uidNumber: 1041
userPassword:: eFjQVNCZEZzN1k=
gidNumber: 18004





2012/1/20 Howard Chu <hyc@symas.com>:
> Felipe Augusto van de Wiel wrote:
>>
>>
>> Hello,
>>
>> On 19-01-2012 15:14, Howard Chu wrote:
>>>
>>> Dunno. IMO most people using memberOf are misusing the data model
>>> anyway, so it's of little interest.
>>
>>
>> Out of curiosity (and because I do try to avoid misusing the data
>> model), why in your opinion memberOf represents a misuse?
>
>
> There are two common operations on a group: list all the members, and see if
> user X is a member of a group. For the first case, just retrieve the group
> entry and look at its member attribute. For the second case, just do a
> Compare on the group and test the member attribute against the user's DN.
>>
>>
>> Kind regards,
>> - --
>> Felipe Augusto van de Wiel<felipe.wiel@hpp.org.br>
>> Tecnologia da Informação (TI) - Complexo Pequeno Príncipe
>> http://www.pequenoprincipe.org.br/    T: +55 41 3310 1747
>>
>>
>
>
> --
>  -- Howard Chu
>  CTO, Symas Corp.           http://www.symas.com
>  Director, Highland Sun     http://highlandsun.com/hyc/
>  Chief Architect, OpenLDAP  http://www.openldap.org/project/
>
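
An added example, not part of the original thread or of OpenLDAP: an LDAP filter cannot join across entries, so one way to apply the two-step approach quoted above to a posixGroup is to read the group's memberUid values first and then build the filter for the account entries from them, escaping each value per RFC 4515. The function names are hypothetical, and the group entry is the one posted in the message above.

```python
import base64

# Group entry as posted in the message above (LDIF, no folded lines).
GROUP_LDIF = """\
dn: cn=gogo,ou=group,dc=toto,dc=fr
objectClass: posixGroup
gidNumber: 17000
cn: gogo
memberUid: gui
memberUid: lev
"""

def parse_ldif_entry(text):
    """Parse one unfolded LDIF entry into {lowercased attr: [values]}."""
    entry = {}
    for line in text.splitlines():
        if not line or line.startswith("#"):
            continue
        attr, sep, rest = line.partition(":")
        if not sep:
            continue
        if rest.startswith(":"):  # "attr:: value" is base64-encoded
            value = base64.b64decode(rest[1:].strip()).decode("utf-8")
        else:
            value = rest.strip()
        entry.setdefault(attr.lower(), []).append(value)
    return entry

def escape_filter_value(value):
    """Escape per RFC 4515 so a stored value cannot change the filter's structure."""
    return "".join("\\%02x" % ord(c) if c in "\\*()\x00" else c for c in value)

def members_filter(group, object_class="posixAccount"):
    """Step 2: filter matching the accounts named by the group's memberUid values."""
    uids = group.get("memberuid", [])
    if not uids:
        return None  # empty group: run no search, authorize nobody
    terms = "".join("(uid=%s)" % escape_filter_value(u) for u in uids)
    return "(&(objectClass=%s)(|%s))" % (object_class, terms)

def is_member(group, uid):
    """Local equivalent of an LDAP Compare on memberUid (case-exact match)."""
    return uid in group.get("memberuid", [])

if __name__ == "__main__":
    group = parse_ldif_entry(GROUP_LDIF)  # step 1: read the group entry
    print(members_filter(group))
    print(is_member(group, "gui"), is_member(group, "root"))
```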