
Re: LDAP search rule to find group owners



On Mon, Jan 16, 2017 at 03:21:41PM +0000, Philip Colmer wrote:

> to dn.sub="ou=groups,dc=example,dc=com" by dnattr="owner" write by set="this/owner/member & user" write by users none by * none

> Is there a way of performing an LDAP search that does the equivalent of the ACL
> (or something like it) to tell me which groups can be written to for a given
> DN?

I don't think you will be able to do that in a single LDAP operation on a standard server.
The most efficient way is probably:

	Search for all groups that the user is a member of, returning just the DN

	Search for all groups where any of those DNs are found in the owner attribute

Beware though, that if some users are members of very large numbers of groups then the
search assertion could be very large...

If you have the memberof overlay then you may be able to simplify the process
by having it maintain an 'ownerOf' attribute in the group entries. Then you could get
what you want in a single search:

	Match: (&(objectclass=groupOfNames)(member=<user DN>))
	Return: ownerOf attribute

This may return multiple entries. You just need to gather up all the ownerOf values.
To be really cute you could add the dynlist overlay to do this for you...

Andrew
-- 
-----------------------------------------------------------------------
|                 From Andrew Findlay, Skills 1st Ltd                 |
| Consultant in large-scale systems, networks, and directory services |
|     http://www.skills-1st.co.uk/                +44 1628 782565     |
-----------------------------------------------------------------------
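The two-step lookup Andrew describes, written out as an added example (not code from this thread or from OpenLDAP) against a constructed in-memory directory so it runs offline; it goes slightly beyond the post by also covering the dnattr="owner" clause of the quoted ACL and by chunking the owner search so a user in many groups does not produce one huge assertion. The sample entries, the _search stand-in and the writable_groups helper are assumptions; in practice _search would be replaced by a real search over the base shown in the ACL.

```python
from typing import Dict, List, Tuple

# Constructed sample data (not real): group DN -> attributes.
DIRECTORY: Dict[str, Dict[str, List[str]]] = {
    "cn=staff,ou=groups,dc=example,dc=com": {
        "member": ["uid=alice,ou=people,dc=example,dc=com"]},
    "cn=directors,ou=groups,dc=example,dc=com": {
        "member": ["uid=bob,ou=people,dc=example,dc=com"]},
    "cn=projects,ou=groups,dc=example,dc=com": {
        "owner": ["cn=staff,ou=groups,dc=example,dc=com"]},
    "cn=budget,ou=groups,dc=example,dc=com": {
        "owner": ["cn=directors,ou=groups,dc=example,dc=com",
                  "uid=alice,ou=people,dc=example,dc=com"]},
}

def escape_filter_value(value: str) -> str:
    """RFC 4515 escaping so a DN value cannot alter the filter's structure."""
    return "".join("\\%02x" % ord(c) if c in "\\*()\x00" else c for c in value)

def member_filter(user_dn: str) -> str:
    """Step 1: groups the user is a direct member of (returns just the DN)."""
    return "(&(objectClass=groupOfNames)(member=%s))" % escape_filter_value(user_dn)

def owner_filter(dns: List[str]) -> str:
    """Step 2: groups whose owner attribute holds any of the given DNs."""
    clauses = "".join("(owner=%s)" % escape_filter_value(d) for d in dns)
    return "(&(objectClass=groupOfNames)(|%s))" % clauses

def _search(attr: str, values: List[str]) -> List[str]:
    """Stand-in for the real LDAP search: equality match on a DN-valued attribute."""
    wanted = {v.lower() for v in values}
    return sorted(dn for dn, attrs in DIRECTORY.items()
                  if wanted & {v.lower() for v in attrs.get(attr, [])})

def writable_groups(user_dn: str, chunk: int = 2) -> Tuple[List[str], List[str]]:
    """Return (groups the ACL lets user_dn write to, filters that would be sent).

    Candidates are the user's own DN (dnattr="owner") plus the groups the user is
    in (set="this/owner/member & user"); the OR list is split into chunks so a
    user in very many groups does not produce one enormous search assertion.
    """
    filters = [member_filter(user_dn)]
    candidates = [user_dn] + _search("member", [user_dn])
    writable = set()
    for i in range(0, len(candidates), chunk):
        batch = candidates[i:i + chunk]
        filters.append(owner_filter(batch))
        writable.update(_search("owner", batch))
    return sorted(writable), filters
```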