|
|
Sponsored Content
Special Forums
UNIX and Linux Applications
LDAP Group query
Post 302949319 by jhamaks on Thursday 9th of July 2015 09:00:21 AM
07-09-2015
|
|
10 More Discussions You Might Find Interesting
1. Shell Programming and Scripting
Hi
I'm not a programmer but am muddling through as best I can. I am trying to set up a PostSearchHook for Radiator (RADIUS server), that carries out an LDAP lookup, and, based on the
string returned ("staff" or "student") in the "businessCategory" attribute, will set the $role to be either 40... (3 Replies)
Discussion started by: mikie
3 Replies
2. UNIX for Dummies Questions & Answers
I would like to do an ldap search which looks for entries which do not actually have a certain attribute. Not that the attribute is Null, but where the attribute does not exist.
Is this possible using ldapsearch? (3 Replies)
Discussion started by: dopple
3 Replies
3. Red Hat
I can't seem to make sense of this.
$ cat /etc/redhat-release
Red Hat Enterprise Linux Server release 5.2 Beta (Tikanga)
$
$ mount
/dev/sda2 on / type ext3 (rw)
proc on /proc type proc (rw)
sysfs on /sys type sysfs (rw)
devpts on /dev/pts type devpts (rw,gid=5,mode=620)
/dev/sda1 on... (6 Replies)
Discussion started by: dfinn
6 Replies
4. Emergency UNIX and Linux Support
Hi all
We have squid-2.5.STABLE11-3.FC4 running in our environment.
LDAP authentication works fine. Active Directory 2003 Users are prompted to enter credentials every time they access the net. The system works perfectly, but I need to configure Squid to block users in a specific AD group.... (1 Reply)
Discussion started by: wbdevilliers
1 Replies
5. Shell Programming and Scripting
Hi All,
I have a existing Ldap query which take a HOME as variable and gives the result where i grep for a particular line.
ldapsearch -h server_domain_name -p 389 -D "uid=user,ou=appadm,o=ent" -w PaB -b "ou=roles,o=ent" "cidx=$HOME" | grep -w "ent: xyz"
Now i have 330K Homes in a... (1 Reply)
Discussion started by: posner
1 Replies
6. Solaris
I have a test environment which is running RedHat 6.5 Identity management. On the lab network are two Solaris 10 (U11) machines. I can successfully log into the S10 machines using the ldap username/passwords. However, I have a problem with groups and although I found through an internet search one... (3 Replies)
Discussion started by: cjhilinski
3 Replies
7. Emergency UNIX and Linux Support
Hi Friends,
I have below scenarios .
dom1.test.com - LDAP
dom2.test.com - AD
Requirement is establish a trust relation between LDAP and AD server in such a way that if any user login on LDAP managed authentication server with
dom1\username -> get authenticated by LDAP host
... (2 Replies)
Discussion started by: Shirishlnx
2 Replies
8. Web Development
trying to implement authz to a webpage using require ldap-group. It works, except I need to do apachectl restart before the server will observe an add or a delete to the group.
Seems like apache is acquiring the group membership at startup & caching it.
It's a static group.
I have apache... (0 Replies)
Discussion started by: maraixadm
0 Replies
9. UNIX for Advanced & Expert Users
Has anyone attempted to define GPO / HBAC policies in Windows Server 2012 that could be respected by Kerberos/LDAP on AIX?
I'm looking to associate servers to groups so that when a user part of a group tries to login to a host not associated with that group, it would be denied. This would allow... (3 Replies)
Discussion started by: Devyn
3 Replies
10. UNIX for Advanced & Expert Users
I have an in interesting dilemna that I am trying to address. I have some ldap queries that I use to retrieve user information to perform access validations on a quarterly/annual basis. I can successfully pull the local users, and I can use ldapsearch to pull back all the users from the DN as well.... (7 Replies)
Discussion started by: dagamier
7 Replies
LEARN ABOUT CENTOS
slapo-dynlist
SLAPO-DYNLIST(5) File Formats Manual SLAPO-DYNLIST(5) NAME
slapo-dynlist - Dynamic List overlay to slapd SYNOPSIS
/etc/openldap/slapd.conf DESCRIPTION
The dynlist overlay to slapd(8) allows expansion of dynamic groups and more. Any time an entry with a specific objectClass (defined in the overlay configuration) is being returned, the LDAP URI-valued occurrences of a specific attribute (also defined in the overlay configura- tion) are expanded into the corresponding entries, and the values of the attributes listed in the URI are added to the original entry. No recursion is allowed, to avoid potential infinite loops. Since the resulting entry is dynamically constructed, it does not exist until it is constructed while being returned. As a consequence, dynamically added attributes do not participate in the filter matching phase of the search request handling. In other words, filtering for dynamically added attributes always fails. The resulting entry must comply with the LDAP data model, so constraints are enforced. For example, if a SINGLE-VALUE attribute is listed, only the first value found during the list expansion appears in the final entry. The above described behavior is disabled when the man- ageDSAit control (RFC 3296) is used. In that case, the contents of the dynamic group entry is returned; namely, the URLs are returned instead of being expanded. CONFIGURATION
The config directives that are specific to the dynlist overlay must be prefixed by dynlist-, to avoid potential conflicts with directives specific to the underlying database or to other stacked overlays. overlay dynlist This directive adds the dynlist overlay to the current database, or to the frontend, if used before any database instantiation; see slapd.conf(5) for details. This slapd.conf configuration option is defined for the dynlist overlay. It may have multiple occurrences, and it must appear after the overlay directive. dynlist-attrset <group-oc> [<URI>] <URL-ad> [[<mapped-ad>:]<member-ad> ...] The value group-oc is the name of the objectClass that triggers the dynamic expansion of the data. The optional URI restricts expansion only to entries matching the DN, the scope and the filter portions of the URI. The value URL-ad is the name of the attributeDescription that contains the URI that is expanded by the overlay; if none is present, no expansion occurs. If the intersection of the attributes requested by the search operation (or the asserted attribute for com- pares) and the attributes listed in the URI is empty, no expansion occurs for that specific URI. It must be a subtype of labele- dURI. The value member-ad is optional; if present, the overlay behaves as a dynamic group: this attribute will list the DN of the entries resulting from the internal search. In this case, the attrs portion of the URIs in the URL-ad attribute must be absent, and the DNs of all the entries resulting from the expansion of the URIs are listed as values of this attribute. Compares that assert the value of the member-ad attribute of entries with group-oc objectClass apply as if the DN of the entries resulting from the expansion of the URI were present in the group-oc entry as values of the member-ad attribute. Alternatively, mapped-ad can be used to remap attributes obtained through expansion. member-ad attributes are not filled by expanded DN, but are remapped as mapped-ad attributes. Multiple mapping statements can be used. The dynlist overlay may be used with any backend, but it is mainly intended for use with local storage backends. In case the URI expansion is very resource-intensive and occurs frequently with well-defined patterns, one should consider adding a proxycache later on in the over- lay stack. AUTHORIZATION
By default the expansions are performed using the identity of the current LDAP user. This identity may be overridden by setting the dgI- dentity attribute in the group's entry to the DN of another LDAP user. In that case the dgIdentity will be used when expanding the URIs in the object. Setting the dgIdentity to a zero-length string will cause the expansions to be performed anonymously. Note that the dgIden- tity attribute is defined in the dyngroup schema, and this schema must be loaded before the dgIdentity authorization feature may be used. If the dgAuthz attribute is also present in the group's entry, its values are used to determine what identities are authorized to use the dgIdentity to expand the group. Values of the dgAuthz attribute must conform to the (experimental) OpenLDAP authz syntax. EXAMPLE
This example collects all the email addresses of a database into a single entry; first of all, make sure that slapd.conf contains the directives: include /path/to/dyngroup.schema # ... database <database> # ... overlay dynlist dynlist-attrset groupOfURLs memberURL and that slapd loads dynlist.la, if compiled as a run-time module; then add to the database an entry like dn: cn=Dynamic List,ou=Groups,dc=example,dc=com objectClass: groupOfURLs cn: Dynamic List memberURL: ldap:///ou=People,dc=example,dc=com?mail?sub?(objectClass=person) If no <attrs> are provided in the URI, all (non-operational) attributes are collected. This example implements the dynamic group feature on the member attribute: include /path/to/dyngroup.schema # ... database <database> # ... overlay dynlist dynlist-attrset groupOfURLs memberURL member A dynamic group with dgIdentity authorization could be created with an entry like dn: cn=Dynamic Group,ou=Groups,dc=example,dc=com objectClass: groupOfURLs objectClass: dgIdentityAux cn: Dynamic Group memberURL: ldap:///ou=People,dc=example,dc=com??sub?(objectClass=person) dgIdentity: cn=Group Proxy,ou=Services,dc=example,dc=com FILES
/etc/openldap/slapd.conf default slapd configuration file SEE ALSO
slapd.conf(5), slapd-config(5), slapd(8). The slapo-dynlist(5) overlay supports dynamic configuration via back-config. ACKNOWLEDGEMENTS
This module was written in 2004 by Pierangelo Masarati for SysNet s.n.c. Attribute remapping was contributed in 2008 by Emmanuel Dreyfus. OpenLDAP 2.4.39 2014/01/26 SLAPO-DYNLIST(5)