[Freeipa-users] ldap-filter, LDAP_MATCHING_RULE_IN_CHAIN, apache 2.2

Stephen Gallagher sgallagh at redhat.com
Fri Mar 22 12:18:38 UTC 2013



On 03/21/2013 09:04 AM, Jan-Frode Myklebust wrote:
> Serverfault has a hack for supporting nested groups on
> RHEL5/apache-2.2 involving an LDAP filter using
> LDAP_MATCHING_RULE_IN_CHAIN on Active Directory, ref:
>
> http://serverfault.com/a/424706
>
> Does anybody know if a similar filter can be created for an
> IPA/389ds backend?
> 

Just as an FYI (slightly off-topic), we discovered in SSSD that the
problem with this approach on Active Directory is that the matching
rule searches are not indexed, so on large AD deployments it can take
seconds (sometimes tens of seconds) to return the results.

FreeIPA's solution is much simpler and more elegant. When group
memberships are stored in the server, we create backlinks at
save-time. All users contain an attribute 'memberOf' that
automatically handles nesting. So if GroupB is a member of GroupA and
UserC is a member of GroupB, then UserC will have:
memberOf: cn=GroupB,...
memberOf: cn=GroupA,...

So you can always get the complete list of groups a user belongs to with:
ldapsearch <connection_args> -H ldap://ipaserver.example.com \
           -b <user_dn> -s base "(objectClass=*)" memberOf


Or the complete set of users in a group with:
ldapsearch <connection_args> -H ldap://ipaserver.example.com \
           -b <user_search_base> \
           "(&(objectClass=posixAccount)(memberOf=cn=groupname,...))"
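Added example, not code from FreeIPA or the 389-ds memberOf plugin: the backlink computation the reply describes, run in Python over a constructed set of group entries, with the two ldapsearch queries above expressed as lookups on the result. The DN layout under cn=accounts is the assumed FreeIPA convention; the extra group cycle in the sample data is the case a recursive matching-rule search has to guard against.

```python
"""Compute FreeIPA-style 'memberOf' backlinks for nested groups (added example)."""
from collections import deque

SUFFIX = "dc=example,dc=com"  # constructed sample suffix


def user_dn(uid):
    return f"uid={uid},cn=users,cn=accounts,{SUFFIX}"


def group_dn(cn):
    return f"cn={cn},cn=groups,cn=accounts,{SUFFIX}"


# Constructed directory: group DN -> direct 'member' DNs (users or groups).
# GroupB is a member of GroupA and userc is a member of GroupB, as in the
# reply; GroupC closes a cycle (A -> B -> C -> A) to exercise loop handling.
GROUPS = {
    group_dn("GroupA"): [group_dn("GroupB")],
    group_dn("GroupB"): [user_dn("userc"), group_dn("GroupC")],
    group_dn("GroupC"): [group_dn("GroupA"), user_dn("userd")],
}


def member_of(groups):
    """Return {entry DN: set of group DNs} for direct and nested membership.

    From each group, walk 'member' links breadth-first and record the
    starting group on every entry reached. The 'seen' set stops the walk
    on cycles, and an entry is never recorded as a member of itself.
    """
    backlinks = {}
    for top, members in groups.items():
        seen = {top}
        queue = deque(members)
        while queue:
            dn = queue.popleft()
            if dn in seen:
                continue
            seen.add(dn)
            backlinks.setdefault(dn, set()).add(top)
            queue.extend(groups.get(dn, []))
    return backlinks


def groups_of(backlinks, dn):
    """Equivalent of the base-scope search returning 'memberOf' for one entry."""
    return sorted(backlinks.get(dn, set()))


def users_in(backlinks, group, users):
    """Equivalent of (&(objectClass=posixAccount)(memberOf=<group DN>))."""
    return sorted(u for u in users if group in backlinks.get(u, set()))
```

Because the links are materialised once at write time, both lookups are plain attribute comparisons rather than a per-query walk of the group tree.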