[Freeipa-users] Filters in bind-dyndb-ldap

Petr Spacek pspacek at redhat.com
Thu Sep 4 13:22:15 UTC 2014


On 4.9.2014 14:28, Martin Kosek wrote:
> Actually, FreeIPA & bind-dyndb-ldap use the idnszoneactive attribute (TRUE/FALSE) to
> define which zones are active and which are not.

Martin is right; I will add a couple more details about this:
The idnszoneactive attribute should work in bind-dyndb-ldap < 4.0.

Versions >= 4.0 do not support it yet. This deficiency is tracked in
https://fedorahosted.org/bind-dyndb-ldap/ticket/127

You have a couple of options as a workaround:
1) Use an older version of bind-dyndb-ldap :-)

2) Use an LDAP transformation on the server side so the server doesn't return objects
from the sub-tree with idnszoneactive attribute = FALSE.

3) Try some ACI magic on the server side so it will not return objects from the given
sub-tree if idnszoneactive = FALSE. (This seems to be the easiest option to me.)

Have a nice day!

Petr^2 Spacek

> On 09/04/2014 02:23 PM, Chris Whittle wrote:
>> Look at nsaccountlock if it's TRUE then they are disabled.
>>
>>
>>
>> On Thu, Sep 4, 2014 at 7:20 AM, Sebastian Leitz <sebastian.leitz at etes.de>
>> wrote:
>>
>>> Hello,
>>>
>>> I am trying to use bind-dyndb-ldap to connect my BIND to an LDAP server
>>> for zones. I have a tiny question regarding this and both the project
>>> website and the kind people on #freeipa IRC directed me to this list. I
>>> hope someone is here who can answer my question. Sorry for intruding if I'm
>>> not asking in the correct place.
>>>
>>> For technical reasons we need to be able to filter zones in LDAP according
>>> to some flags, e.g. 'enabled'.
>>> Other services usually provide a config option to include LDAP search
>>> filters in every query, like
>>>
>>> ldap_search_filter = (enabled=1)
>>>
>>> Unfortunately, I can't find anything like this in the README file of
>>> bind-dyndb-ldap. Does anybody know of a way to pass a search filter to LDAP?
>>>
>>> Thanks in advance,
>>>
>>> Sebastian
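As an added illustration of the "ACI magic" workaround (option 3 above), and not part of the thread or of the bind-dyndb-ldap project: the following 389-ds / FreeIPA-style ACI denies the DNS service account read, search and compare rights on any entry whose idnszoneactive is FALSE, so the zone entry never reaches BIND. The container DN, the bind DN of the BIND service account and the ACI name are assumptions for the example; substitute the real DNs from your directory.

```ldif
# Added example; assumed DNs. Apply with ldapmodify as Directory Manager.
# Deny the BIND service account any visibility of zone entries marked inactive.
# Note that targetfilter is evaluated per entry: only entries that themselves
# carry idnszoneactive=FALSE are hidden, not the record entries beneath them.
dn: cn=dns,dc=example,dc=com
changetype: modify
add: aci
aci: (targetfilter="(idnszoneactive=FALSE)")
  (version 3.0; acl "hide inactive DNS zones from BIND (example)";
  deny (read,search,compare)
  userdn="ldap:///uid=bind,cn=sysaccounts,cn=etc,dc=example,dc=com";)
```

Before relying on this, verify the effect from the service account's point of view, for example with ldapsearch bound as that account over a base of cn=dns,dc=example,dc=com and a filter of (objectClass=idnsZone); zones with idnszoneactive=FALSE should no longer be listed, while active zones still are. A deny ACI takes precedence over any allow ACI in 389-ds, so it will also win against the broad read rights FreeIPA grants to DNS service principals.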
