[Freeipa-users] Filters in bind-dyndb-ldap

Sebastian Leitz sebastian.leitz at etes.de
Thu Sep 4 13:37:53 UTC 2014


Thanks, Martin and Petr, for your comments and the workaround. As we're internally still on an old version of bind-dyndb-ldap I can actually use the LDAP attribute to achieve what I desire. Yeah!

As for the future, I opened https://bugzilla.redhat.com/show_bug.cgi?id=1138317, if anybody is interested to upvote :-)

-----Original Message-----
> From: Petr Spacek <pspacek at redhat.com>
> Sent: Thu 4 September 2014 15:23
> To: freeipa-users at redhat.com
> Subject: Re: [Freeipa-users] Filters in bind-dyndb-ldap
> 
> On 4.9.2014 14:28, Martin Kosek wrote:
> > Actually, FreeIPA&bind-dyndb-ldap use idnszoneactive attribute (TRUE/FALSE) to
> > define which zones are active and which are not.
> 
> Martin is right, I will add a couple more details about this:
> idnszoneactive attribute should work in bind-dyndb-ldap < 4.0.
> 
> Versions >= 4.0 do not support it yet. This deficiency is tracked in 
> https://fedorahosted.org/bind-dyndb-ldap/ticket/127
> 
> You have a couple of options as a workaround:
> 1) Use an older version of bind-dyndb-ldap :-)
> 
> 2) Use LDAP transformation on server side so the server doesn't return objects 
> from sub-tree with idnszoneactive attribute = FALSE.
> 
> 3) Try some ACI magic on server side so it will not return objects from given 
> sub-tree if idnszoneactive = FALSE. (This seems to be easiest option to me.)
> 
> Have a nice day!
> 
> Petr^2 Spacek
> 
> > On 09/04/2014 02:23 PM, Chris Whittle wrote:
> >> Look at nsaccountlock if it's TRUE then they are disabled.
> >>
> >>
> >>
> >> On Thu, Sep 4, 2014 at 7:20 AM, Sebastian Leitz <sebastian.leitz at etes.de>
> >> wrote:
> >>
> >>> Hello,
> >>>
> >>> I am trying to use bind-dyndb-ldap to connect my BIND to an LDAP server
> >>> for zones. I have a tiny question regarding this and both the project
> >>> website and the kind people on #freeipa IRC directed me to this list. I
> >>> hope someone is here who can answer my question. Sorry for intruding if I'm
> >>> not asking in the correct place.
> >>>
> >>> For technical reasons we need to be able to filter zones in LDAP according
> >>> to some flags, e.g. 'enabled'.
> >>> Other services usually provide a config option to include LDAP search
> >>> filters in every query, like
> >>>
> >>> ldap_search_filter = (enabled=1)
> >>>
> >>> Unfortunately, I can't find anything like this in the README file of
> >>> bind-dyndb-ldap. Does anybody know of a way to pass a search filter to LDAP?
> >>>
> >>> Thanks in advance,
> >>>
> >>> Sebastian
> 

-- 
Sebastian Leitz               Mail : sebastian.leitz at etes.de
ETES GmbH                     Phone: +49 (7 11) 48 90 83 - 14
Gablenberger Hauptstrasse 32  Fax  : +49 (7 11) 48 90 83 - 50
D-70186 Stuttgart             Web  : http://www.etes.de/

Commercial register: Amtsgericht Stuttgart HRB 721182
Managing Partner: Markus Espenhain
Registered office: Stuttgart
VAT ID No.: DE814767446
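
An added example, not part of the original thread or of bind-dyndb-ldap: a check for the server-side workarounds (options 2 and 3) that compares what the DNS service account can read against an administrator's view and reports anything still visible at or below a zone with idnsZoneActive = FALSE. The DNs, the dictionaries and the function names are constructed for illustration; in practice both views would come from LDAP searches run under the two identities.

```python
import re

def norm_dn(dn):
    """Lower-case a DN and trim spaces around unescaped RDN separators."""
    parts = re.split(r'(?<!\\),', dn)
    return ",".join(p.strip().lower() for p in parts)

def inactive_zones(admin_view):
    """Normalized DNs of entries whose idnsZoneActive value is FALSE."""
    zones = set()
    for dn, attrs in admin_view.items():
        lowered = {k.lower(): v for k, v in attrs.items()}  # attribute names are case-insensitive
        if "FALSE" in (v.upper() for v in lowered.get("idnszoneactive", [])):
            zones.add(norm_dn(dn))
    return zones

def leaked_entries(admin_view, service_dns):
    """DNs the service account sees although they sit at or below a disabled zone."""
    disabled = inactive_zones(admin_view)
    leaked = []
    for dn in service_dns:
        n = norm_dn(dn)
        # Match the zone entry itself or a true descendant; the leading comma
        # keeps "xdisabled.test" from matching "disabled.test".
        if any(n == z or n.endswith("," + z) for z in disabled):
            leaked.append(dn)
    return sorted(leaked)

# Constructed sample data (hypothetical base DN and zones).
BASE = "cn=dns,dc=example,dc=test"
ADMIN_VIEW = {
    f"idnsName=active.test,{BASE}": {"idnsZoneActive": ["TRUE"]},
    f"idnsName=www,idnsName=active.test,{BASE}": {"aRecord": ["192.0.2.10"]},
    f"idnsName=disabled.test,{BASE}": {"idnszoneactive": ["false"]},
    f"idnsName=www,idnsName=disabled.test,{BASE}": {"aRecord": ["192.0.2.20"]},
    f"idnsName=xdisabled.test,{BASE}": {"idnsZoneActive": ["TRUE"]},
}
# What the service account sees with no server-side restriction in place.
SERVICE_VIEW_BEFORE = list(ADMIN_VIEW)
# What it should see once the restriction hides the disabled sub-tree.
SERVICE_VIEW_AFTER = [dn for dn in ADMIN_VIEW if "=disabled.test," not in dn]

if __name__ == "__main__":
    for dn in leaked_entries(ADMIN_VIEW, SERVICE_VIEW_BEFORE):
        print("still visible:", dn)
```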




