List:       sssd-users
Subject:    [SSSD-users] Re: How to match multiple access filter for a uid
From:       Asif Iqbal <vadud3 () gmail ! com>
Date:       2017-11-08 20:46:30
Message-ID: CAOHBbgVeaoq=t2NgCrxrr17hsRKBemByT7CrerRGRUYT3EakQg () mail ! gmail ! com

On Wed, Nov 8, 2017 at 3:39 PM, Sumit Bose <sbose@redhat.com> wrote:

> On Wed, Nov 08, 2017 at 02:39:46PM -0500, Asif Iqbal wrote:
> > On Thu, Nov 2, 2017 at 12:05 PM, Asif Iqbal <vadud3@gmail.com> wrote:
> >
> > > Hi
> > >
> > > I'd like to authenticate a user based on uid if it meets the following two
> > > requirements
> > >
> > > ldap_search_base = ou=People,dc=mnet,dc=qintra,dc=com
> > > ldap_access_order = filter
> > > ldap_access_filter = objectClass=mnetPerson
> > >
> > > and
> > >
> > > ldap_search_base = ou=ACL Groups,ou=Groups,dc=mnet,dc=qintra,dc=com
> > > ldap_access_filter = (&(cn=jumpstation)(uniquemember=<dn of uid>))
>
> It looks like you want that the user is a member of a group called
> jumpstation? Does your user object have memberOf (or similar) attributes
> which you can check together with objectClass=mnetPerson ?
>
> bye,
> Sumit


No, there is no object like that. That would make it super easy with one
filter using (&(..)(..))

This group definition, as you noticed, is on a different base DN also.

So I will need some kind of nested filter with multiple base DNs.




-- 
Asif Iqbal
PGP Key: 0xE62693C5 KeyServer: pgp.mit.edu
A: Because it messes up the order in which people normally read text.
Q: Why is top-posting such a bad thing?
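
Added example, not part of the original thread and not the posters' configuration: ldap_access_filter is evaluated against the user's own entry, so a group entry under a different base cannot be reached from it. One way to express both requirements in sssd.conf is to make objectClass=mnetPerson part of user resolution and let the simple access provider check group membership. Assumptions: the domain name, ldap_uri and ldap_group_object_class values are placeholders, and the jumpstation entry must be resolvable by SSSD as a group (in a POSIX domain that means it carries a gidNumber).

```ini
# Added example. Values marked "placeholder" or "assumption" are not from the thread.
[domain/mnet]
id_provider = ldap
auth_provider = ldap
# placeholder server URI
ldap_uri = ldap://ldap.example.com

# Group members are stored as DNs (uniquemember=<dn of uid>), so use the
# DN-based schema and point the member attribute at uniqueMember.
ldap_schema = rfc2307bis
ldap_group_member = uniqueMember

# Requirement 1: only entries under ou=People with objectClass=mnetPerson
# are resolved as users at all.
ldap_user_search_base = ou=People,dc=mnet,dc=qintra,dc=com
ldap_user_object_class = mnetPerson

# Requirement 2: groups live under a separate base DN.
ldap_group_search_base = ou=ACL Groups,ou=Groups,dc=mnet,dc=qintra,dc=com
# assumption: object class of the jumpstation entry; adjust to the directory
ldap_group_object_class = groupOfUniqueNames

# Access decision: allow only members of the jumpstation group. This replaces
# access_provider = ldap with ldap_access_order = filter.
access_provider = simple
simple_allow_groups = jumpstation
```

After restarting sssd, `id <user>` should list jumpstation for an allowed account; if the group does not show up there, the simple provider will deny access.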
