Re: Search Filter by Group


 



This is what the memberOf overlay is used for. However, it doesn't work with posixGroup out of the gate. In order to use memberOf and posixGroup you need to use the draft bis schema.

memberOf allows your user record to report group membership.

Without it you must query the group directly for memberUid's.

The bis draft schema should be available here: /usr/share/dirsrv/data/10rfc2307bis.ldif

Replace your 10rfc2307.ldif in /etc/dirsrv/schema/ and /etc/dirsrv/slapd-instance/schema.

Your groups should have objectclass groupOfNames,
and then you can add users to groups using member: uid=$uid,ou=People,dc=example,dc=com
instead of memberuid: $uid.

Then, when you query a user it will show its group membership with memberof attributes.


https://access.redhat.com/documentation/en-US/Red_Hat_Directory_Server/8.2/html/Administration_Guide/Advanced_Entry_Management.html

________________________________________
From: saul.cisneros@xxxxxxxxx <saul.cisneros@xxxxxxxxx>
Sent: Tuesday, May 2, 2017 9:11 AM
To: 389-users@xxxxxxxxxxxxxxxxxxxxxxx
Subject: [389-users] Search Filter by Group

Hi all,

I'm new to this list and 389 Directory. I have what I think is a simple question but I've spent a couple of days looking for this answer without success. It could be I'm asking the wrong question. I have a 389 installation which an application will use to authenticate a pool of users. I was able to successfully configure the LDAP admin user to connect and pull the list of users (ou=mygroup, dc=domain) but the problem comes up when I want to narrow the list of possible users. Meaning, only allowing members of a certain group to be queried and authenticated against.

I'm generally new to directory services, though I have some experience with managing users through MS AD. The ou=group which contains the memberUid's is directly above the group and users which I'm able to successfully pull. For example, the location I need to filter users from is cn=myusergroup,ou=groups. The cn=myusergroup entry has a drop down field called memberUid which contains the members of the group. Getting the list of these users to work in a search filter is the problem I'm having.

The individual entries for each user are sparsely populated with fields and don't contain samaccountname but use UID instead. As I understand this is not a problem. Also, in each user entry there are no references to the group which they are a part of.

I'm using ldapsearch to test the search filters and Apache Directory Studio to browse the directory. In my last experience in MS AD, I believe I just added the group attributes in each user entry as needed. Though, I'm new to 389 and want to do best practices as opposed to workarounds.

Any advice you could give, and/or recommended references, is very much appreciated. The documentation I've found so far doesn't seem to connect.

-Saul
_______________________________________________
389-users mailing list -- 389-users@xxxxxxxxxxxxxxxxxxxxxxx
To unsubscribe send an email to 389-users-leave@xxxxxxxxxxxxxxxxxxxxxxx

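The approach discussed in this thread, as an added example that is not part of the original messages: it builds the LDIF that turns memberUid values into member DNs, the memberOf search filter an authenticating application would use, and the memberUid fallback filter, escaping user input per RFC 4515/4514. The base DNs, group DN and all function names are assumptions made for illustration.

```python
# Added example; DNs below are constructed sample values, not from a real directory.
PEOPLE_BASE = "ou=People,dc=example,dc=com"
GROUP_DN = "cn=myusergroup,ou=groups,dc=example,dc=com"

def escape_filter(value):
    """Escape a value for use inside an LDAP search filter (RFC 4515)."""
    return "".join("\\%02x" % ord(c) if c in "\\*()\x00" else c for c in value)

def escape_rdn(value):
    """Escape an attribute value for use inside a DN (RFC 4514)."""
    out = []
    for i, c in enumerate(value):
        if c == "\x00":
            out.append("\\00")
        elif (c in ',+"\\<>;=' or (i == 0 and c in " #")
              or (i == len(value) - 1 and c == " ")):
            out.append("\\" + c)
        else:
            out.append(c)
    return "".join(out)

def member_ldif(group_dn, member_uids):
    """LDIF modify that adds one member: DN per former memberUid value.

    Assumes the group entry already carries objectclass groupOfNames and
    that uids are plain ASCII (other values would need base64 LDIF encoding).
    """
    lines = ["dn: " + group_dn, "changetype: modify", "add: member"]
    lines += ["member: uid=%s,%s" % (escape_rdn(u), PEOPLE_BASE)
              for u in member_uids]
    return "\n".join(lines) + "\n"

def login_filter(uid, group_dn=GROUP_DN):
    """With memberOf: match the user only if the entry lists the group."""
    return "(&(uid=%s)(memberOf=%s))" % (escape_filter(uid),
                                         escape_filter(group_dn))

def memberuid_filter(member_uids):
    """Without memberOf: OR together uids read from the group's memberUid.

    An empty group yields a filter that matches nothing, so an empty
    member list can never widen access to every user.
    """
    if not member_uids:
        return "(!(objectClass=*))"
    return "(|%s)" % "".join("(uid=%s)" % escape_filter(u) for u in member_uids)

if __name__ == "__main__":
    print(member_ldif(GROUP_DN, ["alice", "bob"]))
    print(login_filter("alice"))
    print(memberuid_filter(["alice", "bob"]))
```

The `login_filter` output is what would be passed to ldapsearch or configured as the application's user search filter once memberOf is populated.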



