memberOf values from inherited groups and roles / filtering

I'm very new to LDAP and trying to set up an inherited model for user logins with access levels specific to department, etc.

Example schema would look like this:

    DN: dc=domain,dc=com

      /cn=people           (groupOfNames)
        /joe               (inetOrgPerson)
        /alex              (inetOrgPerson)
        /nick              (inetOrgPerson)
        /boss              (inetOrgPerson)
        /qaJane            (inetOrgPerson)
        /analystBob        (inetOrgPerson)

      /ou=groups           (organizationalUnit)
        /developers        (groupOfNames)
          member: uid=joe,cn=people,dc=domain,dc=com
          member: uid=nick,cn=people,dc=domain,dc=com

        /testers           (groupOfNames)
          member: uid=qaJane,cn=people,dc=domain,dc=com

        /projectManagers   (groupOfNames)
          member: uid=alex,cn=people,dc=domain,dc=com

        /analysts          (groupOfNames)
          member: uid=boss,cn=people,dc=domain,dc=com
          member: uid=analystBob,cn=people,dc=domain,dc=com

      /ou=applications     (organizationalUnit)
        /gitlab            (groupOfNames)
          member: cn=developers,ou=groups,dc=domain,dc=com
          member: cn=projectManagers,ou=groups,dc=domain,dc=com

        /redmine           (groupOfNames)
          member: cn=testers,ou=groups,dc=domain,dc=com
          member: cn=developers,ou=groups,dc=domain,dc=com
          member: cn=projectManagers,ou=groups,dc=domain,dc=com

        /nfs               (groupOfNames)
          member: cn=analysts,ou=groups,dc=domain,dc=com
          member: cn=projectManagers,ou=groups,dc=domain,dc=com

In short, it could be described like this:

  • Many users
  • Few groups (developer, manager, analyst, boss, etc.)
  • Some groups include other groups (i.e. projectManagers are included in developers)
  • Few applications.
  • Applications include groups and / or users
  • What is a proper way to make a user search for login that considers user inheritance between all groups?

    I.e. if I want to log a user into gitlab, a filter like this would work only for direct inclusion (if the user is included directly in the object that I filter against), but it won't work for group inclusion: (&(objectClass=inetOrgPerson)(memberOf=cn=redmine,ou=applications,dc=domain,dc=com))


    You will need to perform a search similar to:

    (&(objectClass=user)(memberOf:1.2.840.113556.1.4.1941:=cn=redmine,ou=applications,dc=domain,dc=com))

    From Active Directory Group Related Searches
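Added example, not code from the question or the answer: the OID 1.2.840.113556.1.4.1941 in the answer is Active Directory's LDAP_MATCHING_RULE_IN_CHAIN, which resolves nesting on the server; other directories such as OpenLDAP with the memberOf overlay record only direct membership, so the application has to walk the member chain itself. The script below does that walk over a constructed in-memory copy of the question's tree (all DNs assumed from the schema above, function names are my own), checks login rights per application, terminates on a membership cycle, and builds the answer's AD filter with the required `:=` and RFC 4515 value escaping so a DN containing `(`, `)`, `*` or `\` cannot break or reshape the filter.

```python
"""Nested (transitive) LDAP group membership, resolved client-side.

Added example; the directory below is a constructed in-memory copy of the
question's schema, not data from a real server.  Active Directory can do this
server-side with matching rule 1.2.840.113556.1.4.1941 (the answer's filter);
the OpenLDAP memberOf overlay only records direct membership, so the
application has to walk the member chain itself, as done here.
"""
from collections import deque

# Constructed sample: group DN -> member DNs, mirroring the question's tree.
PEOPLE = "cn=people,dc=domain,dc=com"
GROUPS = "ou=groups,dc=domain,dc=com"
APPS = "ou=applications,dc=domain,dc=com"

DIRECTORY = {
    f"cn=developers,{GROUPS}": [f"uid=joe,{PEOPLE}", f"uid=nick,{PEOPLE}"],
    f"cn=testers,{GROUPS}": [f"uid=qaJane,{PEOPLE}"],
    f"cn=projectManagers,{GROUPS}": [f"uid=alex,{PEOPLE}"],
    f"cn=analysts,{GROUPS}": [f"uid=boss,{PEOPLE}", f"uid=analystBob,{PEOPLE}"],
    f"cn=gitlab,{APPS}": [f"cn=developers,{GROUPS}", f"cn=projectManagers,{GROUPS}"],
    f"cn=redmine,{APPS}": [f"cn=testers,{GROUPS}", f"cn=developers,{GROUPS}",
                           f"cn=projectManagers,{GROUPS}"],
    f"cn=nfs,{APPS}": [f"cn=analysts,{GROUPS}", f"cn=projectManagers,{GROUPS}"],
}


def member_of_index(directory):
    """Invert group -> members into member -> groups (what memberOf stores)."""
    index = {}
    for group_dn, members in directory.items():
        for member_dn in members:
            index.setdefault(member_dn, set()).add(group_dn)
    return index


def all_groups_of(dn, directory=DIRECTORY):
    """Every group reachable from `dn` through any depth of nesting.

    Breadth-first walk over the memberOf index; the `seen` set makes a
    membership cycle (A in B, B in A) terminate instead of looping forever.
    """
    index = member_of_index(directory)
    seen = set()
    queue = deque(index.get(dn, ()))
    while queue:
        group_dn = queue.popleft()
        if group_dn in seen:
            continue
        seen.add(group_dn)
        queue.extend(index.get(group_dn, ()))
    return seen


def can_login(user_dn, app_dn, directory=DIRECTORY):
    """Authorization check: is the user a direct or nested member of the app group?"""
    return app_dn in all_groups_of(user_dn, directory)


def escape_filter_value(value):
    """RFC 4515 escaping for a value placed inside a search filter.

    Without this, a DN or username containing ( ) * or a backslash would
    break the filter, or let a caller reshape it (LDAP filter injection).
    """
    # Backslash first, so the escapes added below are not escaped again.
    for raw, esc in (("\\", r"\5c"), ("*", r"\2a"), ("(", r"\28"),
                     (")", r"\29"), ("\x00", r"\00")):
        value = value.replace(raw, esc)
    return value


def in_chain_filter(group_dn, object_class="user"):
    """Active Directory-only filter from the answer (LDAP_MATCHING_RULE_IN_CHAIN).

    An extensible match is written attr:OID:=value; the ':=' is required.
    """
    return (f"(&(objectClass={object_class})"
            f"(memberOf:1.2.840.113556.1.4.1941:={escape_filter_value(group_dn)}))")


if __name__ == "__main__":
    for uid in ("joe", "alex", "qaJane", "boss"):
        user = f"uid={uid},{PEOPLE}"
        apps = sorted(g for g in all_groups_of(user) if g.endswith(APPS))
        print(uid, "->", [a.split(",")[0] for a in apps])
    print(in_chain_filter(f"cn=redmine,{APPS}"))
```

The walk is the same whether a user is listed directly under an application entry or only through a nested group, which covers the "applications include groups and / or users" case from the question; on a real server the index would come from one search for `(member=*)` over the group and application subtrees rather than from the constant above.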
