LDAP group search filter setup

I was wondering if some one could show me an example of the correct way to setup a group search filter for LDAP that would use the members of one particular group as the users for the wildfire server

Thank You

Tammy

Here's what I do using Active Directory:

[code]cn member description <![CDATA[
      (&
           (objectClass=group)
           (memberOf=CN=JabberAccess,OU=Groups,DC=example,DC=com)
           (member=)
      )]]>[/code]

In English:

  1. Only users of the JabberAccess security group can login to Wildfire

  2. Only groups that are a member of the JabberAccess security group are populated as shared groups in Wildfire

In practice:

To add a new department to Jabber, I add all of the users to the JabberAccess group and then also add their department's security group to the JabberAccess group. That way I can manage everything from AD. The only catch is that you have to login to the Wildfire admin console to enable sharing for the new group. I've submitted a feature request to allow autosharing of LDAP groups. To help support the request, go vote for JM-193.

hrothgar,

Thanks very much. Excellent stuff. Implementing now.

The original poster might want to mark this question as “answered”.

Peace. Love. Linux.

xmpp:jason@sjobeck.com

hrothgar;

Excellent stuff… thanks

This will eliminate a lot of erroneous accounts in Wildfire.

thanks again

loonybin88

Tammy,

if you need one for eDirectory instead of AD, let me know I have one for LDAP eDir.

Jeff

I'm using eDir, so if you can post what you've got, I'd appreciate being able to compare notes.

Thanks!

Jeff

This is to allow users that have the attribute to log in. With a minor change to the class it should allow you to do the shared groups.

Jeff

Any idea why, when I add the recommendation above, I can't login to the admin anymore? My AdminDN and everything is still there. I just copied the part from the top over my USERNAMEFIELD and changed to our domain?

The administrator account is in the JabberAccess group too.

Yes, it specifically looks at the LDAP for users. admin is local and will not be able to log in.

Sorry, to be more specific. This is a limiting search. If admin is not in the group specified then it will not log in. That was the idea when the other admin and I came up with it. We have one group in eDir with one attribute that allows them to login. This filter only allows those users access.

Jeff

Message was edited by: jeff_garner
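To see what hrothgar's group filter returns, and why Jeff's admin lockout happens, here is an added example (my own code, not from the thread, Wildfire or any poster): a small evaluator for the RFC 4515 filter subset used above, run over a constructed directory snapshot. It assumes the truncated (member=) clause is a presence test, (member=*), and the user-login filter and example.com entries are my own constructions; escape() shows why a login name must be escaped before it is spliced into such a filter.

```python
import re

JABBER, SALES = "CN=JabberAccess,OU=Groups,DC=example,DC=com", "CN=Sales,OU=Groups,DC=example,DC=com"
TAMMY, BOB = "CN=tammy,OU=Users,DC=example,DC=com", "CN=bob,OU=Users,DC=example,DC=com"

# Constructed directory snapshot (example.com is a placeholder): attribute names lower-cased, values as lists.
DIRECTORY = [
    {"dn": [JABBER], "objectclass": ["group"], "member": [SALES, TAMMY]},
    {"dn": [SALES], "objectclass": ["group"], "memberof": [JABBER], "member": [TAMMY]},   # nested in JabberAccess
    {"dn": [TAMMY], "objectclass": ["user"], "cn": ["tammy"], "memberof": [JABBER, SALES]},
    {"dn": [BOB], "objectclass": ["user"], "cn": ["bob"]},                                 # never added to JabberAccess
]

def parse(s, i=0):
    """Parse (&..), (|..), (attr=value) or (attr=*) at s[i]; return (node, index past its ')')."""
    if s[i] != "(":
        raise ValueError("expected '(' at offset %d" % i)
    if s[i + 1] in "&|":
        op, kids, i = s[i + 1], [], i + 2
        while s[i] != ")":
            node, i = parse(s, i)
            kids.append(node)
        return (op, kids), i + 1
    j = s.index(")", i)
    attr, _, value = s[i + 1:j].partition("=")
    return ("=", attr.lower(), value), j + 1

def matches(node, entry):
    """Evaluate a parsed filter against one entry; string and DN matching ignore case, as in AD."""
    if node[0] in "&|":
        return (all if node[0] == "&" else any)(matches(k, entry) for k in node[1])
    values = [v.lower() for v in entry.get(node[1], [])]
    if node[2] == "*":                       # presence test, e.g. (member=*)
        return bool(values)
    wanted = re.sub(r"\\([0-9a-f]{2})", lambda m: chr(int(m.group(1), 16)), node[2], flags=re.I)
    return wanted.lower() in values

def search(filter_text, directory=DIRECTORY):
    """DNs of the entries matching filter_text, like an LDAP search over the base DN."""
    text = re.sub(r"\s*([()])\s*", r"\1", filter_text)   # drop the layout whitespace of a multi-line filter
    node, _ = parse(text)
    return [e["dn"][0] for e in directory if matches(node, e)]

def escape(value):
    """RFC 4515 escaping for a value spliced into a filter, so a login name like '*' stays literal."""
    return "".join("\\%02x" % ord(c) if c in "*()\\\x00" else c for c in value)
GROUP_FILTER = "(&\n  (objectClass=group)\n  (memberOf=%s)\n  (member=*)\n)" % JABBER   # hrothgar's shape
USER_FILTER = "(&(objectClass=user)(memberOf=%s)(cn=%%s))" % JABBER                      # assumed login filter
def can_log_in(username):
    return bool(search(USER_FILTER % escape(username)))   # a local-only 'admin' has no entry, so False
```

search(GROUP_FILTER) returns only the Sales group (JabberAccess itself has no memberOf, so it is not listed), and can_log_in("admin") is False because the console account exists only in Wildfire, exactly the lockout Jeff describes.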

Hello.

Do you know how to do the same with OpenLDAP?

Thanks for all this very useful information.