From: Adi K. <Kri...@vr...> - 2006-10-10 06:57:53
Hi!

Find a fix to that problem attached...

-- Adi

=====

On Thursday 21 September 2006 09:14, Adi Kriegisch wrote:
> Hi!
>
> > you are absolutely right, I will fix that the next days.
>
> Thanks a lot, Ralf!
>
> -- Adi
>
> =====
>
> > Adi Kriegisch wrote:
> > > Hi!
> > >
> > > I am having troubles with the ldap search filter for user accounts (in
> > > setup - current configuration).
> > > The default filter is "(uid=%user)" which leads to display all accounts
> > > available in my ldap tree.
> > > My ldap tree looks like the following:
> > > Users \
> > >       + FormerUsers (containing all former users)
> > >       + SambaMachines (containing all machine accounts)
> > >       + ... (*)
> > >       (all active users -- that should be able to use egw as well)
> > >
> > > (* some restricted user classes - like users for certain web services
> > > and so on)
> > >
> > > On Debian systems it is possible to use different configurations for
> > > pam-ldap and nss-ldap. The main difference on my machines is that
> > > pam-ldap is configured with an ldap scope of ONE (on Users) to only
> > > allow active users to log on whereas nss-ldap is configured with a
> > > scope of SUB to, for example, display ownership on files created by
> > > former users correctly (samba relies on getting machine accounts with
> > > "getent passwd" as well...)
> > >
> > > Furthermore all users have a "status" tag set in ldap: status=A for
> > > active users. When extending the search filter for accounts with this
> > > "(uid=%user) (status=A)"(+++) it behaves correctly in the sense of
> > > authentication but not in displaying the accounts.
> > > The search string used throughout all the other places where user
> > > accounts are required (like in account management, selecting accounts
> > > as participants in calendar and so on) is
> > > "(&(objectclass=posixaccount))".
> > >
> > > IMHO this behavior is not entirely correct: The search filter for all
> > > user accounts should be composed the very same way it is done for one
> > > account -- except for one difference: "*" should be used instead of the
> > > username... In my case it should be:
> > > "(&(objectclass=posixaccount)(uid=*)(status=A))"
> > >
> > > What do you think about this? Is it possible to add that behavior to
> > > EGW? IMO it should not break a thing as "uid" is required for
> > > objectclass posixaccount so when using "*" the very same results should
> > > get reported back which means that no existing installations are
> > > affected... (and -- of course -- my problem is gone! ;-)
> > >
> > > -- Adi
> > >
> > > (+++) EGW composes the search filter in the following
> > > way: "(&(objectclass=posixaccount)" + search string + ")" -- that way
> > > it is not required to enter a search string like
> > > "(&(uid=%user)(status=A))" because egw does all that for us... ;-)

--
-----------------------------------------------------
Adi Kriegisch, System Administrator
VRVis Forschungs-GmbH, www.VRVis.at
mail: kri...@vr..., tel +43(0)1 20501 30301
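
The filter composition proposed in the quoted message, as an added example that is not part of the original thread and is not eGroupWare code. The function names, the sample entries and the small evaluator are assumptions for illustration; escaping the login name per RFC 4515 goes beyond what the mail describes and is included so that a login name of "*" cannot act as the list-all wildcard.

```python
import re
from typing import Optional

OBJECTCLASS = "(objectclass=posixaccount)"
TEMPLATE = "(uid=%user)(status=A)"  # search string quoted in the mail

# Constructed sample entries; "status: X" for a former user is an assumption.
ENTRIES = [
    {"objectclass": "posixaccount", "uid": "alice", "status": "A"},
    {"objectclass": "posixaccount", "uid": "bob", "status": "X"},
    {"objectclass": "posixaccount", "uid": "pc01$"},  # machine account
]

def escape_value(value: str) -> str:
    """Escape RFC 4515 special characters so a login name is matched literally."""
    return "".join("\\%02x" % ord(c) if c in "\\*()\x00" else c for c in value)

def compose_filter(template: str, user: Optional[str] = None) -> str:
    """Build "(&(objectclass=posixaccount)" + search string + ")".

    user=None yields the list-all filter: %user becomes the wildcard "*".
    """
    value = "*" if user is None else escape_value(user)
    return "(&" + OBJECTCLASS + template.replace("%user", value) + ")"

def _unescape(value: str) -> str:
    return re.sub(r"\\([0-9a-fA-F]{2})", lambda m: chr(int(m.group(1), 16)), value)

def search(entries, ldap_filter: str):
    """Tiny evaluator for AND-of-equality filters only; returns matching uids."""
    terms = re.findall(r"\(([^=()&]+)=([^()]*)\)", ldap_filter)
    hits = []
    for entry in entries:
        ok = True
        for attr, value in terms:
            have = entry.get(attr.lower())
            if value == "*":
                ok = ok and have is not None  # presence test
            else:
                ok = ok and have is not None and have.lower() == _unescape(value).lower()
        if ok:
            hits.append(entry["uid"])
    return hits

if __name__ == "__main__":
    print(compose_filter(TEMPLATE))
    print(search(ENTRIES, compose_filter(TEMPLATE)))
```

With the fixed string "(&(objectclass=posixaccount))" the same evaluator returns all three constructed entries, which is the listing behaviour the mail reports.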