
Search for user in group via LDAP

Hi All,


I've got LDAP set up on my Mac mini server with OD. Right now I've got users set up in multiple groups for file sharing privileges via Workgroup Manager. I'm wondering if there's a way to set the LDAP search base to only search for members within the same group.


For example, I currently have the search base set for


cn=users,dc=example,dc=com


but I'm looking for a way to limit the results so only users in cn=groupname1,cn=groups,dc=example,dc=com would show (that would be users in groupname1).


Is this possible?


Thanks!

MAC MINI SERVER (LATE 2012), OS X Mountain Lion (10.8.2), ios 6.0.1

Posted on Dec 5, 2012 3:36 PM

8 replies

Dec 5, 2012 5:02 PM in response to JaimeMagiera

Thanks for getting back to me Jaime.


Let's say userA belongs to group1, but that I have userB through userF that may belong to group2 through group3.


I want to set userA's LDAP access so that they can only see the other users in group1 but not group2 and group3. The same is true for the other users. If there are four users in group3, I want them to see each other but not the users in group1 and group2.


Right now, with the search base set for


cn=users,dc=example,dc=com


all users can see each other, regardless of which group they're in. Is there a way to modify the search base to limit each user to only being able to see other users in their group?


Thanks!

Dec 5, 2012 5:59 PM in response to fkick1

Maybe someone else has a solution, but I don't believe it's possible. Those apps are configured to query a number of attributes from the search base. That means you can't add your own filters. So, the solution would have to be server-side. Though you could modify the lower level LDAP to make such limitations, there is nothing in the GUI that would allow such a setup and there is no guarantee that it would continue to work with the rest of OpenDirectory. One issue is that the server would need to have authenticated search queries enabled - otherwise, your limits in the Contacts app would be superfluous, because any other app or ldap search tool could find the users and that wouldn't be very secure.


You could create multiple domains and limit the search base to those domains (with authentication)

Dec 5, 2012 7:27 PM in response to fkick1

Well, it depends on how technical you want to get. Yes, you can use OUs in the search base of Contacts.app. However, you can only create OUs on the server side via 3rd party apps that write directly to the LDAP tree (ldapadd, ldapmodify, etc.) or edit the raw files. There isn't anything in the Server.app GUI to do that. In general, OpenDirectory does not support creating OUs out of the box. So, you'd be winging it. Here's a doc that outlines the procedure... http://publishing.yudu.com/Library/Avczi/prueba/resources/20.htm
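The replies above explain why a search base alone can't express "only the members of groupname1": in Open Directory the membership is stored on the group entry (the posixGroup's memberUid values), not on the user entries under cn=users, so a client has to read the group first and then query the users base with a filter built from that list. The following is an added illustration, not code from this thread or from Apple; it runs against a small constructed in-memory stand-in for the directory rather than a live server, and the attribute layout (posixGroup with memberUid, posixAccount with uid) is an assumption about how OD lays out its tree. The filter builder escapes values per RFC 4515 so a uid containing `(`, `)`, `*` or `\` can't alter the filter's structure. As the second reply notes, this is purely a client-side view: it does not stop a bound user from issuing a broader search, so it is a convenience filter, not an access control.

```python
"""Two-step "users in group" lookup as an LDAP client would do it against
Open Directory, plus RFC 4515 filter escaping. Runs offline against a
constructed stand-in directory (not a live server)."""

# Constructed stand-in for the relevant part of the OD tree (not real data).
# Assumption: groups are posixGroup entries carrying memberUid values,
# users are posixAccount entries under cn=users.
DIRECTORY = {
    "cn=groupname1,cn=groups,dc=example,dc=com": {
        "objectClass": ["posixGroup", "apple-group"],
        "cn": ["groupname1"],
        "memberUid": ["usera", "userb"],
    },
    "cn=group2,cn=groups,dc=example,dc=com": {
        "objectClass": ["posixGroup", "apple-group"],
        "cn": ["group2"],
        "memberUid": ["userc", "user(d)"],
    },
    "uid=usera,cn=users,dc=example,dc=com": {
        "objectClass": ["posixAccount"], "uid": ["usera"], "cn": ["User A"]},
    "uid=userb,cn=users,dc=example,dc=com": {
        "objectClass": ["posixAccount"], "uid": ["userb"], "cn": ["User B"]},
    "uid=userc,cn=users,dc=example,dc=com": {
        "objectClass": ["posixAccount"], "uid": ["userc"], "cn": ["User C"]},
    "uid=user(d),cn=users,dc=example,dc=com": {
        "objectClass": ["posixAccount"], "uid": ["user(d)"], "cn": ["User D"]},
}

USERS_BASE = "cn=users,dc=example,dc=com"

# RFC 4515 section 3: these characters must be hex-escaped inside a filter value.
_FILTER_ESCAPES = {"\\": r"\5c", "*": r"\2a", "(": r"\28", ")": r"\29", "\0": r"\00"}


def escape_filter_value(value: str) -> str:
    """Escape a single assertion value for use inside an LDAP search filter."""
    return "".join(_FILTER_ESCAPES.get(ch, ch) for ch in value)


def group_member_filter(member_uids):
    """Build the filter for the second query (run under cn=users), e.g.
    (&(objectClass=posixAccount)(|(uid=usera)(uid=userb))).
    Returns None for an empty member list: an empty OR matches nothing."""
    if not member_uids:
        return None
    alternatives = "".join(f"(uid={escape_filter_value(u)})" for u in member_uids)
    return f"(&(objectClass=posixAccount)(|{alternatives}))"


def members_of_group(directory, group_dn):
    """First query: read the group entry and return its memberUid values."""
    entry = directory.get(group_dn)
    if entry is None or "posixGroup" not in entry.get("objectClass", []):
        raise LookupError(f"no posixGroup entry at {group_dn}")
    return list(entry.get("memberUid", []))


def _in_subtree(dn: str, base: str) -> bool:
    """Subtree scope: the base itself or any entry whose DN ends in ',<base>'."""
    return dn == base or dn.endswith("," + base)


def search_users(directory, base, uids):
    """Second query, simulated: subtree search under `base` for posixAccount
    entries whose uid is in `uids`. Returns matching DNs, sorted."""
    wanted = set(uids)
    return sorted(
        dn for dn, attrs in directory.items()
        if _in_subtree(dn, base)
        and "posixAccount" in attrs.get("objectClass", [])
        and any(u in wanted for u in attrs.get("uid", []))
    )


def users_in_group(directory, group_dn, users_base=USERS_BASE):
    """The whole lookup the poster wanted: group entry -> memberUid -> user DNs.
    Note this only narrows what this client displays; the bound user can still
    search all of cn=users unless the server's ACLs say otherwise."""
    return search_users(directory, users_base, members_of_group(directory, group_dn))


if __name__ == "__main__":
    group = "cn=groupname1,cn=groups,dc=example,dc=com"
    print(group_member_filter(members_of_group(DIRECTORY, group)))
    for dn in users_in_group(DIRECTORY, group):
        print(dn)
```

Running it prints the compound filter for groupname1 and the two member DNs; the `user(d)` entry in group2 shows the escaping producing `uid=user\28d\29` rather than a malformed filter.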
