#1 Junior Member

    How can I view the entries in LDAP?

    Hi, this problem has puzzled me for many days.
    I have set an ACI in LDAP so that an entry (ou=teachers,o=university) can only be viewed by the entry (ou=admins,o=university),
    but I don't know how to implement it.
    Could you please tell me how to bind the viewer's identity when he/she searches? Thanks very much.
#2 300lb Bench!

    If you look under the articles section of this site (under the php main category) there are two articles that talk about php. Other than that, you may want to purchase the O'Reilly book. I'm tinkering with LDAP myself and don't have a specific answer to your question. Sorry.
#3 Chris Larivee

    Hi Arkang -

    I am not sure where you are looking for help - whether it is setting the aci or testing the aci once it is set ...

    First, either your DIT isn't set up correctly - or you mistyped your intentions on the aci. The way the aci works is by allowing the entry to access something in the directory - either a branch point in the DIT - or an entry specifically.

    In your example you are saying that only the entry ou=admins,o=university can view the teachers ou. In reality you wouldn't have a password associated with an ou - so binding as that entry would most likely not be possible.

    What you may consider doing is creating a group with all your administrators present - then allowing that group to view the ou with teachers in it.

    Then you would add the aci to the ou=teachers,o=university entry - assigning the search capability to the admin group. Alternatively you could do it by assigning the right to search to each individual user - like uid=admin,ou=admins,o=university.

    Then at that point you can test using ldapsearch by specifying your bind dn as uid=admin,ou=admins,o=university (or any member of the admins group if you create one and set the aci that way) and searching the ou=teachers,o=university branch.

    I hope this helps in some way. If I am off base on what you are looking for - just post again and I'll try to help. It might be helpful to know which brand and version of directory server you are using as well ...

    HTH

    -Chris
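The three steps Chris describes (a group of administrators, an aci on ou=teachers granting that group search rights, and an ldapsearch bound as a group member to test it), as an added example that is not part of the thread. It assumes a Netscape/Sun/389-style Directory Server whose "aci" attribute uses the ldap:/// syntax quoted later in the thread; the host name, the directory-manager DN and the group name cn=teacher-admins are placeholders.

```sh
#!/bin/sh
# Added example, not from the thread. Assumes a Netscape/Sun/389-style Directory
# Server; host and directory-manager DN are placeholders. The same pattern, with
# the aci on dc=app1,o=university and a group of dept1 users, fits the later question.
set -e
HOST="${LDAP_HOST:-ldap.example.edu}"   # placeholder host
DIRMGR='cn=Directory Manager'           # placeholder admin DN

# Step 1: a static group of administrators. An ou has no password, so the ACI
# must name identities that can actually bind: users, or a group of them.
admins_group_ldif() {
  cat <<'EOF'
dn: cn=teacher-admins,ou=admins,o=university
objectClass: top
objectClass: groupOfUniqueNames
cn: teacher-admins
uniqueMember: uid=admin,ou=admins,o=university
EOF
}

# Step 2: the ACI on ou=teachers,o=university (it also covers the subtree).
# Only read/search/compare for group members is allowed; nothing else is
# granted, so every other bind DN, and anonymous, sees no teacher entries.
teachers_aci_ldif() {
  cat <<'EOF'
dn: ou=teachers,o=university
changetype: modify
add: aci
aci: (targetattr="*")(version 3.0; acl "admins read teachers";
 allow (read,search,compare)
 groupdn="ldap:///cn=teacher-admins,ou=admins,o=university";)
EOF
}

# Step 3: the same search bound as two different identities. The viewer's
# identity is supplied with -D (bind DN) and -W (prompt for its password).
search_as() {  # $1 = bind DN
  printf 'ldapsearch -H ldap://%s -D "%s" -W -b ou=teachers,o=university "(objectClass=*)" dn\n' "$HOST" "$1"
}

main() {
  admins_group_ldif > add-group.ldif
  teachers_aci_ldif > add-aci.ldif
  echo "ldapmodify -H ldap://$HOST -D \"$DIRMGR\" -W -a -f add-group.ldif"
  echo "ldapmodify -H ldap://$HOST -D \"$DIRMGR\" -W -f add-aci.ldif"
  search_as 'uid=admin,ou=admins,o=university'    # expected: teacher entries
  search_as 'uid=someone,ou=dept1,o=university'   # expected: no entries
}
main "$@"
```

Running the two searches against the live server is the actual test: the second bind DN returning nothing confirms the aci denies everyone outside the group, not just anonymous users.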
#4 Junior Member

    Thanks ldap4u and colpaarm,
    to ldap4u:
    my real question is:
    all the people of the university are stored in different directories by department (e.g. ou=dept1,o=university ... ou=dept2,o=university), and we have different applications stored in LDAP too (e.g. dc=app1,o=university ... dc=app2,o=university).

    How can I control it so that if a user who belongs to dept1 logs on successfully, she/he can only view dc=app1 but can't view dc=app2?
#5 Chris Larivee

    Hi arkang,

    So merely denying access to the information that is stored in the directory for the application may not be enough to ensure you get the results you need - you may need to further investigate the capabilities of your application to ensure it understands how to parse either ACIs in LDAP or to ensure it can process LDAP groups.

    From a directory-only perspective - you will need to set an aci at the application branch of the directory structure to allow access to only those who should have it. For instance you may want to set an aci on dc=app1,o=university (by the way this is a very odd DIT structure) that allows access to only those users in ou=dept1,o=university. You have several ways to accomplish this - the most popularly used method would be to create a group (ideally a dynamic group) consisting of all the users that would have access to this branch point (dc=dept1,o=university). You may also be able to specify the list of people who should have access by using a wildcard in your aci statement - something like ldap:///*,ou=dept1,o=university ...

    hope this helps in some way ...
