You are here

Home » API reference » Lightweight Directory Access Protocol (LDAP) 7

DeriveFromEntry.notes.cn.txt in Lightweight Directory Access Protocol (LDAP) 7 

This is a counterpart to DeriveFromEntry.notes.txt using cn, groupOfUniqueNames, and uid

========================================
Derive From Entry walk-through NOT nested:
========================================

--- configuration ------
0. authorization.deriveFromEntry = 1
1. authorization.deriveFromEntryEntries = array('it', 'people')
1b. authorization.deriveFromEnryEntryAttribute' = 'cn'
2. authorization.deriveFromEntryMembershipAttr = 'uniquemember'
2a. authorization.deriveFromEntryAttrMatchingUserAttr = 'dn'
4. authorization.deriveFromEntrySearchAll = 0
5. authorization.deriveFromEntryNested = 0
6. authorization.deriveFromEntryUseFirstAttr = 0
7. server.groupObjectClass = 'groupOfUniqueNames'

user ldap entry in question:
  'dn' => 'uid=joeprogrammer,ou=it,dc=ad,dc=myuniversity,dc=edu',
  'cn' => 'joeprogrammer',
  'uid' => 'joeprogrammer',
  'mail' => array( 0 => 'joeprogrammer@myuniversity.edu'),
  'uid' => array( 0 => 'joeprogrammer'),


--- walk-through ------
1). foreach base dn, execute the following query:

(&
(objectClass=groupOfUniqueNames)
(|(cn=it)(cn=people))
(uniquemember=cn=joeprogrammer,ou=it,dc=ad,dc=myuniversity,dc=edu)
)

in psuedo code:
(&
(objectClass=[server.groupObjectClass])
(|([authorization.deriveFromEnryEntryAttribute]=[authorization.deriveFromEntryEntries[i]])...([authorization.deriveFromEnryEntryAttribute]=[authorization.deriveFromEntryEntries[n]]))
([authorization.deriveFromEntryMembershipAttr]=[user_ldap_entry[deriveFromEntryAttrMatchingUserAttr]])
)


2. All entries returned represent groups that user is a member of.
Their DNs are added to the list of authorizations or the first attribute value
if authorization.deriveFromEntryUseFirstAttr is true.


========================================
Derive From Entry walk-through NESTED:
========================================

--- configuration ------
0. authorization.deriveFromEntry = 1
1. authorization.deriveFromEntryEntries = array('it', 'people')
1b. authorization.deriveFromEnryEntryAttribute' = 'cn'
2. authorization.deriveFromEntryMembershipAttr = 'uniquemember'
2b. authorization.deriveFromEntryAttrMatchingUserAttr = 'dn'
4. authorization.deriveFromEntrySearchAll = 0
5. authorization.deriveFromEntryNested = 1
6. authorization.deriveFromEntryUseFirstAttr = 0
7. server.groupObjectClass = 'groupOfUniqueNames'

user ldap entry in question:
  'dn' => 'uid=joeprogrammer,ou=it,dc=ad,dc=myuniversity,dc=edu',
  'mail' => array( 0 => 'joeprogrammer@myuniversity.edu'),
  'uid' => array( 0 => 'joeprogrammer'),


--- walk-through ------
1). foreach base dn, execute the following query:

(&
(objectClass=groupOfUniqueNames)
(|(cn=it)(cn=people))
)

in psuedo code:
(&
(objectClass=[server.groupObjectClass])
(|([authorization.deriveFromEnryEntryAttribute]=[authorization.deriveFromEntryEntries[i]])...([authorization.deriveFromEnryEntryAttribute]=[authorization.deriveFromEntryEntries[n]]))
)


2. All entries returned represent groups that user MIGHT be a member of.  examples:

  'dn' => 'cn=it,cn=groups,dc=ad,dc=myuniversity,dc=edu',
  'cn' => array( 0 => 'it'),
  'objectclass' => array( 0 => 'groupofuniquenames'),
  'uniquemember' => array(
    0 => 'developers,cn=groups,dc=ad,dc=myuniversity,dc=edu',
    1 => 'cn=sysadmins,cn=groups,dc=ad,dc=myuniversity,dc=edu',
    2 => 'uid=joeprojectmanager,ou=it,dc=ad,dc=myuniversity,dc=edu',
  ),

  'dn' => 'cn=people,cn=groups,dc=ad,dc=myuniversity,dc=edu',
  'cn' => array( 0 => 'people'),
  'objectclass' => array( 0 => 'groupofuniquenames'),
  'uniquemember' => array(
     0 => 'cn=students,cn=groups,dc=ad,dc=myuniversity,dc=edu',
     1 => 'cn=staff,cn=groups,dc=ad,dc=myuniversity,dc=edu',
  ),




3. foreach returned entry from query 1. (authorization.deriveFromEntryEntries):

  if 'uniquemember' contains a value matching 'uid=joeprogrammer,ou=it,dc=ad,dc=myuniversity,dc=edu', add that entry's DN to authorizations
  in psuedo code: if group[authorization.deriveFromEntryMembershipAttr] contains user[authorization.deriveFromEntryAttrMatchingUserAttr],
  add corresponding authorization.deriveFromEntryEntries entry to authorizations


  else recurse through uniquemembers.  if user's entry is found, add corresponding
  authorization.deriveFromEntryEntries entry to authorizations


4A.  recursion:

In the above example the first recursion query looks like:
(&
  (objectClass=groupofuniquenames)
  (|
    (cn=developers)
    (cn=sysadmins)
    (cn=joeprojectmanager)
  )
)

which might return:

    'dn' => 'cn=developers,cn=groups,dc=ad,dc=myuniversity,dc=edu',
    'cn' => array( 0 => 'developers'),
    'objectclass' => array( 0 => 'groupofuniquenames'),
    'uniquemember' => array(
      0 => 'uid=joeprogrammer,ou=it,dc=ad,dc=myuniversity,dc=edu',
    ),

    'dn' => 'cn=sysadmins,cn=groups,dc=ad,dc=myuniversity,dc=edu',
    'cn' => array( 0 => 'sysadmins'),
    'objectclass' => array( 0 => 'groupofuniquenames'),
    'uniquemember' => array(
      0 => 'uid=joeprogrammer,ou=it,dc=ad,dc=myuniversity,dc=edu',
      1 => 'cn=sysadmins,cn=groups,dc=ad,dc=myuniversity,dc=edu',
    ),

since uid=joeprogrammer,ou=it,dc=ad,dc=myuniversity,dc=edu is found in the first entry,
  "it" (the ancestor group) is added to the list of authorizations.


4B.  In the above example the second recursion query would look like:

(&
  (objectClass=groupofuniquenames)
  (|
    (cn=students)
    (cn=staff)
  )
)

which returns:

    'dn' => 'cn=staff,cn=groups,dc=ad,dc=myuniversity,dc=edu',
    'cn' => array( 0 => 'staff'),
    'objectclass' => array( 0 => 'groupofuniquenames'),
    'uniquemember' => array(
      0 => 'cn=it,cn=groups,dc=ad,dc=myuniversity,dc=edu',
      1 => 'uid=unkool,ou=lost,dc=ad,dc=myuniversity,dc=edu',
    ),


    'dn' => 'cn=students,cn=groups,dc=ad,dc=myuniversity,dc=edu',
    'cn' => array( 0 => 'students'),
    'objectclass' => array( 0 => 'groupofuniquenames'),
    'uniquemember' => array(
      0 => 'uid=jdoe,ou=campus accounts,dc=ad,dc=myuniversity,dc=edu',
    ),

4C. leading to the queries:

(&
  (objectClass=groupofuniquenames)
  (|
    (cn=jdoe)
  )
)
...which returns no entries

and
4D.
(&
  (objectClass=groupofuniquenames)
  (|
    (cn=it)
    (cn=unkool)
  )
)

which returns:

  'dn' => 'cn=it,cn=groups,dc=ad,dc=myuniversity,dc=edu',
  'cn' => array( 0 => 'it'),
  'objectclass' => array( 0 => 'groupofuniquenames'),
  'uniquemember' => array(
    0 => 'cn=developers,cn=groups,dc=ad,dc=myuniversity,dc=edu',
    1 => 'cn=sysadmins,cn=groups,dc=ad,dc=myuniversity,dc=edu',
    2 => 'uid=joeprojectmanager,ou=it,dc=ad,dc=myuniversity,dc=edu',
  ),

4E. leading to the query:

  (&
    (objectClass=groupofuniquenames)
    (|
      (cn=developers)
      (cn=sysadmins)
      (cn=joeprojectmanager)
    )
  )

which returns:

  'dn' => 'cn=developers,cn=groups,dc=ad,dc=myuniversity,dc=edu',
  'cn' => array( 0 => 'developers'),
  'objectclass' => array( 0 => 'groupofuniquenames'),
  'uniquemember' => array(
    0 => 'uid=joeprogrammer,ou=it,dc=ad,dc=myuniversity,dc=edu',
  ),

  'dn' => 'cn=sysadmins,cn=groups,dc=ad,dc=myuniversity,dc=edu',
  'cn' => array( 0 => 'sysadmins'),
  'objectclass' => array( 0 => 'groupofuniquenames'),
  'uniquemember' => array(
    0 => 'uid=joeprogrammer,ou=it,dc=ad,dc=myuniversity,dc=edu',
    1 => 'cn=sysadmins,cn=groups,dc=ad,dc=myuniversity,dc=edu',
  ),

since uid=joeprogrammer,ou=it,dc=ad,dc=myuniversity,dc=edu is found in the first entry,
"people" (the ancestor group) is added to the list of authorizations.

==================================================================

File

ldap_authorization/tests/DeriveFromEntry/DeriveFromEntry.notes.cn.txt
View source 
  1. 

  2. This is a counterpart to DeriveFromEntry.notes.txt using cn, groupOfUniqueNames, and uid

  3. 

  4. ========================================

  5. Derive From Entry walk-through NOT nested:

  6. ========================================

  7. 

  8. --- configuration ------

  9. 0. authorization.deriveFromEntry = 1

  10. 1. authorization.deriveFromEntryEntries = array('it', 'people')

  11. 1b. authorization.deriveFromEnryEntryAttribute' = 'cn'

  12. 2. authorization.deriveFromEntryMembershipAttr = 'uniquemember'

  13. 2a. authorization.deriveFromEntryAttrMatchingUserAttr = 'dn'

  14. 4. authorization.deriveFromEntrySearchAll = 0

  15. 5. authorization.deriveFromEntryNested = 0

  16. 6. authorization.deriveFromEntryUseFirstAttr = 0

  17. 7. server.groupObjectClass = 'groupOfUniqueNames'

  18. 

  19. user ldap entry in question:

  20.   'dn' => 'uid=joeprogrammer,ou=it,dc=ad,dc=myuniversity,dc=edu',

  21.   'cn' => 'joeprogrammer',

  22.   'uid' => 'joeprogrammer',

  23.   'mail' => array( 0 => 'joeprogrammer@myuniversity.edu'),

  24.   'uid' => array( 0 => 'joeprogrammer'),

  25. 

  26. 

  27. --- walk-through ------

  28. 1). foreach base dn, execute the following query:

  29. 

  30. (&

  31. (objectClass=groupOfUniqueNames)

  32. (|(cn=it)(cn=people))

  33. (uniquemember=cn=joeprogrammer,ou=it,dc=ad,dc=myuniversity,dc=edu)

  34. )

  35. 

  36. in psuedo code:

  37. (&

  38. (objectClass=[server.groupObjectClass])

  39. (|([authorization.deriveFromEnryEntryAttribute]=[authorization.deriveFromEntryEntries[i]])...([authorization.deriveFromEnryEntryAttribute]=[authorization.deriveFromEntryEntries[n]]))

  40. ([authorization.deriveFromEntryMembershipAttr]=[user_ldap_entry[deriveFromEntryAttrMatchingUserAttr]])

  41. )

  42. 

  43. 

  44. 2. All entries returned represent groups that user is a member of.

  45. Their DNs are added to the list of authorizations or the first attribute value

  46. if authorization.deriveFromEntryUseFirstAttr is true.

  47. 

  48. 

  49. ========================================

  50. Derive From Entry walk-through NESTED:

  51. ========================================

  52. 

  53. --- configuration ------

  54. 0. authorization.deriveFromEntry = 1

  55. 1. authorization.deriveFromEntryEntries = array('it', 'people')

  56. 1b. authorization.deriveFromEnryEntryAttribute' = 'cn'

  57. 2. authorization.deriveFromEntryMembershipAttr = 'uniquemember'

  58. 2b. authorization.deriveFromEntryAttrMatchingUserAttr = 'dn'

  59. 4. authorization.deriveFromEntrySearchAll = 0

  60. 5. authorization.deriveFromEntryNested = 1

  61. 6. authorization.deriveFromEntryUseFirstAttr = 0

  62. 7. server.groupObjectClass = 'groupOfUniqueNames'

  63. 

  64. user ldap entry in question:

  65.   'dn' => 'uid=joeprogrammer,ou=it,dc=ad,dc=myuniversity,dc=edu',

  66.   'mail' => array( 0 => 'joeprogrammer@myuniversity.edu'),

  67.   'uid' => array( 0 => 'joeprogrammer'),

  68. 

  69. 

  70. --- walk-through ------

  71. 1). foreach base dn, execute the following query:

  72. 

  73. (&

  74. (objectClass=groupOfUniqueNames)

  75. (|(cn=it)(cn=people))

  76. )

  77. 

  78. in psuedo code:

  79. (&

  80. (objectClass=[server.groupObjectClass])

  81. (|([authorization.deriveFromEnryEntryAttribute]=[authorization.deriveFromEntryEntries[i]])...([authorization.deriveFromEnryEntryAttribute]=[authorization.deriveFromEntryEntries[n]]))

  82. )

  83. 

  84. 

  85. 2. All entries returned represent groups that user MIGHT be a member of.  examples:

  86. 

  87.   'dn' => 'cn=it,cn=groups,dc=ad,dc=myuniversity,dc=edu',

  88.   'cn' => array( 0 => 'it'),

  89.   'objectclass' => array( 0 => 'groupofuniquenames'),

  90.   'uniquemember' => array(

  91.     0 => 'developers,cn=groups,dc=ad,dc=myuniversity,dc=edu',

  92.     1 => 'cn=sysadmins,cn=groups,dc=ad,dc=myuniversity,dc=edu',

  93.     2 => 'uid=joeprojectmanager,ou=it,dc=ad,dc=myuniversity,dc=edu',

  94.   ),

  95. 

  96.   'dn' => 'cn=people,cn=groups,dc=ad,dc=myuniversity,dc=edu',

  97.   'cn' => array( 0 => 'people'),

  98.   'objectclass' => array( 0 => 'groupofuniquenames'),

  99.   'uniquemember' => array(

  100.      0 => 'cn=students,cn=groups,dc=ad,dc=myuniversity,dc=edu',

  101.      1 => 'cn=staff,cn=groups,dc=ad,dc=myuniversity,dc=edu',

  102.   ),

  103. 

  104. 

  105. 

  106. 

  107. 3. foreach returned entry from query 1. (authorization.deriveFromEntryEntries):

  108. 

  109.   if 'uniquemember' contains a value matching 'uid=joeprogrammer,ou=it,dc=ad,dc=myuniversity,dc=edu', add that entry's DN to authorizations

  110.   in psuedo code: if group[authorization.deriveFromEntryMembershipAttr] contains user[authorization.deriveFromEntryAttrMatchingUserAttr],

  111.   add corresponding authorization.deriveFromEntryEntries entry to authorizations

  112. 

  113. 

  114.   else recurse through uniquemembers.  if user's entry is found, add corresponding

  115.   authorization.deriveFromEntryEntries entry to authorizations

  116. 

  117. 

  118. 4A.  recursion:

  119. 

  120. In the above example the first recursion query looks like:

  121. (&

  122.   (objectClass=groupofuniquenames)

  123.   (|

  124.     (cn=developers)

  125.     (cn=sysadmins)

  126.     (cn=joeprojectmanager)

  127.   )

  128. )

  129. 

  130. which might return:

  131. 

  132.     'dn' => 'cn=developers,cn=groups,dc=ad,dc=myuniversity,dc=edu',

  133.     'cn' => array( 0 => 'developers'),

  134.     'objectclass' => array( 0 => 'groupofuniquenames'),

  135.     'uniquemember' => array(

  136.       0 => 'uid=joeprogrammer,ou=it,dc=ad,dc=myuniversity,dc=edu',

  137.     ),

  138. 

  139.     'dn' => 'cn=sysadmins,cn=groups,dc=ad,dc=myuniversity,dc=edu',

  140.     'cn' => array( 0 => 'sysadmins'),

  141.     'objectclass' => array( 0 => 'groupofuniquenames'),

  142.     'uniquemember' => array(

  143.       0 => 'uid=joeprogrammer,ou=it,dc=ad,dc=myuniversity,dc=edu',

  144.       1 => 'cn=sysadmins,cn=groups,dc=ad,dc=myuniversity,dc=edu',

  145.     ),

  146. 

  147. since uid=joeprogrammer,ou=it,dc=ad,dc=myuniversity,dc=edu is found in the first entry,

  148.   "it" (the ancestor group) is added to the list of authorizations.

  149. 

  150. 

  151. 4B.  In the above example the second recursion query would look like:

  152. 

  153. (&

  154.   (objectClass=groupofuniquenames)

  155.   (|

  156.     (cn=students)

  157.     (cn=staff)

  158.   )

  159. )

  160. 

  161. which returns:

  162. 

  163.     'dn' => 'cn=staff,cn=groups,dc=ad,dc=myuniversity,dc=edu',

  164.     'cn' => array( 0 => 'staff'),

  165.     'objectclass' => array( 0 => 'groupofuniquenames'),

  166.     'uniquemember' => array(

  167.       0 => 'cn=it,cn=groups,dc=ad,dc=myuniversity,dc=edu',

  168.       1 => 'uid=unkool,ou=lost,dc=ad,dc=myuniversity,dc=edu',

  169.     ),

  170. 

  171. 

  172.     'dn' => 'cn=students,cn=groups,dc=ad,dc=myuniversity,dc=edu',

  173.     'cn' => array( 0 => 'students'),

  174.     'objectclass' => array( 0 => 'groupofuniquenames'),

  175.     'uniquemember' => array(

  176.       0 => 'uid=jdoe,ou=campus accounts,dc=ad,dc=myuniversity,dc=edu',

  177.     ),

  178. 

  179. 4C. leading to the queries:

  180. 

  181. (&

  182.   (objectClass=groupofuniquenames)

  183.   (|

  184.     (cn=jdoe)

  185.   )

  186. )

  187. ...which returns no entries

  188. 

  189. and

  190. 4D.

  191. (&

  192.   (objectClass=groupofuniquenames)

  193.   (|

  194.     (cn=it)

  195.     (cn=unkool)

  196.   )

  197. )

  198. 

  199. which returns:

  200. 

  201.   'dn' => 'cn=it,cn=groups,dc=ad,dc=myuniversity,dc=edu',

  202.   'cn' => array( 0 => 'it'),

  203.   'objectclass' => array( 0 => 'groupofuniquenames'),

  204.   'uniquemember' => array(

  205.     0 => 'cn=developers,cn=groups,dc=ad,dc=myuniversity,dc=edu',

  206.     1 => 'cn=sysadmins,cn=groups,dc=ad,dc=myuniversity,dc=edu',

  207.     2 => 'uid=joeprojectmanager,ou=it,dc=ad,dc=myuniversity,dc=edu',

  208.   ),

  209. 

  210. 4E. leading to the query:

  211. 

  212.   (&

  213.     (objectClass=groupofuniquenames)

  214.     (|

  215.       (cn=developers)

  216.       (cn=sysadmins)

  217.       (cn=joeprojectmanager)

  218.     )

  219.   )

  220. 

  221. which returns:

  222. 

  223.   'dn' => 'cn=developers,cn=groups,dc=ad,dc=myuniversity,dc=edu',

  224.   'cn' => array( 0 => 'developers'),

  225.   'objectclass' => array( 0 => 'groupofuniquenames'),

  226.   'uniquemember' => array(

  227.     0 => 'uid=joeprogrammer,ou=it,dc=ad,dc=myuniversity,dc=edu',

  228.   ),

  229. 

  230.   'dn' => 'cn=sysadmins,cn=groups,dc=ad,dc=myuniversity,dc=edu',

  231.   'cn' => array( 0 => 'sysadmins'),

  232.   'objectclass' => array( 0 => 'groupofuniquenames'),

  233.   'uniquemember' => array(

  234.     0 => 'uid=joeprogrammer,ou=it,dc=ad,dc=myuniversity,dc=edu',

  235.     1 => 'cn=sysadmins,cn=groups,dc=ad,dc=myuniversity,dc=edu',

  236.   ),

  237. 

  238. since uid=joeprogrammer,ou=it,dc=ad,dc=myuniversity,dc=edu is found in the first entry,

  239. "people" (the ancestor group) is added to the list of authorizations.

  240. 

  241. ==================================================================