
Not terribly experienced with LDAP here. Looking for some help crafting either an LDAP dynamic group or an LDAP query that I can use to create a dynamic group.

Here is the goal: a groupOfNames or groupOfURLs containing all managers as members.

Managers are stored as manager attributes on the people that are being managed. We can get a list of people with defined managers, and the DNs of those managers with the following query:

ldaps:///ou=users,dc=example,dc=com?manager?sub?(manager=*)

The problem here is that we're still returning the primary DN of the managed person rather than the manager, so we'd end up with the wrong people in the group.

Is there a way to either make a groupOfURLs that sources its members from the member attribute instead OR write a subquery that follows the DNs in the manager attribute to return the managers as a result?

FWIW we're running OpenDJ, which is based on OpenDS.

Thanks in advance for any help!

brodkin

1 Answer


This is not just specific to OpenDJ or OpenDS, but overall an issue of the LDAP data model. In a dynamic group (GroupOfURLs), the filter must match attributes that are in the members' entries; there is no way to have an indirection through another entry's attribute (like manager). You need to find an attribute that is in the manager entries and that is not in the managed entries.
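One way to act on the answer above, as an added example that is not part of the original question or answer: collect the distinct DNs referenced by `manager` from an LDIF export, then generate `ldapmodify` input that stamps each manager entry with a marker a groupOfURLs filter can match directly. The marker `employeeType: manager`, the sample entries and the function names are assumptions made for illustration.

```python
# Added example. Assumptions: the marker attribute/value and the constructed LDIF below.
SAMPLE_LDIF = """\
dn: uid=alice,ou=users,dc=example,dc=com
manager: uid=carol,ou=users,dc=example,dc=com

dn: uid=bob,ou=users,dc=example,dc=com
manager: UID=Carol, OU=Users, DC=example, DC=com

dn: uid=carol,ou=users,dc=example,dc=com
manager: uid=dave,ou=users,dc=example,dc=com

dn: uid=dave,ou=users,dc=example,dc=com
uid: dave
"""

MARKER_ATTR, MARKER_VALUE = "employeeType", "manager"  # assumed marker


def normalize_dn(dn):
    """Lower-case and trim each RDN so equivalent DNs compare equal.
    Simplified: escaped commas and multi-valued RDNs are not handled."""
    return ",".join(
        "=".join(part.strip() for part in rdn.split("=", 1))
        for rdn in dn.lower().split(",")
    )


def manager_dns(ldif_text):
    """Return the sorted, de-duplicated DNs found in manager attributes."""
    found = set()
    for line in ldif_text.splitlines():
        name, sep, value = line.partition(":")
        # Base64 values ("manager:: ...") are skipped in this simplified parser.
        if sep and name.strip().lower() == "manager" and not value.startswith(":"):
            if value.strip():
                found.add(normalize_dn(value))
    return sorted(found)


def marker_ldif(dns):
    """Build ldapmodify records that add the marker value to each manager entry."""
    record = "dn: {0}\nchangetype: modify\nadd: {1}\n{1}: {2}\n-\n"
    return "\n".join(record.format(dn, MARKER_ATTR, MARKER_VALUE) for dn in dns)


def member_url(base="ou=users,dc=example,dc=com"):
    """memberURL whose filter matches an attribute on the member entries themselves."""
    return f"ldap:///{base}??sub?({MARKER_ATTR}={MARKER_VALUE})"


if __name__ == "__main__":
    print(marker_ldif(manager_dns(SAMPLE_LDIF)))
    print("memberURL:", member_url())
```

The marker is only as current as the last run, so it has to be regenerated when `manager` values change. Because the marker now decides group membership, write access to it should be limited to the account that maintains it.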