Thanks for your response,
The thing is that we don't use LDAP auth but CAS auth. Also, we don't permit user auth and access to LDAP, so I don't think that we can use your example, if I understood your LDAP configuration.
Julien
On 05/12/2012 19:13, Jeroen van Meeuwen (Kolab Systems) wrote:
On 2012-12-05 16:44, Julien Gribonvald wrote:
My needs are for the address book feature using an LDAP; we would like to do dynamic filters depending on user attributes obtained at the connection with an LDAP request.
Are you saying that you need, for example, a filter of:
(&(objectclass=inetorgperson)(location:$branch_office_1))
for somebody that logs in that has an LDAP attribute 'location' set to '$branch_office_1', or something along similar lines?
You may want to consider something along the lines of (OpenLDAP slapd.conf syntax):
access to dn.subtree="ou=people,dc=example,dc=org"
    by set.exact="this/location & user/location" read
    by * none
which reads as follows:
Read, search, compare, auth and disclose access is granted to entries in the OU=People sub-tree, for which the 'location' attribute value on the entry searched/found is equal to the 'location' attribute value for the user that bound to LDAP.
This way, there's no need to modify code, and it'll work for other LDAP clients as well.
Kind regards,
Jeroen van Meeuwen
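
The rule quoted above grants access based on the identity that bound to LDAP, which the following added example models in Python (it is not part of the original thread and not OpenLDAP code). The directory entries, the `cn=webmail` service DN and the exact-string comparison of values are assumptions made for illustration.

```python
# Simplified model of the quoted slapd.conf rule:
#   access to dn.subtree="ou=people,dc=example,dc=org"
#       by set.exact="this/location & user/location" read
#       by * none
# Assumption: values are compared as exact strings (slapd's own matching may differ).

SUBTREE = "ou=people,dc=example,dc=org"

# Constructed sample directory: DN -> attributes
DIRECTORY = {
    "uid=alice,ou=people,dc=example,dc=org": {"location": ["paris"]},
    "uid=bob,ou=people,dc=example,dc=org": {"location": ["paris", "lyon"]},
    "uid=carol,ou=people,dc=example,dc=org": {"location": ["zurich"]},
    "uid=dave,ou=people,dc=example,dc=org": {},       # no location value
    "cn=webmail,ou=services,dc=example,dc=org": {},   # hypothetical service bind DN
}


def in_subtree(dn, base):
    """True when dn is the base entry or lies below it."""
    return dn == base or dn.endswith("," + base)


def values(dn, attr):
    """Attribute values of an entry as a set; empty for anonymous or unknown DNs."""
    return set(DIRECTORY.get(dn, {}).get(attr, []))


def access(bound_dn, target_dn):
    """Access level this one rule yields, or None when the rule does not cover the target."""
    if not in_subtree(target_dn, SUBTREE):
        return None
    # "this/location & user/location": the set clause matches when the
    # intersection of both value sets is non-empty.
    if values(target_dn, "location") & values(bound_dn, "location"):
        return "read"
    return "none"  # the "by * none" clause


def visible_entries(bound_dn):
    """Sorted DNs the bound identity can read under this rule."""
    return sorted(dn for dn in DIRECTORY if access(bound_dn, dn) == "read")


if __name__ == "__main__":
    for who in list(DIRECTORY) + [None]:  # None models an anonymous bind
        print(who, "->", visible_entries(who))
```

In this model a bind as an application service DN, or an anonymous bind, sees no entries under `ou=people`, because `user/location` is evaluated for whoever actually bound.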