LLDAP•2y ago
charles

Hello all, wanted to seek some guidance on my L...

Hello all, wanted to seek some guidance on my LDAP queries. It appears proxmox or lldap don't seem to like wildcard searches, or at least I am writing them wrong, any suggestions on better ways to write these two filter queries?
&(objectClass=person)(|(memberof=cn=proxmox_user,ou=groups,dc=phukish,dc=cvn)(memberof=cn=proxmox_admin,ou=groups,dc=phukish,dc=cvn))
&(objectClass=groupofnames)(|(cn=proxmox_user)(cn=proxmox_admin))
nitnelave•2y ago
First thing that comes to mind is that you seem to be missing a set of parentheses around the entire filter: the syntax is (&(...)(...)(...)) (if you know Lisp, it's basically calling the & function, so you need the syntax (function_name arg1 arg2 arg3)). Although the technical term would probably be s-expression.
charlesOP•2y ago
Aye, that definitely helps my understanding, will include this bit. Proxmox seems quite forgiving with my queries here (although doesn't like wildcards [* or %])
nitnelave•2y ago
It depends how you use the wildcards, they cannot just go anywhere in the filter. Can you give me an example?
charlesOP•2y ago
(&(objectClass=groupofnames)(cn=proxmox_*))
(&(objectClass=person)(memberof=cn=proxmox_*,ou=groups,dc=example,dc=com))
Are kinda what I am aiming for, would like to copy all groups that start with proxmox_*, and then copy all users that are members of proxmox_* groups. Reading some of the Proxmox support issues though, and trying to educate myself, is it usually better to have permissions/groups be additive (i.e. everyone has proxmox_user, then admins have proxmox_admin)? It seems like "it depends", as in each app is set up a little differently.
Solution
nitnelave•2y ago
LLDAP doesn't support wildcards everywhere, that might just be a missing feature. I don't remember exactly where we support them, but I'm pretty sure we don't support wildcard UIDs (or CNs)
charlesOP•2y ago
Gotcha, yeah in my case at least for at home, my original queries (above) are working just great. Kinda thinking out loud as this doesn't seem to scale well, for 10s or 100s of groups. [Which I would guess also kinda wanders outside of the aim of lldap as a project, but feel free to correct me.]
nitnelave•2y ago
Yeah, that's not really the objective of LLDAP. If we can support those use cases just by making the small server use case better, that's nice, but I'm not going to make sacrifices just to support huge workloads. But in this case, adding support for wildcards there would improve the project. If you feel like it, you can create an issue for that (which I'm not going to get to anytime soon, but that'll be nice to have when I'm bored and don't know what else to do, if that ever comes up 😄)
charlesOP•2y ago
Hehe, will look into it, would love to try and pick up some Rust so I can pass a PR on for this. That said, yeah, time is a hard commodity to come by these days 🙂
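Since wildcard CNs are not supported per the accepted answer, one way to keep the explicit queries manageable as the group list grows is to generate them from a list of names. This is an added example, not code from the thread or from LLDAP; the helper names are hypothetical and the base DN is the sample one used above. It also checks for the outer parentheses pointed out earlier in the thread, and escapes group names so a name containing `*`, `(` or `,` cannot change the meaning of the filter.

```python
# Added example: generate explicit (non-wildcard) LDAP filters from group names.
_FILTER_ESC = {"\\": r"\5c", "*": r"\2a", "(": r"\28", ")": r"\29", "\x00": r"\00"}

def escape_filter_value(value):
    """Escape an assertion value for an RFC 4515 search filter."""
    return "".join(_FILTER_ESC.get(ch, ch) for ch in value)

def escape_rdn_value(value):
    """Escape an RDN value for a DN (RFC 4514), using hex pairs throughout."""
    out, last = [], len(value) - 1
    for i, ch in enumerate(value):
        edge = (i == 0 and ch in " #") or (i == last and ch == " ")
        out.append("\\%02x" % ord(ch) if ch in ',+"\\<>;=\x00' or edge else ch)
    return "".join(out)

def _any_of(clauses):
    """Wrap clauses in (|...); a single clause needs no OR."""
    if not clauses:
        raise ValueError("at least one group is required")
    return clauses[0] if len(clauses) == 1 else "(|" + "".join(clauses) + ")"

def group_filter(groups):
    """Filter matching exactly the named groups."""
    clauses = ["(cn=%s)" % escape_filter_value(g) for g in groups]
    return "(&(objectClass=groupofnames)%s)" % _any_of(clauses)

def member_filter(groups, groups_base):
    """Filter matching users that are members of any of the named groups."""
    clauses = []
    for g in groups:
        dn = "cn=%s,%s" % (escape_rdn_value(g), groups_base)
        # The DN is itself a filter value, so its backslashes are escaped again.
        clauses.append("(memberof=%s)" % escape_filter_value(dn))
    return "(&(objectClass=person)%s)" % _any_of(clauses)

def is_wrapped(filter_str):
    """True if one balanced pair of parentheses encloses the whole filter."""
    depth = 0
    for i, ch in enumerate(filter_str):
        if ch == "(":
            depth += 1
        elif ch == ")":
            depth -= 1
        if depth <= 0 and i != len(filter_str) - 1:
            return False
    return depth == 0 and filter_str.startswith("(")

if __name__ == "__main__":
    names = ["proxmox_user", "proxmox_admin"]  # group names from the thread
    print(group_filter(names))
    print(member_filter(names, "ou=groups,dc=example,dc=com"))
```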
