LDAP d filter question

To list,

I noticed that the info for LDAP when using ExternalAuth mentions that you
*MUST* have a d filter defined.

My quick question is why? If my regular filter is working, anyone not
meeting that specification will be denied anyway, so why the must for the
d filter?

Kenn
LBNL

I noticed that the info for LDAP when using ExternalAuth mentions that you MUST have a d
filter defined.

My quick question is why? If my regular filter is working, anyone not meeting that
specification will be denied anyway, so why the must for the d filter?

d_filter does not stand for denied filter, it stands for disabled
filter

“The filter that will only match disabled users”

If you leave it as the default there will be errors
If you set it to the same as your filter, everyone will be marked disabled.

If you don’t need it, make it the empty string

-kevin

Kevin Falcone wrote:

I noticed that the info for LDAP when using ExternalAuth mentions that you MUST have a d
filter defined.

My quick question is why? If my regular filter is working, anyone not meeting that
specification will be denied anyway, so why the must for the d filter?

It’s just part of the way it’s designed and the way LDAP filters are
generated. It’s not brilliant, but it works well.

If you don’t need it, make it the empty string

-kevin

Have you tested that? I haven’t checked within living memory, but my
general recommendation is to use something like (objectClass=ScoobyDoo)
so you guarantee not to match. I’m not sure that an empty string won’t
cause a syntax failure on lookup.

Kind Regards,

Mike Peachey, IT Systems Administrator
Tel: +44 114 281 2655
Fax: +44 114 281 2951
Jennic Ltd, Furnival Street, Sheffield, S1 4QT, UK
Comp Reg No: 3191371 - Registered In England

If you don’t need it, make it the empty string

Have you tested that? I haven’t checked within living memory, but my
general recommendation is to use something like (objectClass=ScoobyDoo)
so you guarantee not to match. I’m not sure that an empty string won’t
cause a syntax failure on lookup.

unless ($d_filter) {
    # If we don't know how to check for disabled users, consider them all enabled.
    $RT::Logger->debug("No d_filter specified for this LDAP service (",
                       $service,
                       "), so considering all users enabled");
    return 0;
}

-kevin

Kevin Falcone wrote:
> On Fri, Jul 09, 2010 at 08:55:11AM +0100, Mike Peachey wrote:

If you don’t need it, make it the empty string

Have you tested that? I haven’t checked within living memory, but my
general recommendation is to use something like (objectClass=ScoobyDoo)
so you guarantee not to match. I’m not sure that an empty string won’t
cause a syntax failure on lookup.

unless ($d_filter) {
    # If we don't know how to check for disabled users, consider them all enabled.
    $RT::Logger->debug("No d_filter specified for this LDAP service (",
                       $service,
                       "), so considering all users enabled");
    return 0;
}

-kevin

Ah yes.
Kind Regards,

Mike Peachey, IT Systems Administrator
Tel: +44 114 281 2655
Fax: +44 114 281 2951
Jennic Ltd, Furnival Street, Sheffield, S1 4QT, UK
Comp Reg No: 3191371 - Registered In England
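
The d_filter settings discussed in this thread, modelled as an added Python example (not RT::Authen::ExternalAuth's own code). It assumes that, after the empty-value guard quoted above, a user counts as disabled when their entry matches both filter and d_filter; the small filter evaluator, the sample entries and the nsAccountLock attribute are constructed for the illustration.

```python
import re

def parse(text):
    """Parse a basic LDAP filter: &, |, ! and attr=value ('*' means present)."""
    node, rest = _parse(text.strip())
    if rest:
        raise ValueError("trailing text after filter: " + rest)
    return node

def _parse(s):
    if not s.startswith("("):
        raise ValueError("filter must be wrapped in parentheses: " + repr(s))
    s = s[1:]
    if s[:1] in ("&", "|", "!"):
        op, s, kids = s[0], s[1:], []
        while s.startswith("("):
            kid, s = _parse(s)
            kids.append(kid)
        if not kids or not s.startswith(")"):
            raise ValueError("malformed filter")
        return (op, kids), s[1:]
    m = re.match(r"([\w-]+)=([^()]*)\)", s)
    if not m:
        raise ValueError("malformed filter item")
    return ("=", m.group(1).lower(), m.group(2)), s[m.end():]

def matches(node, entry):
    if node[0] == "=":
        values = [v.lower() for v in entry.get(node[1], [])]
        return bool(values) if node[2] == "*" else node[2].lower() in values
    results = [matches(kid, entry) for kid in node[1]]
    if node[0] == "!":
        return not results[0]
    return all(results) if node[0] == "&" else any(results)

def user_disabled(entry, flt, d_filter):
    if not d_filter:  # same guard as the Perl snippet: no d_filter, all enabled
        return False
    # Assumption: filter and d_filter are ANDed into one search.
    return matches(parse("(&" + flt + d_filter + ")"), entry)

# Constructed sample directory entries (attribute names lower-cased).
USERS = {
    "alice": {"objectclass": ["person"], "uid": ["alice"]},
    "bob": {"objectclass": ["person"], "uid": ["bob"], "nsaccountlock": ["true"]},
}
FILTER = "(objectClass=person)"

def outcomes(d_filter):
    """Map each sample user to True if this d_filter marks them disabled."""
    return {n: user_disabled(e, FILTER, d_filter) for n, e in USERS.items()}
```

With an empty d_filter, `bob` is reported as enabled even though his constructed entry carries a lock attribute, which is the trade-off of skipping the disabled check.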