Below is an example of an LDAP filter that shows the correct syntax for checking whether a user belongs to any one of several groups. It lets an administrator define a single LDAP policy with the "list of users" option and check it against multiple LDAP groups, so there is no need for a separate LDAP policy for each group.
For example, the filter below matches users that are members of either of the groups SentryUserGroup1 or SentryUserGroup2.
The root DN is set to: CN=SentryUsers,CN=Support,DC=Forumsys,DC=COM
(|(memberOf=CN=SentryUserGroup1,CN=SentryUsers,CN=Support,DC=Forumsys,DC=COM)(memberOf=CN=SentryUserGroup2,CN=SentryUsers,CN=Support,DC=Forumsys,DC=COM))
Note that memberOf reflects direct group membership: a user who belongs to one of these groups only through a nested group is not matched by this filter.
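The following is an added example (not Sentry's own code) that builds this kind of "member of any of these groups" filter from a list of group DNs, and escapes any externally supplied value with the backslash-hexcode notation so that a username such as *)(cn=* cannot break out of its assertion and widen the search. The login attribute sAMAccountName and the function names are assumptions for illustration.

```python
"""Build a "member of any of these groups" filter with RFC 2254 escaping
(added example, not Sentry's own code)."""
from typing import Iterable

# Characters that must be escaped inside a filter assertion value (RFC 2254 / RFC 4515).
_ESCAPES = {"\\": "\\5c", "*": "\\2a", "(": "\\28", ")": "\\29", "\x00": "\\00"}


def escape_filter_value(value: str) -> str:
    """Escape one assertion value using the backslash-hexcode notation.

    Non-ASCII characters are left as Unicode, as the documentation requires;
    only the ASCII metacharacters are rewritten.
    """
    return "".join(_ESCAPES.get(ch, ch) for ch in value)


def member_of_filter(group_dns: Iterable[str]) -> str:
    """OR together one (memberOf=...) assertion per group DN."""
    clauses = [f"(memberOf={escape_filter_value(dn)})" for dn in group_dns]
    if not clauses:
        raise ValueError("at least one group DN is required")
    return clauses[0] if len(clauses) == 1 else "(|" + "".join(clauses) + ")"


def user_in_groups_filter(username: str, group_dns: Iterable[str],
                          login_attr: str = "sAMAccountName") -> str:
    """Match a single user (login attribute is an assumption) who is in any listed group.

    The username comes from outside and is escaped, so a value such as
    '*)(cn=*' cannot break out of its assertion and widen the search.
    """
    return f"(&({login_attr}={escape_filter_value(username)}){member_of_filter(group_dns)})"


# Group DNs from the example above.
GROUPS = [
    "CN=SentryUserGroup1,CN=SentryUsers,CN=Support,DC=Forumsys,DC=COM",
    "CN=SentryUserGroup2,CN=SentryUsers,CN=Support,DC=Forumsys,DC=COM",
]

if __name__ == "__main__":
    print(member_of_filter(GROUPS))
    print(user_in_groups_filter("*)(cn=*", GROUPS))
```

If you already use an LDAP library, prefer its escaping routine over a hand-written one: python-ldap provides ldap.filter.escape_filter_chars and ldap3 provides ldap3.utils.conv.escape_filter_chars, both implementing the same backslash-hex rules.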
To make building LDAP filters easier, we recommend using an LDAP browser. For instance, the Directory Search option of the free LDAP Browser from Softerra will essentially build the filter for you; you can then copy and paste it into Sentry.
More information from the Sentry Documentation (Access Control Guide):
The filter is a string representation of an LDAP search filter as defined in RFC 2254. The following interpretations of attr and value mentioned in the RFC are used:
attr is the attribute's identifier.
value is the string representation of the attribute's value; the translation of this string representation into the attribute's value is directory-specific.
Any non-ASCII characters in the filter string should be represented by the appropriate Unicode characters, and not encoded as UTF-8 octets.
Alternately, the "backslash-hexcode" notation described in RFC 2254 may be used.
RFC 2254 defines certain operators for the filter, including substring matches, equality, approximate match, greater than and less than. These operators are mapped to operators with corresponding semantics in the underlying directory.
With the “equals” operator, for example, suppose the directory has a matching rule defining "equality" of the attributes in the filter. This rule would be used for checking equality of the attributes specified in the filter with the attributes of objects in the directory. Similarly, if the directory has a matching rule for ordering, this rule would be used for making "greater than" and "less than" comparisons.
Not all of the operators defined in RFC 2254 are applicable to all attributes. When an operator is not applicable, it will cause an error. Examples:
(cn=Babs Jensen)
(!(cn=Tim Howes))
(&(objectClass=Person)(|(sn=Jensen)(cn=Babs J*)))
(o=univ*of*mich*)
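As an added example (not Sentry's code or the RFC's reference implementation), the following small parser and evaluator implements the filter grammar the documentation describes, including AND, OR, NOT, equality, substring wildcards, ordering comparisons and the backslash-hex escapes, and runs the four example filters above against two constructed entries. Approximate match (~=) is deliberately rejected with an error, mirroring the "operator not applicable" behaviour described above, since its matching rule is directory-specific. The entry format and function names are assumptions for illustration.

```python
"""Minimal RFC 2254 filter parser and evaluator (added example, not Sentry code).

Supports & | ! operators, equality, substring ('*' wildcards), ordering
(>= and <=) and backslash-hex escapes. Approximate match (~=) raises,
mirroring the directory-specific "not applicable" error the documentation
describes.
"""
import re
from typing import Dict, List, Tuple

Entry = Dict[str, List[str]]  # lower-cased attribute name -> values

_ITEM = re.compile(r"([A-Za-z][\w.;-]*)(~=|>=|<=|=)(.*)", re.S)


def _unescape(value: str) -> str:
    """Turn RFC 2254 backslash-hex sequences (e.g. \\2a) back into characters."""
    return re.sub(r"\\([0-9A-Fa-f]{2})", lambda m: chr(int(m.group(1), 16)), value)


def _expect(text: str, pos: int, ch: str) -> None:
    if pos >= len(text) or text[pos] != ch:
        raise ValueError(f"expected {ch!r} at offset {pos}")


def parse_filter(text: str) -> Tuple:
    """Parse a filter string into a small tuple-based AST."""
    node, pos = _parse(text, 0)
    if pos != len(text):
        raise ValueError(f"trailing data after filter at offset {pos}")
    return node


def _parse(text: str, pos: int) -> Tuple[Tuple, int]:
    _expect(text, pos, "(")
    pos += 1
    if pos >= len(text):
        raise ValueError("unterminated filter")
    op = text[pos]
    if op in "&|":
        kids, pos = [], pos + 1
        while pos < len(text) and text[pos] == "(":
            kid, pos = _parse(text, pos)
            kids.append(kid)
        _expect(text, pos, ")")
        return (op, kids), pos + 1
    if op == "!":
        kid, pos = _parse(text, pos + 1)
        _expect(text, pos, ")")
        return ("!", kid), pos + 1
    # A simple item runs to the next ')'; a literal ')' in a value must be escaped as \29.
    end = text.find(")", pos)
    if end < 0:
        raise ValueError("unterminated filter item")
    m = _ITEM.fullmatch(text[pos:end])
    if not m:
        raise ValueError(f"malformed filter item {text[pos:end]!r}")
    attr, cmp, value = m.group(1).lower(), m.group(2), m.group(3)
    if cmp == "=" and "*" in value:
        # Split on unescaped '*' first, then unescape each piece, so \2a stays a literal.
        return ("substr", attr, [_unescape(p) for p in value.split("*")]), end + 1
    return (cmp, attr, _unescape(value)), end + 1


def matches(node: Tuple, entry: Entry) -> bool:
    """Evaluate a parsed filter against one entry (case-insensitive matching rules)."""
    kind = node[0]
    if kind == "&":
        return all(matches(k, entry) for k in node[1])
    if kind == "|":
        return any(matches(k, entry) for k in node[1])
    if kind == "!":
        return not matches(node[1], entry)
    values = entry.get(node[1], [])
    if kind == "substr":
        pattern = ".*".join(re.escape(p) for p in node[2])
        return any(re.fullmatch(pattern, v, re.I | re.S) for v in values)
    if kind == "=":
        return any(v.lower() == node[2].lower() for v in values)
    if kind in (">=", "<="):
        # Stand-in for an ordering matching rule: case-insensitive string order.
        op = (lambda a, b: a >= b) if kind == ">=" else (lambda a, b: a <= b)
        return any(op(v.lower(), node[2].lower()) for v in values)
    raise ValueError(f"operator {kind!r} is not applicable: approximate match is directory-specific")


def filter_matches(text: str, entry: Entry) -> bool:
    return matches(parse_filter(text), entry)


# Constructed sample entries (not from any real directory).
BABS: Entry = {"objectclass": ["person"], "cn": ["Babs Jensen"], "sn": ["Jensen"],
               "o": ["University of Michigan"]}
TIM: Entry = {"objectclass": ["person"], "cn": ["Tim Howes"], "sn": ["Howes"],
              "o": ["Netscape"]}

if __name__ == "__main__":
    for f in ["(cn=Babs Jensen)", "(!(cn=Tim Howes))",
              "(&(objectClass=Person)(|(sn=Jensen)(cn=Babs J*)))", "(o=univ*of*mich*)"]:
        print(f"{f:55} Babs={filter_matches(f, BABS)!s:5} Tim={filter_matches(f, TIM)}")
```

Because a raw ")" terminates an item and a raw "*" introduces a wildcard, the parser also shows why values must be escaped before being spliced into a filter: an escaped \2a compares as a literal asterisk, while an unescaped one turns an equality test into a substring (or presence) match.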
For more information, review RFC 2254 - The String Representation of LDAP Search Filters at http://www.ietf.org/rfc/rfc2254.txt. RFC 2254 has since been obsoleted by RFC 4515, which defines the same filter syntax.