What Is The Difference Between The Three LDAP Control Filters?
What is the difference between the three LDAP Control Filters in the LDAP Advanced Configuration page?
The three LDAP Control Filters are as follows:
· Enable User Access Control Filter
· Enable User Privacy Control Filter
· Enable User Membership Control Filter
The three filters share the same syntax and semantics and are combined with an AND relationship, so enabling more than one narrows access to a more granular level.
In concept, all three filters control who can access DocuShare. During authentication, the user logging in must satisfy every selected filter; otherwise he/she can NOT log in to the DocuShare site.
"User access control" and "User privacy control" are treated equally in the code.
Their syntax follows the standard LDAP query format, and they filter users by their LDAP user attributes.
For example:
[1] (cn=test*)
That means the first name of the user must start with 'test'.
"User membership control" is mainly designed for SunOne/NDS users.
On an Active Directory (AD) server, customers can use the memberOf attribute if they want only the users belonging to specified groups to be able to access DocuShare, so that all other users can NOT access DocuShare.
Example: (|(memberOf=CN=DSGROUP1,OU=marketing,DC=docushare,DC=local)(memberOf=CN=DSGROUP2,OU=marketing,DC=docushare,DC=local))
Such a filter can be used in either the "User access control" or the "User privacy control" filter.
A SunOne/NDS server has no such attribute. To make managing users by group possible, we defined our own filter format. Details on the filter format are listed in the appendix section at the end of this solution or in the online help.
Here are some typical uses to help you understand these filters:
Enable User Access Control
Select to use a User Access filter to control user access to your DocuShare site.
For example:
"User Access Control" filter is (cn=test*)
A user whose DN is cn=John Smith,ou=marketing,dc=Xerox,dc=com can NOT log in to DocuShare because its CN does not satisfy the filter.
Enable User Privacy Control
Select to use an authentication filter to control privacy sensitive authentication.
This is the same as the "User Access Control" filter. It works together with the "User Access Control" filter in an AND relationship.
For example:
"User Access Control" filter is (cn=test*)
"User Privacy Control" filter is (mail=*xerox.com*)
A user whose DN is cn=test1,ou=marketing,dc=Xerox,dc=com but whose mail address is test1@yahoo.com can NOT log in to DocuShare, because it satisfies only the "User Access Control" filter and NOT the "User Privacy Control" filter.
Enable User Membership Control
Select to use a membership filter to control authentication.
This means membership in an LDAP group is required for the user to be authenticated at login.
For example:
"User Access Control" filter is (cn=test*)
"User Privacy Control" filter is (mail=*xerox.com*)
"User membership control" filter is (|(childOf = CN=GROUP1,OU=marketing,DC=docushare,DC=Xerox,DC=com)(descendantOf = CN=GROUP2,OU=marketing,DC=docushare,DC=Xerox,DC=com))
A user whose DN is cn=test1,ou=marketing,dc=Xerox,dc=com, AND whose email address is test1@xerox.com, AND who does NOT directly belong to Group1 AND is NOT a descendant of Group2, can NOT log in to DocuShare: he/she satisfies the "User Access Control" and "User Privacy Control" filters but does not satisfy the "User membership control" filter.
Appendix:
User Membership Control filter description.
The User Membership Control Filter format definition is as follows:
[1.1] Require the user to be a direct member of a group
(childOf = group's DN)
Example:
(childOf = CN=Group1,OU=marketing,DC=docushare,DC=Xerox,DC=com)
/* user must directly belong to Group1 */
[1.2] Require the user to be a descendant of a group
(descendantOf = group's DN)
Example:
(descendantOf = CN=Group2,OU=marketing,DC=docushare,DC=Xerox,DC=com)
/* user must be a descendant of Group2 */
[1.3] OR relationship on multiple groups
Example:
(|(childOf = CN=Group1,OU=marketing,DC=docushare,DC=Xerox,DC=com)(descendantOf = CN=Group2,OU=marketing,DC=docushare,DC=Xerox,DC=com))
/* user must directly belong to Group1 OR be a descendant of Group2 */
[1.4] AND relationship on multiple groups
Example: (&(childOf = CN=Group1,OU=marketing,DC=docushare,DC=Xerox,DC=com)(descendantOf = CN=Group2,OU=marketing,DC=docushare,DC=Xerox,DC=com))
/* user must directly belong to Group1 AND be a descendant of Group2 */
Notes: AND and OR relationships can NOT be used at the same time in one filter. The filter must be enclosed in brackets (parentheses).
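To make the AND relationship between the three filters and the childOf/descendantOf membership format concrete, here is an added Python example; it is not part of this solution and not DocuShare's own code. It parses the filter subset used on this page, evaluates it against constructed users and a constructed nested-group hierarchy, rejects a filter with a stray bracket layer such as (|((...)(...))), and enforces the appendix note that AND and OR may not be mixed in a membership filter. It assumes that a direct member also counts as a descendant of a group; all user attributes, group names and the nesting are made up for the example.

```python
import re
from dataclasses import dataclass

# Constructed example, not DocuShare's own code: evaluates the control-filter subset used on this
# page: (attr=value) items with '*' wildcards, (&...)/(|...) lists, and childOf/descendantOf.

@dataclass
class User:
    attrs: dict                              # LDAP attributes, e.g. {"cn": "test1"}
    direct_groups: frozenset = frozenset()   # DNs of groups the user is a direct member of

# Constructed nested-group hierarchy: member group DN -> DNs of the groups it belongs to.
GROUP_PARENTS = {"cn=subgroup,ou=marketing,dc=docushare,dc=xerox,dc=com":
                 {"cn=group2,ou=marketing,dc=docushare,dc=xerox,dc=com"}}

def norm_dn(dn):
    """Normalise a DN for comparison: lower-case, no spaces around the commas."""
    return ",".join(p.strip() for p in dn.lower().split(","))

def parse(filter_text):
    text = filter_text.strip()
    node, pos = _parse_node(text, 0)
    if pos != len(text):
        raise ValueError("trailing characters after the filter")
    return node

def _parse_node(s, i):
    if i >= len(s) or s[i] != "(":
        raise ValueError("filter must be enclosed in parentheses")
    i += 1
    if i < len(s) and s[i] in "&|":          # (&...) or (|...) list
        op, children, i = s[i], [], i + 1
        while i < len(s) and s[i] == "(":
            child, i = _parse_node(s, i)
            children.append(child)
        if not children or i >= len(s) or s[i] != ")":
            raise ValueError("malformed %s list" % op)
        return (op, children), i + 1
    end = s.find(")", i)                      # simple (attr=value) item
    attr, eq, value = s[i:end].partition("=")
    if end == -1 or not eq or not re.fullmatch(r"[A-Za-z][A-Za-z0-9;.-]*", attr.strip()):
        raise ValueError("bad item %r" % s[i:end])
    return ("=", attr.strip(), value.strip()), end + 1

def _all_groups(user):
    # Direct groups plus every group reached through nesting. Assumption: a direct
    # member also counts as a descendant of that group.
    seen, todo = set(), [norm_dn(g) for g in user.direct_groups]
    while todo:
        g = todo.pop()
        if g not in seen:
            seen.add(g)
            todo.extend(GROUP_PARENTS.get(g, ()))
    return seen

def _matches(node, user):
    if node[0] in "&|":
        combine = all if node[0] == "&" else any
        return combine(_matches(c, user) for c in node[1])
    _, attr, value = node
    attr = attr.lower()
    if attr == "childof":
        return norm_dn(value) in {norm_dn(g) for g in user.direct_groups}
    if attr == "descendantof":
        return norm_dn(value) in _all_groups(user)
    attrs = {k.lower(): v for k, v in user.attrs.items()}
    if attr not in attrs:                     # an absent attribute never matches
        return False
    pattern = "^" + ".*".join(re.escape(p) for p in value.split("*")) + "$"
    return re.match(pattern, str(attrs[attr]), re.IGNORECASE) is not None

def matches(filter_text, user):
    return _matches(parse(filter_text), user)

def validate_membership_filter(filter_text):
    """Appendix rule: AND and OR cannot be used at the same time in a membership filter."""
    ops, todo = set(), [parse(filter_text)]
    while todo:
        node = todo.pop()
        if node[0] in "&|":
            ops.add(node[0])
            todo.extend(node[1])
    if ops == {"&", "|"}:
        raise ValueError("AND and OR cannot be combined in a membership filter")

def may_log_in(user, access=None, privacy=None, membership=None):
    """The three control filters are ANDed: every enabled (non-None) filter must match."""
    if membership is not None:
        validate_membership_filter(membership)
    return all(matches(f, user) for f in (access, privacy, membership) if f is not None)

# The page's example configuration.
ACCESS = "(cn=test*)"
PRIVACY = "(mail=*xerox.com*)"
MEMBERSHIP = ("(|(childOf = CN=GROUP1,OU=marketing,DC=docushare,DC=Xerox,DC=com)"
              "(descendantOf = CN=GROUP2,OU=marketing,DC=docushare,DC=Xerox,DC=com))")

# Constructed users; SubGroup is nested under Group2 in GROUP_PARENTS above.
GROUP1 = "CN=Group1,OU=marketing,DC=docushare,DC=Xerox,DC=com"
SUBGROUP = "CN=SubGroup,OU=marketing,DC=docushare,DC=Xerox,DC=com"
TEST1_YAHOO = User({"cn": "test1", "mail": "test1@yahoo.com"}, frozenset({GROUP1}))
TEST1_NOGROUP = User({"cn": "test1", "mail": "test1@xerox.com"})
TEST2_NESTED = User({"cn": "test2", "mail": "test2@xerox.com"}, frozenset({SUBGROUP}))
```

Calling may_log_in(TEST1_YAHOO, ACCESS, PRIVACY, MEMBERSHIP) reproduces the second example above (access passes, privacy fails), TEST1_NOGROUP reproduces the third (only the membership filter fails, and the same user is accepted when the membership filter is left disabled), and TEST2_NESTED is accepted only because descendantOf follows the group nesting. The parser deliberately rejects a bare inner bracket layer, so a filter written as (|((memberOf=...)(memberOf=...))) fails validation before it can silently match nothing.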
Solution Published: February 20th, 2013
Solution ID: 1273