Return-Path: X-Original-To: apmail-directory-users-archive@www.apache.org Delivered-To: apmail-directory-users-archive@www.apache.org Received: from mail.apache.org (hermes.apache.org [140.211.11.3]) by minotaur.apache.org (Postfix) with SMTP id 0744710893 for ; Thu, 19 Mar 2015 06:30:42 +0000 (UTC) Received: (qmail 85841 invoked by uid 500); 19 Mar 2015 06:30:41 -0000 Delivered-To: apmail-directory-users-archive@directory.apache.org Received: (qmail 85799 invoked by uid 500); 19 Mar 2015 06:30:41 -0000 Mailing-List: contact users-help@directory.apache.org; run by ezmlm Precedence: bulk List-Help: List-Unsubscribe: List-Post: List-Id: Reply-To: users@directory.apache.org Delivered-To: mailing list users@directory.apache.org Received: (qmail 85787 invoked by uid 99); 19 Mar 2015 06:30:41 -0000 Received: from athena.apache.org (HELO athena.apache.org) (140.211.11.136) by apache.org (qpsmtpd/0.29) with ESMTP; Thu, 19 Mar 2015 06:30:41 +0000 X-ASF-Spam-Status: No, hits=-0.7 required=5.0 tests=RCVD_IN_DNSWL_LOW,SPF_PASS X-Spam-Check-By: apache.org Received-SPF: pass (athena.apache.org: domain of elecharny@gmail.com designates 209.85.212.176 as permitted sender) Received: from [209.85.212.176] (HELO mail-wi0-f176.google.com) (209.85.212.176) by apache.org (qpsmtpd/0.29) with ESMTP; Thu, 19 Mar 2015 06:30:34 +0000 Received: by wifj2 with SMTP id j2so59630445wif.1 for ; Wed, 18 Mar 2015 23:29:29 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20120113; h=message-id:date:from:user-agent:mime-version:to:subject:references :in-reply-to:content-type:content-transfer-encoding; bh=WuqQuuU/rBEI+shcPvdoEx1zEQR3kmWbiuYDjCB3bmI=; b=zmJY3VftoiVvuNvwPM2Oey7J8R8oMQzsOjF0bw+HK7iZqR+V9agZY0/TK0lC2oH9Fn mHEpfRE+FLZ4Y/HE4bSyHIN6wl2AcE7hVfOeDcGKyqUd3ANv81U5M/Q2woTciDJsv78X q+z3C4YyNNb5w9IIOn0eACA3BsSJFy57nQ0726kSKtuh4txPWS8Zz+0R1IjcxtbfDGD9 TpMxqTTnTv2ykd15Nm3jKbOpJHxPBFjC+b0zYkycZMegyD+Izvj2yIeoTVgq/ptJnJez 8rNq14lqjGSrVBp8HufiEmcHmOQ9XD7cB7VlbTMlhJGeVsZASEQi/ofgy5tuEqB12vpF 9YfA== X-Received: by 10.180.19.73 with SMTP id c9mr13672524wie.10.1426746569246; Wed, 18 Mar 2015 23:29:29 -0700 (PDT) Received: from [192.168.1.20] (AMontsouris-651-1-10-164.w90-46.abo.wanadoo.fr. [90.46.101.164]) by mx.google.com with ESMTPSA id d9sm1059349wib.20.2015.03.18.23.29.21 for (version=TLSv1.2 cipher=ECDHE-RSA-AES128-GCM-SHA256 bits=128/128); Wed, 18 Mar 2015 23:29:22 -0700 (PDT) Message-ID: <550A6CC0.7050401@gmail.com> Date: Thu, 19 Mar 2015 07:29:20 +0100 From: =?UTF-8?B?RW1tYW51ZWwgTMOpY2hhcm55?= User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.9; rv:31.0) Gecko/20100101 Thunderbird/31.5.0 MIME-Version: 1.0 To: users@directory.apache.org Subject: Re: checking group membership during while binding References: In-Reply-To: Content-Type: text/plain; charset=utf-8 Content-Transfer-Encoding: quoted-printable X-Virus-Checked: Checked by ClamAV on apache.org Le 19/03/15 00:50, Michael Perelman a =C3=A9crit : > While using Apache LDAP java APIs, is there a way to check for group me= mbership during the binding process? Or is the only way to determine grou= p membership is by doing a regular lookup, and only after binding? The la= tter approach may not work because the authenticated user may not have th= e access rights to perform any lookups, thereby forcing the use of an LDA= P administrator. That means that its credentials need to be stored somewh= ere outside the LDAP server in order for the client code to use its accou= nt for the aforementioned lookup. What approach would you suggest? > =20 I'm not sure what you want to do here. What is your "check for group membership" in LDPA terms ? If you mean you want to look at the content of the 'member' attribute, then yes, a lookuo is the way. If you don't want to do that regularly, then using the persistentSearch contrl might be an option : you will be informed of any change done on this attribute. Obviously, you will depend on yoru LDAP server settings to have access to this attribute. If your server does not allow operations to be done without any binding (yes, you can do a search without doing any bind, this is allowed by the protocol, but most generally forbidden by some server configuration), then depending on the authorization, you might also have to pick the right user to complete such a lookup. All in all, it's really a server configuration problem...