Ok, I’ve been looking all over the forum pages and can’t find the answer I need. Below is what I’m trying to create for my search filter and group search filter. I can’t seem to get the search correct. I’m new to this and don’t know how to put the string together.
I want the searchfilter to show just users that are members of all CN groups under a certain OU.
I also want the groupsearchfilter to show the CN groups that are under that same OU.
One important note: LDAP doesn’t support filtering based on DN (i.e. DN=CN=Some Group,OU=IM Groups,DC=MNO,DC=PQR,DC=COM). The only way to limit searches to that OU is to key off of some attribute inside the Group or to tell Wildfire to bind to that OU (with the baseDN directive).
What you can do is use sub-grouping. Create a global group called WildfireAccess. Make the groups you want to show up in Wildfire members of that new group. Do the same thing for the users you want to have access to Wildfire. Then adjust your filters to make sure that only users and groups that are members of the WildfireAccess group are selected.
For more details, see my replies to some really old posts that dealt with this issue:
Wouldn’t I be able to create a WildFire Group and just add my Dept1 Grp, Dept2 Grp, etc… groups as members of that group and do the same thing? As users are already members of Dept* Grps, they would then inherit the WildFire Group?
If I then had my search filter just look at WildFire Group for both Users and Groups it would get both. Correct?
Thanks for the feedback, jaye. Your findings line up with my understanding of how the LDAP support works. Let me do a little explaining…
Wildfire uses the user search filter to get a list of users that should be given access. If user1 is a member of “IT Group” but not “Wildfire IM Group”, the LDAP user object will not have an attribute of “memberOf=CN=Wildfire IM Group”, so the query will obviously fail. As wvankuyk noted, Wildfire doesn’t traverse nested group memberships, so this setup won’t work.
Any Jive folks watching this discussion? How about adding a Feature Request for LDAP group membership traversal? This feature would make managing LDAP even easier than it already is.
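The two points made in this thread, the WildfireAccess umbrella-group filters suggested above and the reason a nested membership is not matched by a memberOf filter, can be seen side by side in the following added example. It is not code from the thread or from Wildfire: it builds the user and group filter strings with RFC 4515 value escaping, evaluates them against a constructed in-memory directory (the DNs, user names and attribute values are made up for illustration, based on the OU named in the thread), and then shows the extra expansion step that group-membership traversal would need. The helper names (`member_of_filter`, `search`, `nested_members`) are this example's own.

```python
"""Added example, not from the forum thread or from Wildfire: memberOf-based
LDAP filters evaluated against a constructed directory, showing that only
direct members of the umbrella group match and what nested traversal adds."""
from __future__ import annotations
import re

# Constructed DNs. The OU mirrors the one used in the thread; users are made up.
GROUP_BASE = "OU=IM Groups,DC=MNO,DC=PQR,DC=COM"
USER_BASE = "OU=Users,DC=MNO,DC=PQR,DC=COM"
ACCESS_GROUP = f"CN=WildfireAccess,{GROUP_BASE}"   # umbrella group from the thread
IT_GROUP = f"CN=IT Group,{GROUP_BASE}"
USER1, USER2, USER3 = (f"CN=user{i},{USER_BASE}" for i in (1, 2, 3))

# Constructed directory: DN -> {attribute: [values]}. user1 is a direct member of
# WildfireAccess; user2 is only a member of IT Group, which is itself a member.
DIRECTORY = {
    ACCESS_GROUP: {"objectClass": ["group"], "member": [IT_GROUP, USER1]},
    IT_GROUP: {"objectClass": ["group"], "memberOf": [ACCESS_GROUP], "member": [USER2]},
    USER1: {"objectClass": ["user"], "memberOf": [ACCESS_GROUP]},
    USER2: {"objectClass": ["user"], "memberOf": [IT_GROUP]},
    USER3: {"objectClass": ["user"], "memberOf": []},
}


def escape_filter_value(value: str) -> str:
    """RFC 4515 escaping: a value placed in a filter must not contain raw
    '(', ')', '*', '\\' or NUL, so they become backslash + two hex digits."""
    return "".join("\\%02x" % ord(c) if c in "\\*()\x00" else c for c in value)


def unescape_filter_value(raw: str) -> str:
    return re.sub(r"\\([0-9a-fA-F]{2})", lambda m: chr(int(m.group(1), 16)), raw)


def member_of_filter(object_class: str, group_dn: str) -> str:
    """The filter shape suggested in the thread: objects of a class that carry
    memberOf=<umbrella group DN>. Used for both the user and the group filter."""
    return (f"(&(objectClass={escape_filter_value(object_class)})"
            f"(memberOf={escape_filter_value(group_dn)}))")


def parse_filter(text: str, pos: int = 0):
    """Parse the RFC 4515 subset used here: (&..), (|..), (!..), (attr=value).
    Returns (node, position after the closing parenthesis)."""
    if text[pos] != "(":
        raise ValueError("filter must start with '('")
    pos += 1
    op = text[pos]
    if op in "&|!":
        pos += 1
        children = []
        while text[pos] == "(":
            child, pos = parse_filter(text, pos)
            children.append(child)
        if text[pos] != ")":
            raise ValueError("unterminated filter")
        return (op, children), pos + 1
    end = text.index(")", pos)          # safe: a raw ')' in a value is escaped
    attr, _, raw = text[pos:end].partition("=")
    return ("=", attr, unescape_filter_value(raw)), end + 1


def matches(node, entry: dict) -> bool:
    kind = node[0]
    if kind == "&":
        return all(matches(c, entry) for c in node[1])
    if kind == "|":
        return any(matches(c, entry) for c in node[1])
    if kind == "!":
        return not matches(node[1][0], entry)
    _, attr, value = node
    # Attribute names and DN-valued attributes compare case-insensitively.
    values = next((v for k, v in entry.items() if k.lower() == attr.lower()), [])
    return any(v.lower() == value.lower() for v in values)


def search(filter_text: str) -> list[str]:
    """Evaluate a filter against every entry, like a subtree search would."""
    node, _ = parse_filter(filter_text)
    return sorted(dn for dn, entry in DIRECTORY.items() if matches(node, entry))


def nested_members(group_dn: str, seen: set | None = None) -> set[str]:
    """What group-membership traversal would have to do: follow 'member' into
    sub-groups recursively, guarding against membership cycles."""
    seen = set() if seen is None else seen
    found: set[str] = set()
    for dn in DIRECTORY.get(group_dn, {}).get("member", []):
        entry = DIRECTORY.get(dn, {})
        if "group" in entry.get("objectClass", []):
            if dn not in seen:
                seen.add(dn)
                found |= nested_members(dn, seen)
        else:
            found.add(dn)
    return found


if __name__ == "__main__":
    print("user filter :", member_of_filter("user", ACCESS_GROUP))
    print("users       :", search(member_of_filter("user", ACCESS_GROUP)))    # user1 only
    print("groups      :", search(member_of_filter("group", ACCESS_GROUP)))   # IT Group
    print("with nesting:", sorted(nested_members(ACCESS_GROUP)))              # user1, user2
```

Running it shows the behaviour described in the last reply: the user filter returns only user1, because user2's object carries `memberOf=CN=IT Group,...` and nothing mentions WildfireAccess, while the group filter does pick up IT Group. The `nested_members` expansion is the client-side work a traversal feature would have to perform before the Dept* groups-under-an-umbrella-group layout could grant access to their users.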