
Query LDAP to get Role of a User


I am new to LDAP and I have tried implementing RBAC on OpenLDAP. I created some users (inetOrganizationPerson) and put them in groups (groupOfNames). Next I created some roles (organizationalRole) and associated (roleOccupant) them with user groups, instead of directly associating them with users.

My Example Organization Model

I am trying to write a query that can give me the role of a given user. It should determine to which group or groups that user belongs, and what roles are assigned to those groups.

I suppose I can do it through two separate queries:

1) /usr/local/bin/ldapsearch -x -b 'ou=Groups,dc=example,dc=com' -s sub -LLL "(&(objectclass=groupOfNames)(member=uid=anurag,ou=People,dc=example,dc=com))" cn

2) /usr/local/bin/ldapsearch -x -b 'ou=Roles,dc=example,dc=com' -s sub -LLL "(&(objectclass=organizationalRole)(roleOccupant=cn=Administrators,ou=Groups,dc=example,dc=com))" cn

In the first query, member 'anurag' is the parameter and it yields 'Administrators' as the group to which user 'anurag' belongs. The second query takes 'Administrators' (from the first query) as a parameter and it yields 'Admin' as the role.

However, I am looking for how I can achieve this through a single query, provided it is more efficient. More importantly, how is it typically done?
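As an added example (not from the question or the answer), the two-step lookup above wired together in Python around the same ldapsearch commands: step two is collapsed into one OR filter over all of the user's groups, and every DN placed in a filter is escaped per RFC 4515 so a crafted uid or DN cannot change the filter's structure. The ldapsearch path, base DNs and the sample LDIF are assumptions taken from the question; the example generalises to users in more than one group.

```python
import subprocess
from typing import List

# Assumed paths and bases, taken from the question's ldapsearch commands.
LDAPSEARCH = "/usr/local/bin/ldapsearch"
GROUPS_BASE = "ou=Groups,dc=example,dc=com"
ROLES_BASE = "ou=Roles,dc=example,dc=com"
# Constructed sample of query 1's -LLL output (not real server output).
SAMPLE_GROUP_LDIF = ("dn: cn=Administrators,ou=Groups,dc=example,dc=com\n"
                     "cn: Administrators\n\n")

def escape_filter_value(value: str) -> str:
    """RFC 4515 escaping so a DN/uid cannot alter the filter structure (filter injection)."""
    return "".join("\\%02x" % ord(c) if c in "\\*()\x00" else c for c in value)

def group_filter(user_dn: str) -> str:
    """Query 1 from the question: groups whose member attribute holds the user."""
    return "(&(objectClass=groupOfNames)(member=%s))" % escape_filter_value(user_dn)

def role_filter(group_dns: List[str]) -> str:
    """Query 2, generalised: one search covering every group via an OR filter
    instead of one ldapsearch per group."""
    if not group_dns:
        raise ValueError("no groups to look up")
    clauses = "".join("(roleOccupant=%s)" % escape_filter_value(g) for g in group_dns)
    inner = clauses if len(group_dns) == 1 else "(|%s)" % clauses
    return "(&(objectClass=organizationalRole)%s)" % inner

def parse_attr(ldif: str, attr: str) -> List[str]:
    """Values of `attr` from -LLL output; rejoins wrapped lines, skips base64 ('attr::')."""
    lines: List[str] = []
    for raw in ldif.splitlines():
        if raw.startswith(" ") and lines:
            lines[-1] += raw[1:]
        else:
            lines.append(raw)
    prefix = attr + ": "
    return [l[len(prefix):].strip() for l in lines if l.startswith(prefix)]

def ldapsearch(base: str, filt: str, attr: str) -> str:
    cmd = [LDAPSEARCH, "-x", "-b", base, "-s", "sub", "-LLL", filt, attr]
    return subprocess.run(cmd, check=True, capture_output=True, text=True).stdout

def roles_for_user(user_dn: str) -> List[str]:
    """Chain the two queries: user -> group DNs -> role names (cn)."""
    groups = parse_attr(ldapsearch(GROUPS_BASE, group_filter(user_dn), "cn"), "dn")
    if not groups:
        return []
    return parse_attr(ldapsearch(ROLES_BASE, role_filter(groups), "cn"), "cn")
```

Against a live directory, `roles_for_user("uid=anurag,ou=People,dc=example,dc=com")` returns `["Admin"]` for the data described in the question; the parsing and filter-building functions can be exercised offline on SAMPLE_GROUP_LDIF.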


Solution

  • In LDAP what you're looking for is accomplished using the Deref control.

    https://datatracker.ietf.org/doc/html/draft-masarati-ldap-deref-00