Differences

documentation:latest:performances [2020/03/02 17:43]
maxbes [LDAP performances] rewrite memberof tip
documentation:latest:performances [2020/05/10 11:43] (current)
Line 82: Line 82:
 </​code>​ </​code>​
  
-Example ​for groups:+Defining a group for admins
 <code perl> <code perl>
 # group # group
 admin -> $uid eq '​foo'​ or $uid eq '​bar'​ admin -> $uid eq '​foo'​ or $uid eq '​bar'​
 +</​code>​
  
-# Use a group in a rule+Using groups ​in a rule 
 +<code perl>
 ^/admin -> $groups =~ /\badmin\b/ ^/admin -> $groups =~ /\badmin\b/
  
 # Or with hGroups # Or with hGroups
 ^/admin -> defined $hGroups->​{'​admin'​} ^/admin -> defined $hGroups->​{'​admin'​}
 +
 +# Since 2.0.8
 +^/admin -> inGroup('​admin'​)
 </​code>​ </​code>​
  
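Review bot: In the "Using groups in a rule" block, the three forms are listed as if they were interchangeable, but the first one, $groups =~ /\badmin\b/, is not an exact membership test. \b matches at any non-word character, so a group named admin-ro or web.admin would also satisfy the ^/admin rule. The hunk adds inGroup('admin') under "# Since 2.0.8"; suggest stating there that inGroup or the $hGroups lookup is the form to use for an exact group match, and adding a comment on the regex line about this caveat. Minor: the two new captions ("Defining a group for admins", "Using groups in a rule") are bare text lines; a trailing colon or the page's heading markup would set them apart from the code blocks.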
Line 214: Line 219:
 <note tip>To avoid storing the full group DNs in session data, you can use a macro to rewrite ''​memberOf'':​ <note tip>To avoid storing the full group DNs in session data, you can use a macro to rewrite ''​memberOf'':​
  
-  * In *Exported variables*, export the ''​memberof''​ LDAP attribute as a ''​ldapGroups''​ session variable +  * In *Exported variables*, export the ''​memberOf''​ LDAP attribute as a ''​ldapGroups''​ session variable 
-    * key: ''​memberof''​ +    * key: ''​ldapGroups''​ 
-    * value: ''​ldapGroups''​+    * value: ''​memberOf''​
  
   * Next, add a ''​ldapGroups''​ macro that will overwrite the exported attribute   * Next, add a ''​ldapGroups''​ macro that will overwrite the exported attribute
     * key: ''​ldapGroups''​     * key: ''​ldapGroups''​
-    * value: ​''​join(";​ ",​($ldapGroups =~ /​cn=(.*?​),/​g))''​+    * value: ​ 
 +<​code="​perl">​ 
 +join(";​ ",​($ldapGroups =~ /​cn=(.*?​),/​g)) 
 +</​code>​
  
-''​ldapGroups''​ should now contain something like "admin; su" ​just like it would if you had used the regular, slower group resolution mechanism.+''​ldapGroups''​ should now contain something like ''​admin; su'' ​just like it would if you had used the regular, slower group resolution mechanism. ​
  
 +You can use [[extendedfunctions#​listmatch|listMatch($ldapGroups,​ "​some_group"​)]] in your access rules.
 </​note>​ </​note>​
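Review bot: The macro moved into the new code block, join("; ",($ldapGroups =~ /cn=(.*?),/g)), captures every cn= component that is followed by a comma, not only the leading RDN of each DN, so a value such as cn=admin,cn=groups,dc=example would yield both admin and groups in ldapGroups. Because the next added line recommends listMatch($ldapGroups, "some_group") in access rules, a container name would then count as a group. Suggest anchoring the capture to the start of each DN value, and mentioning that the match is case-sensitive (cn= only, not CN=). Separately, the block is opened with <code="perl"> while the earlier hunk on this page uses <code perl>; use the same tag form here so it renders as code, and note that the "value:" list item is now left empty with the code block placed outside the list.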