add a ldap_scope parameter

[tdm4]

Hi,

I need a way of setting the LDAP search filter to use SCOPE = one (instead of subtree). Is this possible? Our setup looks like this:

ou=people
      |
       -  cn=user1
       -  cn=user2
       ...
       |
       - ou=deactivated
           |
           - cn=user3
           - cn=user4

Having scope=one would only search and find users like user1 and user2 but would exclude 'user3' and 'user4.

It seems the LDAP search doesn't work despite trying modifiers like NOT (!(ou=deactivated))

Any ideas on how this could be achieved?

Thanks, Tom

[davidcoutadeur]

Hello,

It seems that ldap_search is missing the scope parameters. Any search is done with sub scope.

See: https://www.php.net/manual/en/function.ldap-search.php

You could replace ldap_search by ldap_list, which is doing exactly what you want, but it wouldn't be convenient for the software maintenance.

Maybe we could have a selector for choosing the right function (ldap_list, ldap_search or ldap_read), given a scope parameter, but it's quite a work.

[coudot]

Yes, selecting the scope could be a new feature

If you are using OpenLDAP, you can use extended filter matching:

(!(ou:dn:=deactivated))

[tdm4]

Yes, selecting the scope could be a new feature

If you are using OpenLDAP, you can use extended filter matching:

(!(ou:dn:=deactivated))

Thanks! That did the trick! Worth noting... if you have more than one OU group under there, you can AND the NOTs like so:

$ldap_filter = "(&(objectClass=person)($ldap_login_attribute={login})(!(ou:dn:=deactivated))(!(ou:dn:=disabled)))";

(for example)

[davidcoutadeur]

Done in #939

Don't forget to update composer dependency: "ltb-project/ltb-common": "dev-main" to the correct version when released. (0.3.0)