Thanks, Martin and Petr, for your comments and the workaround. As we're internally still on an old version of bind-dyndb-ldap I can actually use the LDAP attribute to achieve what I desire. Yeah!
As for the future, I opened https://bugzilla.redhat.com/show_bug.cgi?id=1138317, if anybody is interested to upvote :-)

-----Original Message-----
> From: Petr Spacek <pspa...@redhat.com>
> Sent: Thu 4 September 2014 15:23
> To: freeipa-users@redhat.com
> Subject: Re: [Freeipa-users] Filters in bind-dyndb-ldap
>
> On 4.9.2014 14:28, Martin Kosek wrote:
> > Actually, FreeIPA & bind-dyndb-ldap use idnszoneactive attribute (TRUE/FALSE) to
> > define which zones are active and which are not.
>
> Martin is right, I will add a couple more details about this:
> idnszoneactive attribute should work in bind-dyndb-ldap < 4.0.
>
> Versions >= 4.0 do not support it yet. This deficiency is tracked in
> https://fedorahosted.org/bind-dyndb-ldap/ticket/127
>
> You have a couple of options as a workaround:
> 1) Use older version of bind-dyndb-ldap :-)
>
> 2) Use LDAP transformation on server side so the server doesn't return objects
> from sub-tree with idnszoneactive attribute = FALSE.
>
> 3) Try some ACI magic on server side so it will not return objects from given
> sub-tree if idnszoneactive = FALSE. (This seems to be easiest option to me.)
>
> Have a nice day!
>
> Petr^2 Spacek
>
> > On 09/04/2014 02:23 PM, Chris Whittle wrote:
> >> Look at nsaccountlock if it's TRUE then they are disabled.
> >>
> >> On Thu, Sep 4, 2014 at 7:20 AM, Sebastian Leitz <sebastian.le...@etes.de>
> >> wrote:
> >>
> >>> Hello,
> >>>
> >>> I am trying to use bind-dyndb-ldap to connect my BIND to an LDAP server
> >>> for zones. I have a tiny question regarding this and both the project
> >>> website and the kind people on #freeipa IRC directed me to this list. I
> >>> hope someone is here who can answer my question. Sorry for intruding if
> >>> I'm not asking in the correct place.
> >>>
> >>> For technical reasons we need to be able to filter zones in LDAP according
> >>> to some flags, e.g. 'enabled'.
> >>> Other services usually provide a config option to include LDAP search
> >>> filters in every query, like
> >>>
> >>> ldap_search_filter = (enabled=1)
> >>>
> >>> Unfortunately, I can't find anything like this in the README file of
> >>> bind-dyndb-ldap. Does anybody know of a way to pass a search filter to
> >>> LDAP?
> >>>
> >>> Thanks in advance,
> >>>
> >>> Sebastian
>
> --
> Manage your subscription for the Freeipa-users mailing list:
> https://www.redhat.com/mailman/listinfo/freeipa-users
> Go To http://freeipa.org for more info on the project

--
Sebastian Leitz
Mail: sebastian.le...@etes.de
ETES GmbH
Phone: +49 (7 11) 48 90 83 - 14
Fax: +49 (7 11) 48 90 83 - 50
Gablenberger Hauptstrasse 32
D-70186 Stuttgart
Web: http://www.etes.de/
Register court: Amtsgericht Stuttgart HRB 721182
Managing partner: Markus Espenhain
Registered office: Stuttgart
VAT ID no.: DE814767446