Friday, January 21, 2011

How to handle nested groups in LDAP

Hi all, I am a total LDAP newbie and I am just researching whether I can use it for my next project or had better stay away from it. The project will depend heavily on the concept of nested groups, and I frequently need to know which groups a user is in (including supergroups), which users are in which group, and how many people are in a group (including subgroups). I tried to read about nested groups in LDAP, but it is hard to find good literature on that topic. So far the best I found is: http://middleware.internet2.edu/dir/groups/docs/internet2-mace-dir-groups-best-practices-200210.htm which kind of recommends forward references.

Is there any other documentation describing nested groups? For now I am not limited to a particular implementation, so it can be e.g. OpenLDAP-specific.

I am also open to any recommendations regarding nested groups.

Thanks, Markus

  • Sounds like you could go with groupOfNames - that object contains a collection of LDAP Distinguished Names, so it can hold users and other groups without a problem. The caveat is that unwinding the membership tree (and ensuring there are no cycles in it, or handling cycles gracefully) is the responsibility of your software.

    I've never done the forward references thing myself (I prefer the "Group has these Members" approach above rather than "Member is in these Groups" - my brain has an easier time with it), but my group structures are typically discrete, non-nested memberships so there may be advantages I'm overlooking.

    jocsch : If I go this route and choose static groups, I can easily get all the member DNs using a search filter. But how would I proceed if I then wanted to get the email addresses of all returned members? Iterating over the result and fetching the desired attribute seems very costly. With forward referencing I can get everything in one call.
    jocsch : Sorry, my last comment was insufficient. I plan to have a "people" and a "groups" branch, as every user can be in multiple groups. Therefore the ldapsearch can only return the member DNs that reference the users in the people branch.
    From voretaq7
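The answer above leaves the unwinding of the groupOfNames tree (and the cycle handling) to the application, and the follow-up comments ask how to then fetch an attribute such as mail for every resolved member without one lookup per user. The following is an added example, not code from the question or the answer: it works on a constructed LDIF snippet (a "groups" branch of groupOfNames entries whose member values point into a "people" branch, deliberately containing a staff/devs cycle) with a minimal inline parser, so it runs offline. It computes the three things the question asks for (all users in a group including subgroups, all groups a user is in including supergroups, and the distinct headcount) and builds a single RFC 4515 OR-filter for a follow-up search of the people branch. The DN handling assumes simple DNs without escaped commas; the parser handles only plain `attr: value` LDIF lines.

```python
"""Resolve nested groupOfNames membership client-side, with cycle handling."""
from collections import defaultdict, deque

# Constructed sample directory (not from the original post). The cycle
# cn=staff -> cn=devs -> cn=staff is intentional, to show it terminates.
SAMPLE_LDIF = """\
dn: cn=staff,ou=groups,dc=example,dc=com
objectClass: groupOfNames
cn: staff
member: cn=devs,ou=groups,dc=example,dc=com
member: cn=ops,ou=groups,dc=example,dc=com
member: uid=markus,ou=people,dc=example,dc=com

dn: cn=devs,ou=groups,dc=example,dc=com
objectClass: groupOfNames
cn: devs
member: uid=alice,ou=people,dc=example,dc=com
member: uid=markus,ou=people,dc=example,dc=com
member: cn=staff,ou=groups,dc=example,dc=com

dn: cn=ops,ou=groups,dc=example,dc=com
objectClass: groupOfNames
cn: ops
member: uid=bob,ou=people,dc=example,dc=com
"""


def parse_ldif(text):
    """Minimal LDIF parser -> {dn: {attr: [values]}}. Plain 'attr: value'
    lines only (no base64 values, no line folding)."""
    entries = {}
    for block in text.strip().split("\n\n"):
        dn, attrs = None, defaultdict(list)
        for line in block.splitlines():
            if not line.strip() or line.startswith("#"):
                continue
            key, _, value = line.partition(":")
            key, value = key.strip(), value.strip()
            if key.lower() == "dn":
                dn = value
            else:
                attrs[key].append(value)
        if dn:
            entries[dn] = dict(attrs)
    return entries


def is_group(entries, dn):
    return "groupOfNames" in entries.get(dn, {}).get("objectClass", [])


def expand_members(entries, group_dn):
    """Transitive closure of 'member', returning user DNs only.
    The visited set is what makes the walk terminate on a cycle."""
    users, visited, todo = set(), set(), deque([group_dn])
    while todo:
        g = todo.popleft()
        if g in visited:
            continue
        visited.add(g)
        for m in entries.get(g, {}).get("member", []):
            (todo.append if is_group(entries, m) else users.add)(m)
    return users


def member_count(entries, group_dn):
    """Headcount including subgroups; a user reachable by two paths counts once."""
    return len(expand_members(entries, group_dn))


def groups_of(entries, user_dn):
    """All groups containing user_dn, directly or via supergroups. The
    directory only stores the forward edge, so the reverse map is built here."""
    parents = defaultdict(set)
    for dn, attrs in entries.items():
        if is_group(entries, dn):
            for m in attrs.get("member", []):
                parents[m].add(dn)
    found, todo = set(), deque([user_dn])
    while todo:
        for g in parents.get(todo.popleft(), ()):
            if g not in found:
                found.add(g)
                todo.append(g)
    return found


def members_search_filter(entries, group_dn):
    """One OR-filter over the resolved members' first RDN, to fetch e.g.
    'mail' for all of them with a single search of the people branch
    instead of one lookup per member. Values are escaped per RFC 4515."""
    def esc(v):
        for raw, enc in (("\\", "\\5c"), ("*", "\\2a"), ("(", "\\28"),
                         (")", "\\29"), ("\x00", "\\00")):
            v = v.replace(raw, enc)
        return v
    parts = []
    for dn in sorted(expand_members(entries, group_dn)):
        attr, _, val = dn.split(",", 1)[0].partition("=")
        parts.append(f"({attr}={esc(val)})")
    return "(|" + "".join(parts) + ")"


if __name__ == "__main__":
    d = parse_ldif(SAMPLE_LDIF)
    staff = "cn=staff,ou=groups,dc=example,dc=com"
    print(sorted(expand_members(d, staff)), member_count(d, staff))
    print(sorted(groups_of(d, "uid=bob,ou=people,dc=example,dc=com")))
    print(members_search_filter(d, staff))
```

The resulting filter is meant to be passed to a second search with the people branch as base and `mail` in the requested attribute list; for very large groups split the member list into chunks so the filter stays within what the server accepts. Note also that because of the deliberate cycle, every member of staff is also a member of devs, which is exactly the kind of surprise the answer warns about.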
