
Re: Group Members



criderkevin@aol.com wrote:
> Whats the best way to design my LDAP for use by multiple apps?
>  
> I need to be able to tell if a user is a member of different apps to allow
> access. I started by adding custom attributes for each app, boolean and such,
> and that works fine but somehow just doesn't feel right.

There's nothing wrong with that. It also depends on what your applications
support.

> Now I'm experimenting with Groups. I have a few Groups set up of objectClass
> groupOfNames and I've added "member"s to them...

Depending on how your applications use group entries with a multi-valued
membership attribute, this does not scale well for many users (100000+). How
many users do you expect at maximum in one group?

> the problem is I can't seem to
> find an ldapsearch that returns a list of users for a particular group. What
> am I missing here? This query was the closest I came as it returns the list of
> member attributes:
>  
> /usr/bin/ldapsearch -h 127.0.0.1 -x -b "dc=mydomain,dc=com" "(&(objectclass=groupOfNames)(cn=GroupA))"
>  
> Perhaps I am misunderstanding that ldap can do what I'm asking...(???)

If you want to use groupOfNames and also query the list of group members then
probably slapo-memberof is what you're looking for:

http://www.openldap.org/doc/admin24/overlays.html#Reverse%20Group%20Membership%20Maintenance

Ciao, Michael.
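Added example, not part of the thread and not OpenLDAP project code. It shows the two halves of the answer above in working code: reading the member DNs out of the LDIF that the poster's group search already returns (real ldapsearch output folds long values across lines and base64-encodes some values, which is why a naive grep for "member:" misses entries), and building the reverse query that slapo-memberof makes possible, with the group DN escaped per RFC 4515 so a DN containing "(", ")" or "*" cannot break or widen the filter. The group/people DIT layout and the LDIF text are constructed for the example; the ldapsearch flags used are -x, -LLL, -H and -b as in OpenLDAP's client.

```python
import base64

# Constructed sample LDIF, shaped like the output of the poster's query
# (ldapsearch -x -b "dc=mydomain,dc=com" "(&(objectClass=groupOfNames)(cn=GroupA))").
# The second member value is folded over two lines and the third is base64
# encoded, as real ldapsearch output can be; the trailer lines are also typical.
SAMPLE_LDIF = (
    "dn: cn=GroupA,ou=groups,dc=mydomain,dc=com\n"
    "objectClass: groupOfNames\n"
    "cn: GroupA\n"
    "member: uid=alice,ou=people,dc=mydomain,dc=com\n"
    "member: uid=bob,ou=people,dc=mydomain,\n"
    " dc=com\n"
    "member:: "
    + base64.b64encode(b"uid=carol,ou=people,dc=mydomain,dc=com").decode()
    + "\n"
    "\n"
    "# search result\n"
    "search: 2\n"
    "result: 0 Success\n"
)


def unfold(text):
    """Join LDIF continuation lines (RFC 2849: a leading single space)."""
    lines = []
    for raw in text.splitlines():
        if raw.startswith(" ") and lines:
            lines[-1] += raw[1:]
        else:
            lines.append(raw)
    return lines


def parse_ldif_entries(text):
    """Return a list of entries, each a dict of lowercased attr -> [values].

    Handles 'attr: value' and base64 'attr:: value'; comment lines are skipped
    and blocks without a dn (the ldapsearch trailer) are dropped.
    """
    entries = []
    current = {}
    for line in unfold(text) + [""]:
        if line == "":
            if "dn" in current:
                entries.append(current)
            current = {}
            continue
        if line.startswith("#"):
            continue
        name, sep, rest = line.partition(":")
        if not sep:
            continue
        if rest.startswith(":"):
            value = base64.b64decode(rest[1:].strip()).decode("utf-8")
        else:
            value = rest.strip()
        current.setdefault(name.lower(), []).append(value)
    return entries


def group_members(entries, group_cn):
    """Member DNs of the groupOfNames entry whose cn matches (case-insensitive)."""
    for entry in entries:
        classes = [v.lower() for v in entry.get("objectclass", [])]
        names = [v.lower() for v in entry.get("cn", [])]
        if "groupofnames" in classes and group_cn.lower() in names:
            return entry.get("member", [])
    return []


# RFC 4515 escaping for values placed inside a search filter; a per-character
# map means the backslash is escaped exactly once.
_FILTER_ESCAPES = {"\\": r"\5c", "*": r"\2a", "(": r"\28", ")": r"\29", "\0": r"\00"}


def escape_filter_value(value):
    return "".join(_FILTER_ESCAPES.get(ch, ch) for ch in value)


def memberof_filter(group_dn):
    """Filter that finds user entries whose memberOf (slapo-memberof) names the group."""
    return "(memberOf=%s)" % escape_filter_value(group_dn)


def reverse_search_argv(base, group_dn, attrs=("uid",)):
    """argv for subprocess.run(..., shell=False); no shell ever sees the filter."""
    return ["ldapsearch", "-x", "-LLL", "-H", "ldap://127.0.0.1", "-b", base,
            memberof_filter(group_dn), *attrs]


if __name__ == "__main__":
    members = group_members(parse_ldif_entries(SAMPLE_LDIF), "GroupA")
    print("members of GroupA from the group entry:")
    for dn in members:
        print("  " + dn)
    print("reverse query once slapo-memberof is active:")
    print("  " + " ".join(reverse_search_argv(
        "dc=mydomain,dc=com", "cn=GroupA,ou=groups,dc=mydomain,dc=com")))
```

Two caveats when moving to the memberOf query: in OpenLDAP the attribute is operational, so a search must name it (or request "+") to see it in results, and the overlay only maintains it for modifications made after it is enabled, so existing groups have to be re-applied or refreshed before the reverse query is complete.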