Re: Group Members
criderkevin@aol.com wrote:
> What's the best way to design my LDAP for use by multiple apps?
>
> I need to be able to tell if a user is a member of different apps to allow
> access. I started by adding custom attributes for each app, boolean and such,
> and that works fine but somehow just doesn't feel right.
There's nothing wrong with that. It also depends on what your applications
support.
> Now I'm experimenting with Groups. I have a few Groups set up of objectClass
> groupOfNames and I've added "member"s to them...
Depending on how your applications use group entries with a multi-valued
membership attribute, this does not scale well for many users (100000+). How
many users do you expect at maximum in one group?
> the problem is I can't seem to
> find an ldapsearch that returns a list of users for a particular group. What
> am I missing here? This query was the closest I came as it returns the list of
> member attributes:
>
> /usr/bin/ldapsearch -h 127.0.0.1 -x -b "dc=mydomain,dc=com"
> "(&(objectclass=groupOfNames)(cn=GroupA))"
>
> Perhaps I am misunderstanding that ldap can do what I'm asking...(???)
If you want to use groupOfNames and also query the list of group members then
probably slapo-memberof is what you're looking for:
http://www.openldap.org/doc/admin24/overlays.html#Reverse%20Group%20Membership%20Maintenance
Ciao, Michael.
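
The two lookups discussed in this thread, as an added example that is not part of the original messages: a forward lookup that reads `member` from the group entry, and a reverse lookup on `memberOf` that assumes slapo-memberof is enabled on the server. The base DN and server address come from the question; the function names and the group DN passed to `users_in_group` are hypothetical.

```shell
#!/bin/sh
BASE="dc=mydomain,dc=com"      # base DN from the question
URI="ldap://127.0.0.1"         # same server the question queried

# Print the values of one attribute from LDIF on stdin, one per line.
# Handles LDIF line folding (continuation lines start with one space)
# and base64-encoded values ("attr:: ...").
ldif_values() {
    attr="$1"
    awk '
        /^ / { buf = buf substr($0, 2); next }    # folded line: join to previous
        { if (buf != "") print buf; buf = $0 }
        END { if (buf != "") print buf }
    ' | while IFS= read -r line; do
        case "$line" in
            "$attr:: "*) printf '%s' "${line#"$attr:: "}" | base64 -d; echo ;;
            "$attr: "*)  printf '%s\n' "${line#"$attr: "}" ;;
        esac
    done
}

# Forward lookup: fetch the group entry, request only its member attribute.
# $1 (the cn) goes into the filter as-is; escape it per RFC 4515 if it can
# ever come from untrusted input.
group_members() {
    ldapsearch -x -LLL -H "$URI" -b "$BASE" \
        "(&(objectClass=groupOfNames)(cn=$1))" member | ldif_values member
}

# Reverse lookup: entries whose memberOf names the group DN given as $1.
# Requires slapo-memberof; "1.1" requests no attributes, so only DNs return.
users_in_group() {
    ldapsearch -x -LLL -H "$URI" -b "$BASE" "(memberOf=$1)" 1.1 | ldif_values dn
}
```

The overlay only maintains `memberOf` for group changes made after it is enabled, so groups that already existed need their `member` values re-added before the reverse lookup returns them.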