[Date Prev][Date Next] [Chronological] [Thread] [Top]

Re: Group Members

To: criderkevin@aol.com
Subject: Re: Group Members
From: Michael Ströder <michael@stroeder.com>
Date: Fri, 12 Aug 2011 19:05:24 +0200
Cc: openldap-technical@openldap.org
In-reply-to: <8CE26ADE9B22DD0-1EC4-2E95D@Webmail-d102.sysops.aol.com>
References: <8CE26ADE9B22DD0-1EC4-2E95D@Webmail-d102.sysops.aol.com>
User-agent: Mozilla/5.0 (X11; Linux x86_64; rv:5.0) Gecko/20110706 Firefox/5.0 SeaMonkey/2.2

criderkevin@aol.com wrote:
> Whats the best way to design my LDAP for use by multiple apps?
>  
> I need to be able to tell if a user if a member of different apps to allow
> access. I started by adding custom attributes for each app, boolean and such,
> and that works fine but somehow just doesn't feel right.

There's nothing wrong with that. It also depends on what your applications
support.

> Now I'm experimenting with Groups. I have a few Groups setup of objectClass
> groupOfNames and I've added "member"s to them...

Depending on how your applications use group entries with multi-valued
membership attribute this does not scale well for many users (100000+). How
many users do you expect at maximum in one group?

> the problem is I can't seem to
> find an ldapsearch that returns a list of users for a particular group. What
> am I missing here? This query was the closest I came as it returns the list of
> member attributes:
>  
> /usr/bin/ldapsearch -h 127.0.0.1 -x -b "dc=mydomain,dc=com"
> "(&(objectclass=groupOfNames)(cn=GroupA))"
>  
> Perhaps I am misunderstanding that ldap can do what I'm asking...(???)

If you want to use groupOfNames and also query the list of group members then
probably slapo-memberof is what you're looking for:

http://www.openldap.org/doc/admin24/overlays.html#Reverse%20Group%20Membership%20Maintenance

Ciao, Michael.

References:
- Group Members
  - From: criderkevin@aol.com

Prev by Date: Re: Group Members
Next by Date: Re: can't get memberof filter working
Index(es):
- Chronological
- Thread