criderkevin@aol.com wrote:
Whats the best way to design my LDAP for use by multiple apps?
I need to be able to tell if a user is a member of different apps to allow access. I started by adding custom attributes for each app, boolean and such, and that works fine but somehow just doesn't feel right.
There's nothing wrong with that. It also depends on what your applications support.
Now I'm experimenting with Groups. I have a few Groups set up of objectClass groupOfNames and I've added "member"s to them...
Depending on how your applications use group entries with multi-valued membership attribute this does not scale well for many users (100000+). How many users do you expect at maximum in one group?
The problem is I can't seem to find an ldapsearch that returns a list of users for a particular group. What am I missing here? This query was the closest I came as it returns the list of member attributes:
/usr/bin/ldapsearch -h 127.0.0.1 -x -b "dc=mydomain,dc=com" "(&(objectclass=groupOfNames)(cn=GroupA))"
Perhaps I am misunderstanding that ldap can do what I'm asking...(???)
If you want to use groupOfNames and also query the list of group members then probably slapo-memberof is what you're looking for:
http://www.openldap.org/doc/admin24/overlays.html#Reverse%20Group%20Membersh...
Ciao, Michael.
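An added example, not from either poster: the ldapsearch above already returns the group's users, as DNs in the `member` attribute, so the script parses that LDIF output into a member list and also builds the single filter an application can send to let the server check one user's membership. The LDIF is constructed sample data in the shape of that output, and the function names are mine.

```python
import base64
import re

# Constructed sample LDIF in the shape of the ldapsearch output from the post; not real directory data.
SAMPLE_LDIF = """\
dn: cn=GroupA,ou=groups,dc=mydomain,dc=com
objectClass: groupOfNames
cn: GroupA
member: uid=alice,ou=people,dc=mydomain,dc=com
member: uid=bob,ou=people,
 dc=mydomain,dc=com
member:: dWlkPWNhcm9sLG91PXBlb3BsZSxkYz1teWRvbWFpbixkYz1jb20=
"""

def parse_ldif(text):
    """Parse LDIF into [(dn, {attr: [values]})]. Handles folded lines and base64 ('::') values."""
    entries = []
    for block in re.split(r"\n\s*\n", text.strip()):
        lines = []
        for line in block.splitlines():
            if line.startswith(" ") and lines:
                lines[-1] += line[1:]          # folded continuation line
            elif line and not line.startswith("#"):
                lines.append(line)
        dn, attrs = None, {}
        for line in lines:
            name, _, rest = line.partition(":")
            if rest.startswith(":"):           # "attr:: <base64>"
                value = base64.b64decode(rest[1:].strip()).decode("utf-8")
            else:
                value = rest.strip()
            if name.lower() == "dn":
                dn = value
            else:
                attrs.setdefault(name, []).append(value)
        if dn is not None:
            entries.append((dn, attrs))
    return entries

def group_members(ldif_text, group_cn):
    """Return the member DNs of the groupOfNames entry whose cn matches: the user list the post asked for."""
    for _dn, attrs in parse_ldif(ldif_text):
        if group_cn in attrs.get("cn", []):
            return attrs.get("member", [])
    return []

def is_member(ldif_text, group_cn, user_dn):
    return user_dn in group_members(ldif_text, group_cn)

def escape_filter_value(value):
    """Escape an assertion value per RFC 4515 so an app-supplied name cannot change the filter's meaning."""
    for ch, esc in (("\\", r"\5c"), ("*", r"\2a"), ("(", r"\28"), (")", r"\29"), ("\0", r"\00")):
        value = value.replace(ch, esc)
    return value

def membership_filter(group_cn, user_dn):
    """Filter that matches the group only if user_dn is a member: one search, no client-side parsing."""
    return "(&(objectClass=groupOfNames)(cn=%s)(member=%s))" % (
        escape_filter_value(group_cn), escape_filter_value(user_dn))
```

For the access decision itself, `membership_filter` with the same `-b` base as the ldapsearch above is enough: a non-empty result means the user is in the group, and no member list has to be fetched or parsed.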