What's the best way to design my LDAP for use by multiple apps?
I need to be able to tell if a user is a member of different apps to allow access. I started by adding custom attributes for each app, boolean and such, and that works fine but somehow just doesn't feel right.
Now I'm experimenting with Groups. I have a few Groups setup of objectClass groupOfNames and I've added "member"s to them...the problem is I can't seem to find an ldapsearch that returns a list of users for a particular group. What am I missing here? This query was the closest I came as it returns the list of member attributes:
/usr/bin/ldapsearch -h 127.0.0.1 -x -b "dc=mydomain,dc=com" "(&(objectclass=groupOfNames)(cn=GroupA))"
Perhaps I am misunderstanding that ldap can do what I'm asking...(???)
Would I be better off with the custom attributes on my Users ou? I also need to consider that we need to provide access to several admins for maintenance, so we need to make sure one admin can't change the application access that they shouldn't. Should we have a separate branch for each app then???
tia,
Kevin
Hi!
2011/8/11 criderkevin@aol.com:
> I need to be able to tell if a user is a member of different apps to allow access. I started by adding custom attributes for each app, boolean and such, and that works fine but somehow just doesn't feel right.
Not sure if it's the best way, but we have added a custom attribute to our users (enabledService). It is a multi-value (string) attribute that apps check to grant access.
dn: uid=nbensa,ou=users,dc=....
enabledService: login
enabledService: mail
enabledService: ....
Then the application (mail for example) just search "(&(uid=$username)(enabledService=mail))" and if it gets a result, it grants access to the user (if the passwd is right of course :-) )
We also added "accountActive" (TRUE|FALSE) so we can enable or disable access to all services in just one operation.
HTH, Norberto
criderkevin@aol.com wrote:
> What's the best way to design my LDAP for use by multiple apps?
> I need to be able to tell if a user is a member of different apps to allow access. I started by adding custom attributes for each app, boolean and such, and that works fine but somehow just doesn't feel right.
There's nothing wrong with that. It also depends on what your applications support.
> Now I'm experimenting with Groups. I have a few Groups setup of objectClass groupOfNames and I've added "member"s to them...
Depending on how your applications use group entries with multi-valued membership attribute this does not scale well for many users (100000+). How many users do you expect at maximum in one group?
> the problem is I can't seem to find an ldapsearch that returns a list of users for a particular group. What am I missing here? This query was the closest I came as it returns the list of member attributes:
> /usr/bin/ldapsearch -h 127.0.0.1 -x -b "dc=mydomain,dc=com" "(&(objectclass=groupOfNames)(cn=GroupA))"
> Perhaps I am misunderstanding that ldap can do what I'm asking...(???)
If you want to use groupOfNames and also query the list of group members then probably slapo-memberof is what you're looking for:
http://www.openldap.org/doc/admin24/overlays.html#Reverse%20Group%20Membersh...
Ciao, Michael.
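An added example (editor's code, not from the thread or from OpenLDAP) that ties the two answers together: Norberto's `(&(uid=$username)(enabledService=mail))` check, Michael's slapo-memberof reverse lookup, and the member list Kevin was trying to get out of his groupOfNames query. The DNs, attribute names and the sample ldapsearch output below are constructed for illustration. The one thing the thread does not mention and that an application doing this must get right is filter escaping: `$username` comes from a login form, and without RFC 4515 escaping a value like `*)(enabledService=*` turns the access check into a wildcard match.

```python
"""LDAP app-access helpers: filter construction with RFC 4515 escaping and
parsing of ldapsearch (LDIF) output.  Example code; DNs and attributes are
constructed and not taken from a real directory."""
import base64
import re

# Characters that have meaning inside a filter assertion value (RFC 4515).
_FILTER_SPECIAL = '\\*()\x00'


def escape_filter_value(value: str) -> str:
    """Escape a string for use as an assertion value in a search filter.
    Each special character becomes a backslash followed by two hex digits."""
    return ''.join('\\%02x' % ord(c) if c in _FILTER_SPECIAL else c for c in value)


def enabled_service_filter(username: str, service: str) -> str:
    """Norberto's check: exactly one entry back means the user exists and has
    the service enabled.  Both operands are escaped, so an attacker-supplied
    username cannot close the parenthesis and append its own assertions."""
    return '(&(uid=%s)(enabledService=%s))' % (
        escape_filter_value(username), escape_filter_value(service))


def group_entry_filter(group_cn: str) -> str:
    """Kevin's forward query: the group entry itself, whose member values are
    the user DNs.  Works without any overlay."""
    return '(&(objectClass=groupOfNames)(cn=%s))' % escape_filter_value(group_cn)


def member_of_filter(group_dn: str) -> str:
    """Michael's reverse query with slapo-memberof: every user entry whose
    memberOf attribute holds the group DN.  Note that the overlay maintains
    memberOf only for membership changes made after it is loaded; existing
    member values must be re-added for it to populate them."""
    return '(memberOf=%s)' % escape_filter_value(group_dn)


def group_members_from_ldif(ldif_text: str) -> list:
    """Parse ldapsearch output for a group entry and return its member DNs.
    Handles LDIF line folding (continuation lines start with one space),
    comment lines, and base64-encoded values ('member:: ...')."""
    logical = []
    for raw in ldif_text.splitlines():
        if not raw.strip() or raw.startswith('#'):
            continue
        if raw.startswith(' ') and logical:
            logical[-1] += raw[1:]          # unfold continuation line
        else:
            logical.append(raw)
    members = []
    for line in logical:
        m = re.match(r'^member(::?) ?(.*)$', line, re.IGNORECASE)
        if not m:
            continue
        value = m.group(2)
        if m.group(1) == '::':
            value = base64.b64decode(value).decode('utf-8')
        members.append(value.strip())
    return members


# Constructed sample: what the group query in the thread might return, with
# one folded line and one base64 value to exercise the parser.
SAMPLE_GROUP_LDIF = """\
# GroupA, groups, mydomain.com
dn: cn=GroupA,ou=groups,dc=mydomain,dc=com
objectClass: groupOfNames
cn: GroupA
description: constructed sample entry
member: uid=kevin,ou=users,dc=mydomain,dc=com
member: uid=nbensa,ou=users,dc=mydomain,
 dc=com
member:: dWlkPWFkbWluLG91PXVzZXJzLGRjPW15ZG9tYWluLGRjPWNvbQ==
"""

if __name__ == '__main__':
    print(enabled_service_filter('nbensa', 'mail'))
    print(enabled_service_filter('*)(enabledService=*', 'mail'))
    print(member_of_filter('cn=GroupA,ou=groups,dc=mydomain,dc=com'))
    for dn in group_members_from_ldif(SAMPLE_GROUP_LDIF):
        print('member:', dn)
```

Whichever layout is chosen, the admin-separation question in the original post is an ACL question rather than a schema one: OpenLDAP access rules can be scoped to a single group entry or to one attribute (an `enabledService` value, say) so that a given admin can write only the application access they are responsible for.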
openldap-technical@openldap.org