criderkevin(a)aol.com wrote:
> What's the best way to design my LDAP for use by multiple apps?
> I need to be able to tell if a user is a member of different apps to allow
> access. I started by adding custom attributes for each app, boolean and such,
> and that works fine but somehow just doesn't feel right.
There's nothing wrong with that. It also depends on what your applications
support.
> Now I'm experimenting with Groups. I have a few Groups set up of objectClass
> groupOfNames and I've added "member"s to them...
Depending on how your applications use group entries with a multi-valued
membership attribute, this does not scale well for many users (100000+). How
many users do you expect at maximum in one group?
> the problem is I can't seem to
> find an ldapsearch that returns a list of users for a particular group. What
> am I missing here? This query was the closest I came as it returns the list of
> member attributes:
>
> /usr/bin/ldapsearch -h 127.0.0.1 -x -b "dc=mydomain,dc=com" \
>     "(&(objectclass=groupOfNames)(cn=GroupA))"
>
> Perhaps I am misunderstanding that LDAP can do what I'm asking...(???)
If you want to use groupOfNames and also query the list of group members then
probably slapo-memberof is what you're looking for:
http://www.openldap.org/doc/admin24/overlays.html#Reverse%20Group%20Membe...
Ciao, Michael.
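The two ways of answering "who is in GroupA" that this exchange contrasts, as an added example that is not code from either message in the thread: the group-side search (Kevin's query, trimmed to just the member values) and the user-side search that becomes possible once slapo-memberof maintains memberOf on user entries. It keeps the suffix dc=mydomain,dc=com from the original command; ou=people, ou=groups, the slapd.conf-style configuration, the anonymous simple bind (-x without -D/-w, as in the original) and all function names are assumptions of this example, not anything from the thread.

```shell
#!/bin/sh
# Added example; not code from the thread. Assumes the suffix from the
# original search (dc=mydomain,dc=com), users under ou=people and groups
# under ou=groups (both assumed), and slapd.conf-style configuration.
LDAP_URI="${LDAP_URI:-ldap://127.0.0.1}"
BASE_DN="dc=mydomain,dc=com"
GROUP_BASE="ou=groups,$BASE_DN"
PEOPLE_BASE="ou=people,$BASE_DN"

# 1. Enable slapo-memberof. Writes a slapd.conf fragment to the file named
#    in $1. The overlay directives belong after the database definition, and
#    memberof.la must be loaded on builds that use dynamic modules. Directive
#    names are the ones documented in slapo-memberof(5).
write_memberof_conf() {
    cat >"$1" <<'EOF'
# global section
moduleload memberof.la

# inside the database section for dc=mydomain,dc=com
overlay memberof
memberof-group-oc    groupOfNames
memberof-member-ad   member
memberof-memberof-ad memberOf
# also keep the groups' member values in step when member entries change
memberof-refint      true
EOF
}

# 2. RFC 4515 escaping for any value interpolated into a filter. Without it
#    a uid of "*" or "x)(uid=admin" matches entries the caller never meant.
escape_filter_value() {
    printf '%s\n' "$1" | sed -e 's/\\/\\5c/g' -e 's/\*/\\2a/g' \
                             -e 's/(/\\28/g' -e 's/)/\\29/g'
}

# 3. Filter builders. The group name and uid are the caller-supplied parts,
#    so they are escaped; the DN suffixes are fixed by this script. The group
#    name is expected to be a plain RDN value (DN escaping is not handled).
members_filter() {
    printf '(&(objectClass=groupOfNames)(cn=%s))\n' "$(escape_filter_value "$1")"
}
memberof_filter() {
    printf '(memberOf=cn=%s,%s)\n' "$(escape_filter_value "$1")" "$GROUP_BASE"
}
user_in_group_filter() {
    printf '(&(uid=%s)(memberOf=cn=%s,%s))\n' \
        "$(escape_filter_value "$1")" "$(escape_filter_value "$2")" "$GROUP_BASE"
}

# 4. Searches. Group side: the group entry's member values. This is the
#    original search plus -LLL and the "member" selector, so only the DN list
#    comes back; the whole multi-valued attribute is still returned.
list_group_members() {
    ldapsearch -x -H "$LDAP_URI" -LLL -b "$GROUP_BASE" "$(members_filter "$1")" member
}
# User side (needs the overlay): the user entries carrying memberOf for the
# group. memberOf is operational, so it must be named in the attribute list.
list_group_users() {
    ldapsearch -x -H "$LDAP_URI" -LLL -b "$PEOPLE_BASE" "$(memberof_filter "$1")" uid memberOf
}
# Per-request authorization check for one uid. "1.1" asks for no attributes,
# so the reply is one "dn:" line or nothing. Exit status 0 means member.
user_in_group() {
    ldapsearch -x -H "$LDAP_URI" -LLL -b "$PEOPLE_BASE" \
        "$(user_in_group_filter "$1" "$2")" 1.1 | grep -q '^dn:'
}

case "${1:-}" in
    members) list_group_members "$2" ;;
    users)   list_group_users "$2" ;;
    check)   if user_in_group "$2" "$3"; then echo allowed; else echo denied; fi ;;
esac
```

Usage: `sh groups.sh members GroupA`, `sh groups.sh users GroupA`, or `sh groups.sh check kevin GroupA`. The check function is the one an application should call per request: it sends a filter on one uid instead of pulling the group's entire member list, which is the scaling problem Michael raises for large groups. Two caveats when relying on memberOf for access decisions: the overlay only maintains memberOf for membership changes made while it is active, so entries loaded before enabling it need to be reloaded, and it does not expand nested groups. Replace the anonymous bind with a real one (`-D`/`-w` or SASL) before using this for authorization.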