7:23 p.m.
Whats the best way to design my LDAP for use by multiple apps?
I need to be able to tell if a user if a member of different apps to allow access. I
started by adding custom attributes for each app, boolean and such, and that works fine
but somehow just doesn't feel right.
Now I'm experimenting with Groups. I have a few Groups setup of objectClass
groupOfNames and I've added "member"s to them...the problem is I can't
seem to find an ldapsearch that returns a list of users for a particular group. What am I
missing here? This query was the closest I came as it returns the list of member
attributes:
/usr/bin/ldapsearch -h 127.0.0.1 -x -b "dc=mydomain,dc=com"
"(&(objectclass=groupOfNames)(cn=GroupA))"
Perhaps I am misunderstanding that ldap can do what I'm asking...(???)
Would I be better off with the custom attributes on my Users ou? I also need to consider
that we need to provide access to seveal admins for maintenance, so we need to make sure
one admin can't change the application access that they shouldn't be. Should we
have a seperate branch for each app then???
tia,
Kevin
9:28 a.m.
Hi!
2011/8/11 <criderkevin(a)aol.com>:
I need to be able to tell if a user if a member of different apps to
allow
access. I started by adding custom attributes for each app, boolean and
such, and that works fine but somehow just doesn't feel right.
Not sure if it's the best way, but we have added a custom attribute to
our users (enabledService). It is a multi-value (string) attribute
that apps check to grant access.
dn: uid=nbensa,ou=users,dc=....
enabledService: login
enabledService: mail
enabledService: ....
Then the application (mail for example) just search
"(&(uid=$username)(enabledService=mail))" and if it gets a result, it
grants access to the user (if the passwd is right of course :-) )
We also added "accountActive" (TRUE|FALSE) so we can enable or disable
access to all services in just one operation.
HTH,
Norberto
10:05 a.m.
criderkevin(a)aol.com wrote:
Whats the best way to design my LDAP for use by multiple apps?
I need to be able to tell if a user if a member of different apps to allow
access. I started by adding custom attributes for each app, boolean and such,
and that works fine but somehow just doesn't feel right.
There's nothing wrong with that. It also depends on what your applications
support.
Now I'm experimenting with Groups. I have a few Groups setup of
objectClass
groupOfNames and I've added "member"s to them...
Depending on how your applications use group entries with multi-valued
membership attribute this does not scale well for many users (100000+). How
many users do you expect at maximum in one group?
the problem is I can't seem to
find an ldapsearch that returns a list of users for a particular group. What
am I missing here? This query was the closest I came as it returns the list of
member attributes:
/usr/bin/ldapsearch -h 127.0.0.1 -x -b "dc=mydomain,dc=com"
"(&(objectclass=groupOfNames)(cn=GroupA))"
Perhaps I am misunderstanding that ldap can do what I'm asking...(???)
If you want to use groupOfNames and also query the list of group members then
probably slapo-memberof is what you're looking for:
http://www.openldap.org/doc/admin24/overlays.html#Reverse%20Group%20Membe...
Ciao, Michael.
3976
days inactive
3976
days old
openldap-technical@openldap.org
2 comments
3 participants
participants (3)
-
criderkevin@aol.com -
Michael Ströder -
zoolook