What is a good LDAP objectClass to use to store a user and its membership

I'm trying to create an LDAP schema for our users and groups (using ApacheDS, but that should not matter).

Currently I have something like this:

 (dc=company, dc=com)
   - ou : groups
      - GroupOfNames: cn=users
          - GON: cn=subgroup A
              * member : uid=user1
      - GroupOfNames: cn=Admins
              * member : uid=admin

   - ou : users
       - inetOrgPerson uid="admin"
       - inetOrgPerson uid="user1"

Now the problem is that I'm trying to connect a portal that uses this schema for authentication and group membership.

The portal wants the "user" to 'know' the groups it is a member of (which is probably more efficient).

So I would need to have something like:

- inetOrgPerson uid="admin"
    * memberOf : "cn=admin,cn=groups,dc=company,dc=com"

But inetOrgPerson does not allow any kind of memberOf attribute... so my question is:

What kind of LDAP object class can I use instead of inetOrgPerson that would allow a memberOf attribute?


Well, the server does matter, since there is no standard for getting group membership in the user's entry.

I don't know if Apache DS supports the "memberOf" attribute. OpenDJ (opendj.org), OpenDS and Sun DSEE do support it via the "isMemberOf" attribute (and can be configured to return either name).

The isMemberOf (or memberOf) attribute is an operational attribute and thus must be explicitly requested in the search query.


inetOrgPerson. You don't need a memberOf attribute. Just execute a search on the groupOfNames 'member' attribute. This is how it is normally done.
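The two lookups the answers describe, as an added example that is not part of either answer: the reverse 'member' search (second answer) and the explicit request for the operational isMemberOf attribute (first answer), run over a constructed in-memory copy of the question's tree rather than a live server. The RFC 4515 escaping is real; every DN below is made up to match the question.

```python
# Added example (not from the original post): the two membership lookups the
# answers describe, over a constructed in-memory copy of the question's tree.
# RFC 4515 escaping is real; all DNs here are made up to match the question.
from typing import Dict, List

# Constructed directory: DN -> attributes. cn=users nests cn=subgroupA via 'member'.
DIRECTORY: Dict[str, Dict[str, List[str]]] = {
    "uid=user1,ou=users,dc=company,dc=com": {"objectClass": ["inetOrgPerson"]},
    "uid=admin,ou=users,dc=company,dc=com": {"objectClass": ["inetOrgPerson"]},
    "cn=subgroupA,cn=users,ou=groups,dc=company,dc=com": {
        "objectClass": ["groupOfNames"],
        "member": ["uid=user1,ou=users,dc=company,dc=com"]},
    "cn=users,ou=groups,dc=company,dc=com": {
        "objectClass": ["groupOfNames"],
        "member": ["cn=subgroupA,cn=users,ou=groups,dc=company,dc=com"]},
    "cn=Admins,ou=groups,dc=company,dc=com": {
        "objectClass": ["groupOfNames"],
        "member": ["uid=admin,ou=users,dc=company,dc=com"]},
}

# RFC 4515 section 3: characters that must be hex-escaped inside a filter assertion
# value, so a DN taken from a login form cannot change the meaning of the filter.
_ESCAPES = {"\\": r"\5c", "*": r"\2a", "(": r"\28", ")": r"\29", "\x00": r"\00"}

def escape_filter_value(value: str) -> str:
    return "".join(_ESCAPES.get(ch, ch) for ch in value)

def group_member_filter(user_dn: str) -> str:
    """Second answer: search ou=groups for groupOfNames entries listing the user."""
    return f"(&(objectClass=groupOfNames)(member={escape_filter_value(user_dn)}))"

def member_of_request(user_dn: str, attr: str = "isMemberOf") -> dict:
    """First answer: read the operational attribute from the user's own entry.
    Operational attributes are not returned by default, so it is listed by name."""
    return {"base": user_dn, "scope": "base", "filter": "(objectClass=*)",
            "attributes": [attr]}

def groups_of(dn: str, directory=DIRECTORY, seen=None) -> List[str]:
    """Reverse 'member' lookup, following nested groups, so user1 is reported in
    cn=subgroupA and in cn=users. Exact DN match here; a real server matches DNs
    case-insensitively. `seen` stops group cycles."""
    seen = set() if seen is None else seen
    for gdn, entry in directory.items():
        if ("groupOfNames" in entry.get("objectClass", [])
                and dn in entry.get("member", []) and gdn not in seen):
            seen.add(gdn)
            groups_of(gdn, directory, seen)
    return sorted(seen)
```

A portal that only does the direct search on 'member' (group_member_filter) sees user1 in cn=subgroupA alone; the nested walk in groups_of is what also reports cn=users.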

Source link: http://www.djcxy.com/p/60882.html
