Posted to dev@directory.apache.org by Avneet Singh <fo...@gmail.com> on 2006/12/01 20:52:55 UTC

Re: Groups in LDAP - Query Algorithms

Hello

I am again asking the people experienced in this matter to comment on my
earlier post on how I can handle integration of my app with existing groups
on an LDAP server.

I have done some research myself, and these are my findings based on it, but
I have not worked with LDAP before, so I am not sure.

I need to meet the deadline, so any help would be great.

Thanks.


On 11/28/06, Avneet Singh <fo...@gmail.com> wrote:
>
> Are these algorithms good to find all kinds of group/user info?
> Requirement - To be able to query existing user/group info from any kind
> of DS (Apache, Active Dir etc.) having any kind of groups (Static, Dynamic
> etc.)
>
> *getAllStaticGroups*()
> {
>  Search: your root naming context
>  Scope: subtree
>  Filter: (&(objectclass=groupofuniquenames))//for any DS
>   (&(objectclass=groupofnames))//for any DS
>   (&(objectclass=group))//for active directory
> }
>
> *getAllDynamicGroups*()
> {
>  Search: your root naming context
>  Scope: subtree
>  Filter: (&(objectclass=groupOfURLs))
> }
>
> *isMemberOfStaticGroup*(groupname,userdn)
> {
>  Search: your root naming context
>  Scope: subtree
>  Filter: (&(objectclass=groupofuniquenames)(cn=groupname)(uniquemember=userdn))//for any DS
>   (&(objectclass=groupofnames)(cn=groupname)(member=userdn))//for any DS
>   (&(objectclass=group)(cn=groupname)(member=userdn))//for active directory
> }
>
> *isMemberOfDynamicGroup*(groupname,userdn)
> {
>  Step 1: Search: your root naming context
>   Scope: subtree
>   Filter: (&(objectclass=groupOfURLs)(cn=groupname))
>  Step 2: use 'memberURL' attribute to check if user is in the group
> }
> If the above are not good, any pointers to already existing algorithms or
> program snippets would be helpful.
>
> Thanks
> Avneet Singh
>
>
>
> On 11/28/06, Stefan Zoerner <st...@labeo.de> wrote:
> >
> > Hi Avneet!
> >
> > Avneet Singh wrote:
> > > Thanks. It was a great article, some general questions though:
> > >
> > > 1. The article was written a while back, are there any
> > > additions/updates to it somewhere on the Internet or does it still
> > > hold good?
> >
> > I know (and like) this article as well, it still holds true for many
> > directories which use these object classes. We have also adopted some
> > algorithms successfully to Active Directory, which uses other object
> > classes, but comparable concepts  ...
> >
> > > 2. Is there no Java API to do simple group search rather than a
> > > developer going into the complexities of several different
> > > possibilities of groups?
> > > 3. Actually ours is a Java app which uses authentication from
> > > customers' LDAP server. Till now we did not have concept of groups but
> > > we need to support that now. Since our customers can have any kind of
> > > pre-existing LDAP schema (and thus any kind of groups), I need to be
> > > able to support all kinds of possibilities in groups. So I was trying
> > > to find some Java API which hides the complexity of so many different
> > > possibilities, how can I achieve that?
> >
> > One option is to make the search filters used in the algorithm
> > configurable (as Tomcat in its JNDI Realm does, for instance).
> >
> > If you use JNDI, another option is to use object and/or state factories
> > to translate between directory entries for groups and Java objects,
> > which represent groups. Learn more about these (widely unknown) JNDI
> > features here:
> >
> > http://java.sun.com/products/jndi/tutorial/objects/factory/index.html
> > http://java.sun.com/products/jndi/tutorial/objects/state/index.html
> >
> > The LDAP Booster Pack for JNDI already provides object and state
> > factories for RFC style groups. They may help (I am not certain, because
> > I do not know your requirements in detail -- for instance they do not
> > work with Active Directory, afaik).
> > You can download these classes here
> > http://java.sun.com/products/jndi/
> >
> > Perhaps two valid ideas, how to abstract from schema details.
> >
> > I hope this helps, Greetings from Frankfurt,
> >     Stefan
> >
> >
>
>
> --
> Regds
> Avneet Singh
> 781-492-4449




-- 
Regds
Avneet Singh
781-492-4449
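
The membership checks sketched in this thread, as an added example that is not part of the original messages or of any Apache Directory code: the three static-group filters are combined into one OR filter with the group name and user DN escaped per RFC 4515, and step 2 of the dynamic-group check is reduced to a single base-scope search on the user's own entry. The function names are hypothetical, the memberURL value is assumed to follow the RFC 4516 LDAP URL layout, and the DN comparison is a simplified normalisation.

```python
import re
from urllib.parse import urlsplit, unquote

# (objectClass, member attribute) pairs taken from the pseudocode in the thread.
STATIC_GROUP_TYPES = [("groupOfUniqueNames", "uniqueMember"),
                      ("groupOfNames", "member"),
                      ("group", "member")]  # Active Directory
_ESCAPES = {"\\": r"\5c", "*": r"\2a", "(": r"\28", ")": r"\29", "\x00": r"\00"}

def escape_filter_value(value):
    """RFC 4515 escaping, so a name cannot change the filter's structure."""
    return "".join(_ESCAPES.get(ch, ch) for ch in value)

def static_membership_filter(groupname, userdn):
    """One OR filter that covers all three static group types in one search."""
    g, u = escape_filter_value(groupname), escape_filter_value(userdn)
    return "(|" + "".join(f"(&(objectClass={oc})(cn={g})({attr}={u}))"
                          for oc, attr in STATIC_GROUP_TYPES) + ")"

def parse_member_url(member_url):
    """Split ldap:///base?attrs?scope?filter into (base, scope, filter)."""
    parts = urlsplit(member_url)
    if parts.scheme not in ("ldap", "ldaps"):
        raise ValueError("not an LDAP URL: " + member_url)
    fields = parts.query.split("?") + ["", "", ""]
    return (unquote(parts.path.lstrip("/")), fields[1].lower() or "base",
            unquote(fields[2]) or "(objectClass=*)")

def _rdns(dn):
    # Simplified DN normalisation: split on unescaped commas, trim, lowercase.
    return [r.strip().lower() for r in re.split(r"(?<!\\),", dn) if r.strip()]

def dynamic_membership_check(member_url, userdn):
    """Return the (base, scope, filter) search that settles step 2, or None
    when the user's DN lies outside the URL's base and scope."""
    base, scope, flt = parse_member_url(member_url)
    user, root = _rdns(userdn), _rdns(base)
    depth = len(user) - len(root)
    if depth < 0 or user[depth:] != root:
        return None
    if (scope == "base" and depth != 0) or (scope == "one" and depth != 1):
        return None
    # Read only the user's own entry; a hit means the URL's filter matches it.
    return (userdn, "base", flt)
```

The tuple returned by `dynamic_membership_check` is meant to be passed to whatever LDAP client the application uses; the user is a member of the dynamic group if that search returns the entry.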