Posted to user@syncope.apache.org by Francesco Chicchiriccò <il...@apache.org> on 2018/05/07 13:59:13 UTC

Re: LDAP hierarchy mapping

On 03/04/2018 20:29, varontron wrote:
> Hi,
>
> Wondering about the best way to map an LDAP hierarchy in 2.0.8...
>
> Use Case:
> -----------
> All P and S entities are instances of 'groupOfNames' ObjectClasses, with DNs
> like:
> cn=P1,ou=groups,dc=ldap,dc=example,dc=com
> cn=S3,cn=P1,ou=groups,dc=ldap,dc=example,dc=com
> cn=S3,cn=P2,ou=groups,dc=ldap,dc=example,dc=com
>
> I considered a flat mapping of users to each of the “P” level and “S” level,
> however that confounds the requirements.  For example, if UserA is a member
> of S3 and P2, and also S2 and P1, a flatter User-to-Group mapping would not
> be able to distinguish the restriction of UserA from S3/P1 stuff.  Only a
> pre-existing relationship between P and S level, that is then, in turn,
> mapped to the user seems to suffice.
>
> What is the most effective method for mapping this hierarchy in Syncope
> 2.0.8?
>
> Is there a JEXL expression for ObjectLink which would preserve this
> relationship “as is” with a “cn” for each level (i.e., DN=“cn=S3,cn=P1,ou…?”
> or DN=“cn=S4,cn=P1,ou…”)
> Is “realms” the way to go, perhaps mapping all “P” levels to realms and “S”
> levels to GROUP types?
> Are custom anytypes (e.g., “P AnyType” and “S AnyType”) applicable?
> Some other option?
> You're doing it wrong?
>
> Any insight you can provide will be most helpful.


Not sure if you have solved this in the meantime, but this should help:

https://syncope.apache.org/docs/reference-guide.html#object-link-realms-hierarchy

Regards.

-- 
Francesco Chicchiriccò

Tirasa - Open Source Excellence
http://www.tirasa.net/

Member at The Apache Software Foundation
Syncope, Cocoon, Olingo, CXF, OpenJPA, PonyMail
http://home.apache.org/~ilgrosso/