Posted to dev@directory.apache.org by Alex Karasulu <ao...@bellsouth.net> on 2003/12/30 19:50:06 UTC

[ldap] Fw: Re: LDAP Group Attribute using Java

Robb,

I think you had asked for a good synopsis of how to handle groups
before.  Gio has done a good job of describing it in this email 
here:

Alex

> -----Original Message-----
> From: Giovanni Baruzzi [mailto:giovanni.baruzzi@syntlogo.de]
> Sent: Monday, December 29, 2003 11:51 AM
> To: hugo@hch.com.ar
> Cc: ldap@umich.edu
> Subject: [ldap] Re: LDAP Group Attribute using Java
> 
> Dear Roberto,
> 
> 
> First of all, there are two or three flavours of groups in LDAP.
> It is left up to you, and the software that you use, which is the right
> one.
> 
> 1. The first flavour is the object class groupOfNames, with the sibling
> groupOfUniqueNames.
> In this approach, you use the attribute "member" (or "uniqueMember" for
> the groupOfUniqueNames) to SIMPLY LIST THE DNs of all members.
> As you know an attribute can have many values and this feature can be
> applied with success to list the members of the group.
> Remember the list contains in this case the distinguished names of the
> members. This may be different in other cases.
> You may use the filter (&(member=<user DN>)(objectclass=groupOfNames))
> or (&(uniqueMember=<user DN>)(objectclass=groupOfUniqueNames)),
> specifying to return ONLY THE DN, to avoid the transmission of the
> complete object, which can be quite big.
> 
> 
> 2. posixGroup: the implementation with the posixGroup defined in
> RFC 2307 is very similar to the groupOfNames. Instead of the
> distinguished names, here just the user ID is being listed. What "user
> ID" is, is up to you to define. In a further release of RFC 2307
> (rfc2307bis), not officially published, the "user ID" has been replaced by
> the distinguished name.
> Use a similar query as in approach 1.
> 
> 3. Dynamic groups: these groups are not instantiated by a physical
> object, as they are just the result of a query on a few attribute values.
> As these groups are easy to administer, they can have relatively long
> query times.
> As for the query, just look in the documentation of the LDAP Server
> supporting the dynamic groups. Not every server supports it, however.
> 
> 
> 4. Groups built on attributes like "memberOf" or other specialised
> attributes. Special cases of approach 3. These specialised
> attributes are often supported by the LDAP server itself, obviating the
> problem of long query times.
> The simple query of the object will return all the values of this
> attribute and hence all the groups where the user is a member.
> 
> Security: If you need high security, use the approaches 1. and 2. With
> simple ACLs you may assign the right to grant membership to a group just
> to a single administrator without impacting the security of other
> groups. If you don't have this requirement, the approaches 3. and 4. may
> do as well.
> 
> Applications: take into account what your applications need: Apache
> (mod_auth_ldap) needs style 1. groups, PAM (Pluggable Authentication
> Modules) needs 2., other applications like e.g. IBM WebSphere need style
> 1.
> Microsoft applications tend to like the 4. style.
> 
> 
> Of course the topic can be further discussed, with the need of group
> "cascading" (i.e. chaining of group membership), mixing the models and so
> on, but this is beyond the scope of a mailing list message.
> 
> Best Regards
> Giovanni
> 
> 
> 
> 
> Hugo Roberto COLOMBO wrote:
> 
> > Dear Sir / Madame,
> >
> > I'm trying to develop Java code where I can get information
> > related to an "ldap member", as you can see in the program code fragment
> > stated below.
> >
> > In RED writing you can see the main part (not the main method)
> > which is working correctly in order to get a user attribute such as the
> > user e-mail address, but the fact is that I need to establish a
> > group user membership, and as I can only validate a user for accessing
> > the LDAP, I really don't know how I can take some knowledge about
> > user group membership.
> >
> > If you can help me I'll be very grateful to you.
> >
> > Merry Xmas and Happy New Year.
> > Yours sincerely, Hugo COLOMBO
> >
> >
> >
> > import java.io.*;
> > import java.util.*;
> > import java.text.*;
> > import javax.mail.*;
> > import javax.servlet.*;
> 
> 
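Since Hugo asked for the Java side of this, here is an added example (not code from either message) of Giovanni's style 1 and style 2 searches done with JNDI. It assumes a DirContext that is already bound the way Hugo's existing code binds, a base DN of your choice, and it escapes the user's DN or uid per RFC 4515 before putting it into the filter, so a value taken from a login form cannot change the filter's structure.

```java
import java.util.ArrayList;
import java.util.List;
import javax.naming.NamingEnumeration;
import javax.naming.NamingException;
import javax.naming.directory.*;

/** Lists the groups a user belongs to with style 1 and style 2 searches. */
public class GroupLookup {

    // Escape a filter assertion value (RFC 4515) so a DN or uid that came
    // from user input cannot alter the structure of the search filter.
    static String escapeFilterValue(String value) {
        StringBuilder sb = new StringBuilder();
        for (char c : value.toCharArray()) {
            switch (c) {
                case '\\': sb.append("\\5c"); break;
                case '*':  sb.append("\\2a"); break;
                case '(':  sb.append("\\28"); break;
                case ')':  sb.append("\\29"); break;
                case '\0': sb.append("\\00"); break;
                default:   sb.append(c);
            }
        }
        return sb.toString();
    }

    // Style 1: groupOfNames lists member DNs. Style 2: posixGroup (RFC 2307) lists user IDs in memberUid.
    static String groupOfNamesFilter(String userDn) {
        return "(&(member=" + escapeFilterValue(userDn) + ")(objectclass=groupOfNames))";
    }
    static String posixGroupFilter(String uid) {
        return "(&(memberUid=" + escapeFilterValue(uid) + ")(objectclass=posixGroup))";
    }

    // Returns only the group DNs: an empty attribute array tells JNDI to request no
    // attributes at all, which is the "return only the DN" advice from the reply above.
    static List<String> findGroups(DirContext ctx, String baseDn, String filter) throws NamingException {
        SearchControls sc = new SearchControls();
        sc.setSearchScope(SearchControls.SUBTREE_SCOPE);
        sc.setReturningAttributes(new String[0]);
        List<String> groups = new ArrayList<>();
        NamingEnumeration<SearchResult> results = ctx.search(baseDn, filter, sc);
        while (results.hasMore()) groups.add(results.next().getNameInNamespace());
        return groups;
    }
}
```

With the bound context from Hugo's code, `findGroups(ctx, "ou=groups,dc=example,dc=com", groupOfNamesFilter(userDn))` (base DN assumed) gives the style 1 groups, and `posixGroupFilter(uid)` does the same for style 2.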