directory-dev mailing list archives

From "Avneet Singh" <foravn...@gmail.com>
Subject Re: Groups in LDAP - Query Algorithms
Date Wed, 29 Nov 2006 02:10:55 GMT
Are these algorithms good to find all kinds of groups/user info?
Requirement - To be able to query existing user/group info from any kind of
DS (Apache, Active Dir etc.) having any kind of groups (Static, Dynamic etc.)

*getAllStaticGroups*()
{
 Search: your root naming context
 Scope: subtree
 Filter: (&(objectclass=groupofuniquenames))//for any DS
  (&(objectclass=groupofnames))//for any DS
  (&(objectclass=group))//for active directory
}

*getAllDynamicGroups*()
{
 Search: your root naming context
 Scope: subtree
 Filter: (&(objectclass=groupOfURLs))
}

*isMemberOfStaticGroup*(groupname,userdn)
{
 Search: your root naming context
 Scope: subtree
 Filter: (&(objectclass=groupofuniquenames)(cn=groupname)(uniquemember=userdn))//for any DS
  (&(objectclass=groupofnames)(cn=groupname)(member=userdn))//for any DS
  (&(objectclass=group)(cn=groupname)(member=userdn))//for active directory
}

*isMemberOfDynamicGroup*(groupname,userdn)
{
 Step 1: Search: your root naming context
  Scope: subtree
  Filter: (&(objectclass=groupOfURLs)(cn=groupname))
 Step 2: use 'memberURL' attribute to chk if user is in the group
}
If the above are not good, any pointers to already existing algo/program
snippets would be helpful.

Thanks
Avneet Singh



On 11/28/06, Stefan Zoerner <stefan@labeo.de> wrote:
>
> Hi Avneet!
>
> Avneet Singh wrote:
> > Thanks ..It was a great article, some general questions though-
> >
> > 1. The article was written a while back, are there any
> > additions/updations to it somewhere on the Internet or does it still
> > hold good?
>
> I know (and like) this article as well, it still holds true for many
> directories which use these object classes. We have also adopted some
> algorithms successfully to Active Directory, which uses other object
> classes, but comparable concepts  ...
>
> > 2. Is there no Java API to do simple group search rather than a
> > developer going into the complexities of several different possibilities
> > of groups?
> > 3. Actually ours is a Java app which uses authentication from customers'
> > LDAP server. Till now we did not have a concept of groups but we need to
> > support that now. Since our customers can have any kind of pre-existing
> > LDAP schema (and thus any kind of groups), I need to be able to support
> > all kinds of possibilities in groups. So I was trying to find some Java
> > API which hides the complexity of so many different possibilities, how can I
> > achieve that?
>
> One option is to make the search filters used in the algorithm
> configurable (as Tomcat in its JNDI Realm does, for instance).
>
> If you use JNDI, another option is to use object and/or state factories
> to translate between directory entries for groups and Java objects,
> which represent groups. Learn more about these (widely unknown) JNDI
> features here:
>
> http://java.sun.com/products/jndi/tutorial/objects/factory/index.html
> http://java.sun.com/products/jndi/tutorial/objects/state/index.html
>
> The LDAP Booster Pack for JNDI already provides object and state
> factories for RFC style groups. They may help (I am not certain, because
> I do not know your requirements in detail -- for instance they do not
> work with Active Directory, afaik).
> You can download these classes here
> http://java.sun.com/products/jndi/
>
> Perhaps two valid ideas, how to abstract from schema details.
>
> I hope this helps, Greetings from Frankfurt,
>     Stefan
>
>


-- 
Regds
Avneet Singh
781-492-4449
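
Step 2 of isMemberOfDynamicGroup above, sketched in Python as an added example that is not part of the original message: it parses a groupOfURLs memberURL value (RFC 4516) and builds the base-scope search that confirms membership, escaping the group name per RFC 4515 before it goes into the step 1 filter. The function names, sample URL and user DN are constructed for illustration, and the DN comparison is a simplification.

```python
import re
from urllib.parse import unquote

# Constructed sample values, not taken from the thread.
SAMPLE_URL = "ldap:///ou=people,dc=example,dc=com??sub?(departmentNumber=42)"
SAMPLE_USER = "uid=jdoe,ou=People,dc=example,dc=com"

def escape_filter_value(value):
    """RFC 4515 escaping so a caller-supplied name or DN stays a literal value."""
    return "".join("\\%02x" % ord(c) if c in "\\*()\x00" else c for c in value)

def dynamic_group_filter(groupname):
    """Step 1 filter from the post, with the group name escaped."""
    return "(&(objectclass=groupOfURLs)(cn=%s))" % escape_filter_value(groupname)

def parse_member_url(url):
    """Split an RFC 4516 LDAP URL into (base DN, scope, filter)."""
    if not url.lower().startswith(("ldap://", "ldaps://")):
        raise ValueError("not an LDAP URL: %r" % url)
    rest = url.split("://", 1)[1].partition("/")[2]   # drop host:port
    fields = [unquote(f) for f in rest.split("?")] + [""] * 3
    base, scope, flt = fields[0], fields[2].lower() or "base", fields[3]
    if scope not in ("base", "one", "sub"):
        raise ValueError("unknown scope: %r" % scope)
    return base, scope, flt or "(objectClass=*)"

def rdns(dn):
    # Assumption: simplified DN normalisation (split on unescaped commas,
    # case-fold); a real client should use its library's DN parser.
    return [r.strip().lower() for r in re.split(r"(?<!\\),", dn) if r.strip()]

def in_scope(userdn, base, scope):
    """True if userdn lies inside the subtree/level the URL selects."""
    u, b = rdns(userdn), rdns(base)
    if u[len(u) - len(b):] != b:
        return False
    depth = len(u) - len(b)
    return {"base": depth == 0, "one": depth == 1, "sub": depth >= 0}[scope]

def dynamic_membership_check(member_url, userdn):
    """Step 2: return the (base, scope, filter) of the confirming search, or
    None when the user's DN is outside the URL's base and scope. The user is
    a member if that base-scope search on their own entry returns it."""
    base, scope, flt = parse_member_url(member_url)
    if not in_scope(userdn, base, scope):
        return None
    return (userdn, "base", flt)

if __name__ == "__main__":
    print(dynamic_group_filter("ops (eu)"))
    print(dynamic_membership_check(SAMPLE_URL, SAMPLE_USER))
```

The filter taken from memberURL is passed through unchanged because it comes from the group entry itself; only caller-supplied values such as groupname go through escape_filter_value.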
