Are these algorithms good to find all kinds of group/user info?
Requirement - To be able to query existing user/group info from any kind of DS (Apache, Active Dir etc.) having any kind of groups (static, dynamic etc.)

 Search: your root naming context
 Scope: subtree
 Filter: (&(objectclass=groupofuniquenames))//for any DS
  (&(objectclass=groupofnames))//for any DS
  (&(objectclass=group))//for active directory

 Search: your root naming context
 Scope: subtree
 Filter: (&(objectclass=groupOfURLs))

 Search: your root naming context
 Scope: subtree
 Filter: (&(objectclass=groupofuniquenames)(cn=groupname)(uniquemember=userdn))//for any DS
  (&(objectclass=groupofnames)(cn=groupname)(member=userdn))//for any DS
  (&(objectclass=group)(cn=groupname)(member=userdn))//for active directory

 Step 1: Search: your root naming context
  Scope: subtree
  Filter: (&(objectclass=groupOfURLs)(cn=groupname))
 Step 2: use 'memberURL' attribute to check if user is in the group

If the above are not good, any pointers to already existing algorithm/program snippets would be helpful.
Avneet Singh

On 11/28/06, Stefan Zoerner <> wrote:
Hi Avneet!

Avneet Singh wrote:
> Thanks. It was a great article; some general questions though:
> 1. The article was written a while back. Are there any
> additions/updates to it somewhere on the Internet, or does it still
> hold good?

I know (and like) this article as well; it still holds true for many
directories which use these object classes. We have also adapted some
algorithms successfully to Active Directory, which uses other object
classes but comparable concepts ...

> 2. Is there no Java API to do a simple group search rather than a
> developer going into the complexities of several different possibilities
> of groups?
> 3. Actually ours is a Java app which uses authentication from customers'
> LDAP server. Till now we did not have the concept of groups, but we need to
> support that now. Since our customers can have any kind of pre-existing
> LDAP schema (and thus any kind of groups), I need to be able to support
> all kinds of possibilities in groups. So I was trying to find some Java
> API which hides the complexity of so many different possibilities. How can I
> achieve that?

One option is to make the search filters used in the algorithm
configurable (as Tomcat in its JNDI Realm does, for instance).

If you use JNDI, another option is to use object and/or state factories
to translate between directory entries for groups and Java objects
which represent groups. Learn more about this (widely unknown) JNDI
feature here:

The LDAP Booster Pack for JNDI already provides object and state
factories for RFC style groups. They may help (I am not certain, because
I do not know your requirements in detail -- for instance they do not
work with Active Directory, afaik).
You can download these classes here

Perhaps two valid ideas on how to abstract from schema details.

I hope this helps. Greetings from Frankfurt,

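Step 2 of the dynamic-group procedure in Avneet's post (evaluating a group's memberURL values against a user) is the part with no ready-made filter, so here is an added, self-contained illustration of it; this is example code written for this thread, not code from the article, the Booster Pack or any directory server. It simulates the directory with an in-memory dict of constructed entries, supports the RFC 2255 `ldap:///base?attrs?scope?filter` URL form, and evaluates only the `&`, `|`, `!`, equality and presence filter elements; DN comparison is a plain lower-cased string compare, not full RFC 4514 normalisation.

```python
from urllib.parse import unquote

def parse_member_url(url):
    """Split an RFC 2255 style 'ldap:///base?attrs?scope?filter' value."""
    if not url.lower().startswith("ldap:///"):
        raise ValueError("only ldap:/// member URLs are handled here")
    base, _attrs, scope, flt = (url[8:] + "???").split("?")[:4]
    return unquote(base).lower(), (scope or "base").lower(), unquote(flt) or "(objectClass=*)"

def in_scope(user_dn, base, scope):
    """Naive DN containment check (lower-cased string compare, no RDN normalisation)."""
    dn = user_dn.lower()
    if scope == "base":
        return dn == base
    if not (dn == base or dn.endswith("," + base)):
        return False
    return scope == "sub" or dn.count(",") == base.count(",") + 1  # 'one' = direct child only

def match_filter(flt, entry):
    """Minimal RFC 4515 evaluator: &, |, !, equality and presence (attr=*)."""
    body = flt.strip()[1:-1]
    if body[:1] in ("&", "|", "!"):
        subs, depth, start = [], 0, 1
        for i, ch in enumerate(body[1:], 1):  # split the top-level sub-filters
            depth += (ch == "(") - (ch == ")")
            if depth == 0:
                subs.append(body[start:i + 1])
                start = i + 1
        results = [match_filter(s, entry) for s in subs]
        return all(results) if body[0] == "&" else any(results) if body[0] == "|" else not results[0]
    attr, _, value = body.partition("=")
    values = [v.lower() for v in {k.lower(): v for k, v in entry.items()}.get(attr.lower(), [])]
    return bool(values) if value == "*" else value.lower() in values

def is_dynamic_member(member_urls, user_dn, user_entry):
    """Step 2 of the dynamic-group check: the user is a member if any memberURL selects it."""
    return any(in_scope(user_dn, base, scope) and match_filter(flt, user_entry)
               for base, scope, flt in map(parse_member_url, member_urls))

# Constructed sample data standing in for one groupOfURLs entry and three user entries.
GROUP_MEMBER_URLS = ["ldap:///ou=People,dc=example,dc=com??sub?(&(objectClass=person)(department=Engineering))"]
USERS = {
    "uid=alice,ou=People,dc=example,dc=com": {"objectClass": ["top", "person"], "department": ["Engineering"]},
    "uid=bob,ou=People,dc=example,dc=com": {"objectClass": ["top", "person"], "department": ["Sales"]},
    "uid=carol,ou=Contractors,dc=example,dc=com": {"objectClass": ["top", "person"], "department": ["Engineering"]},
}

def members(member_urls=GROUP_MEMBER_URLS, users=USERS):
    """Resolve the dynamic group's membership against the in-memory entries."""
    return sorted(dn for dn, entry in users.items() if is_dynamic_member(member_urls, dn, entry))
```

Against a real server the same two checks are what the directory performs when it expands a memberURL, so bob (wrong department) and carol (outside the URL's base) are excluded while alice is a member.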