directory-users mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From Linus van Geuns <li...@vangeuns.name>
Subject Re: memberOf attribute
Date Sun, 07 Mar 2010 13:25:10 GMT
Hi!

On Sun, Mar 7, 2010 at 1:44 PM, Stefan Zoerner <stefan@labeo.de> wrote:
> Hi Bill,
>
> Bill Keirskie wrote:
>>
>> I have a web application that I am trying to authenticate to ApacheDS.
>>  The web application can authenticate the user against ApacheDS, but cannot
>> obtain a list of groups the user belohas membership to.  Upon login, the web
>> application syncs the user's groups with it's internal database for role
>> based permissions based on the LDAP groups.  That way, user and group
>> membership is managed at the LDAP server and not by the application.  The
>> web application has a configuration of <attribute mode='memberOf'
>> name='ou=WebAppUserAccounts,dc=example,dc=net'/>.  I can change the memberOf
>> to whatever objectclass it needs to be, but so far, nothing has worked.
>>  I've tried "isMemberOf", "member" "uniqueMember", and a few others.  I can
>> make this work against Active Directory, but I would like to use ApacheDS
>> for this particular project.
>
> I am still not quite sure what you are exactly doing. The ApacheDS side
> seems to be clear (although version number, OS etc. would be nice), but what
> type of web application server are you using? Is it a Java EE web
> application created by you (or 3rd party?) deployed on a Java EE compliant
> server (which one)? The configuration line

I guess, your web app was designed for M$ Active Directory, as it
stores group memberships in the groups object AND in the users object
using 'memberOf' attribute.

Standard LDAP only stores group membership in the group objects. So if
you want all the groups your user belongs to and your groups are of
class 'groupOfNames' you need to search for every _group_ _object_
containing the user objects distinguished name as a value of it's
'member' attribute.

So, you will need to do two LDAP searches:
1.) find user object
2.) find all group objects containing user objects distinguished name
as value of attribute member

Hope, this helped..

Regards, Linus

Mime
View raw message