Group and Member objects

Grouper Training
Developers and Architects
LDAP
Shilen Patel
Duke University
This work is licensed under a Creative Commons Attribution-NonCommercial 3.0 Unported License.
Contents
• Introduction
• Advantages and disadvantages
• Flat vs bushy structure
• Group and Member objects – Active Directory
• Group and Member objects – OpenLDAP
• Other group attributes
• Flattened memberships vs direct memberships only
• Tips on performing queries
Introduction
Introduction (continued)
• Example LDAP structure:
  dc=example,dc=edu
    • ou=people
      – uid=bob
        » uid: bob
        » givenName: Bob
        » sn: Smith
        » displayName: Bob Smith
        » memberOf: cn=staff,ou=employees,ou=groups,dc=example,dc=edu
      – uid=john
    • ou=groups
      • ou=employees
        – cn=staff
          » cn: staff
          » description: All staff at the institution
          » member: uid=bob,ou=people,dc=example,dc=edu
          » member: uid=john,ou=people,dc=example,dc=edu
        – cn=faculty
Advantages and disadvantages
• Advantages
  – Integration with third party applications.
  – Performance
  – High availability
• Disadvantages
  – Read only
  – Handling privileges
Flat vs bushy structure
• Flat: cn is typically the full group name (ID Path).
• Bushy: each ou represents a Grouper folder, and its value is the stem extension (Folder ID); cn is typically the group extension (ID).
Group and Member objects – Active Directory
• Group objects
  – Group object class is “group”.
  – sAMAccountName attribute – May be generated directly by AD or as part of the group provisioning.
  – member attribute – LDAP entry DNs of subjects that are members of the group.
Group and Member objects – Active Directory (continued)
• Member objects
  – memberOf attribute – LDAP entry DNs of groups that this subject is a member of. This is a computed attribute.
Group and Member objects – OpenLDAP
• Group objects
  – Group object class is “groupOfNames” by default. May also use eduMember.
  – hasMember attribute – names of subjects that are members of the group.
  – isMemberOf attribute – names of groups that this group is a member of.
  – member attribute – LDAP entry DNs of subjects that are members of the group.
  – memberOf attribute – LDAP entry DNs of groups that this group is a member of.
Group and Member objects – OpenLDAP (continued)
• Member objects
  – isMemberOf – names of groups that this subject is a member of.
  – memberOf – LDAP entry DNs of groups that this subject is a member of.
Other Group Attributes
• Any group attribute in Grouper can be provisioned
to an attribute in LDAP.
• For instance, a group’s description may be kept in
the description attribute in LDAP.
Flattened memberships vs direct memberships only
• Depending on how LDAP is provisioned, a group’s member attribute may be based on a flattened list (direct and indirect) or only contain direct members.
• If only direct memberships are provisioned and a group has another group as a member, then the first group will still have the second group’s DN in its member list. But applications have to take that into account when performing queries.
• Note that if you need to get all (direct and indirect) groups for a person, some directories (such as AD and Oracle DSEE) can automatically get indirect memberships to avoid multiple calls to the LDAP server.
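Added example (not from this deck or from Grouper) of what an application has to do when only direct memberships are provisioned: it walks nested groups itself, stops on cycles, and normalises DNs before comparing them. The in-memory directory, the cn=all-employees group and the cycle through cn=faculty are constructed assumptions for illustration.

```python
from collections import deque

def norm(dn):
    """Normalise a DN for comparison: DNs are case-insensitive, spaces after commas are not significant."""
    return ",".join(p.strip() for p in dn.split(",")).lower()

# Constructed stand-in for the Introduction slide's entries, plus two assumed groups (nesting and a cycle).
DIRECTORY = {
    "uid=bob,ou=people,dc=example,dc=edu": {"objectClass": ["person"]},
    "uid=john,ou=people,dc=example,dc=edu": {"objectClass": ["person"]},
    "cn=staff,ou=employees,ou=groups,dc=example,dc=edu": {
        "objectClass": ["groupOfNames"],
        "member": ["uid=bob,ou=people,dc=example,dc=edu",
                   "uid=john,ou=people,dc=example,dc=edu"]},
    "cn=all-employees,ou=employees,ou=groups,dc=example,dc=edu": {
        "objectClass": ["groupOfNames"],  # nests cn=staff and cn=faculty
        "member": ["cn=staff,ou=employees,ou=groups,dc=example,dc=edu",
                   "cn=faculty,ou=employees,ou=groups,dc=example,dc=edu"]},
    "cn=faculty,ou=employees,ou=groups,dc=example,dc=edu": {
        "objectClass": ["groupOfNames"],  # cycle back to cn=all-employees
        "member": ["cn=all-employees,ou=employees,ou=groups,dc=example,dc=edu"]},
}
ENTRIES = {norm(dn): attrs for dn, attrs in DIRECTORY.items()}

def is_group(dn):
    classes = ENTRIES.get(norm(dn), {}).get("objectClass", [])
    return any(c.lower() == "groupofnames" for c in classes)

def direct_members(group_dn):
    """What the member attribute holds when only direct memberships are provisioned."""
    return {norm(m) for m in ENTRIES.get(norm(group_dn), {}).get("member", [])}

def flattened_members(group_dn):
    """Non-group members reachable through nested groups (breadth-first, cycle-safe)."""
    seen, people, queue = set(), set(), deque([norm(group_dn)])
    while queue:
        g = queue.popleft()
        if g in seen:
            continue  # already expanded, so a cycle cannot loop forever
        seen.add(g)
        for m in direct_members(g):
            if is_group(m):
                queue.append(m)
            else:
                people.add(m)
    return people

def is_member(person_dn, group_dn, flattened=True):
    # flattened=False is the naive check against the direct member list only; it misses nested members
    members = flattened_members(group_dn) if flattened else direct_members(group_dn)
    return norm(person_dn) in members
```

An authorization check that only reads the direct member list would deny bob access to cn=all-employees even though he is a member through cn=staff.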
Tips on Performing Queries
• Set the search base correctly.
• Set the scope correctly.
  – Base
  – One
  – Subtree
• Be aware of client and server limits (e.g. size limit and time limit).
Tips on Performing Queries (continued)
• If you want to see if a person is in a group (and flattened memberships are provisioned), you can:
  – Get all of the group’s members by retrieving the member attribute of the group object. (Likely bad for performance.)
  – Get all of the person’s groups by retrieving the memberOf attribute of the member object. (Could be bad for performance.)
  – Perform a (member=DN) query with a search base of the group’s DN without retrieving the member attribute.
  – Use the LDAP compare operation to see if the group object contains an attribute/value pair. The attribute would be “member” and the value would be the DN of the member object.
Quiz
Click on the quiz link in the video
description to reinforce your knowledge of
this topic.
Thanks!
Further information:
• Infosheets, mailing lists, wiki, downloads, etc.: www.internet2.edu/grouper
• Grouper demo server: grouperdemo.internet2.edu/
• Grouper Online Training Home: spaces.internet2.edu/x/IIGfAQ