What type of group to choose in OpenLDAP for grouping users

Tags: ldap, openldap

I need to know what kind of group I should use for grouping users in LDAP.

I basically need the MemberOf function, to get some permissions based on group membership.

Example:

  • Users
    • User 1
    • User 2
    • User 3
  • Groups
    • Group 1
    • Group 2

User 1 is member of Group 1 and Group 2.

The groups need to be dynamic, like Active Directory.

The question comes up because I have these to choose from:

  • Samba: Group Mapping
  • User Group
  • Generic: Posix Group

The same goes for users: which one should I choose?

  • Generic: User Account
  • Samba: Account

I can't find a good site where the differences are shown; any link will be much appreciated.

Asked by JorgeeFG, Apr 04 '13 17:04



1 Answer

LDAP/X.500 defines only group objects which have member attributes; the inverse relation, where a user object has a memberOf attribute, can be achieved in OpenLDAP with the memberof overlay. NDS/eDir and AD make this happen by magic. LDAP proper does not define dynamic bi-directional member/group objects/attributes. Related to that overlay is the refint overlay, which helps complete the illusion (and also addresses the mildly irritating problem of a group always requiring at least one member).

There are generally two interesting group types to pick from, groupOfNames or groupOfUniqueNames; the first one, groupOfNames, is suitable for most purposes. The latter, groupOfUniqueNames, has a slightly esoteric feature: it allows the member DN to contain a numeric UID suffix, to preserve uniqueness of members across time should DNs be reassigned to different entities. Neither form enforces unique DNs in the list of members.

Other types of groups have distinct purposes (defined by schema and application). A less common group-type object is RFC 2256 roles (organizationalRole type, with roleOccupant attribute); this is implicitly used for role-based access control, but is otherwise similar to the other group types (thanks to EJP for the tip).

The posixGroup type represents the conventional Unix groups, identified by a gidNumber and listing memberUid values. It is not a general-purpose group object in the DIT; it's up to the application (i.e. the LDAP client layer) to implement/observe it.

When it comes to user accounts, account object types should not be thought of as exclusive; each type typically adds attributes to a user object in a compatible way (though an objectClass can be exclusive if it's structural, that's not something you'll often have to worry about generally).

Answered by mr.spuratic, Oct 11 '22 15:10
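The overlay setup the answer describes, as an added example that is not part of the original answer: cn=config LDIF that loads the memberof and refint overlays and then adds a groupOfNames entry whose members automatically receive memberOf. It assumes a slapd with an existing cn=module{0} entry, the data in olcDatabase={1}mdb, the suffix dc=example,dc=com and an admin DN of cn=admin,dc=example,dc=com; adjust these to your directory.

```ldif
# Step 1: load the overlay modules (bind as the root DSA, e.g.
# ldapadd -Y EXTERNAL -H ldapi:/// -f this-file). Skip if slapd was
# built with the overlays compiled in statically.
dn: cn=module{0},cn=config
changetype: modify
add: olcModuleLoad
olcModuleLoad: memberof.la
-
add: olcModuleLoad
olcModuleLoad: refint.la

# Step 2: memberof overlay on the data database (assumed {1}mdb).
# Maintains memberOf on user entries whenever a groupOfNames gains or
# loses a member. It is not retroactive: groups that already exist must
# be re-added for their members to get memberOf.
dn: olcOverlay=memberof,olcDatabase={1}mdb,cn=config
changetype: add
objectClass: olcOverlayConfig
objectClass: olcMemberOf
olcOverlay: memberof
olcMemberOfDangling: ignore
olcMemberOfRefInt: TRUE
olcMemberOfGroupOC: groupOfNames
olcMemberOfMemberAD: member
olcMemberOfMemberOfAD: memberOf

# Step 3: refint overlay. When a user entry is deleted or renamed, every
# member/memberOf reference to it is fixed up; if that would empty a
# group's mandatory member attribute, olcRefintNothing is substituted so
# the group stays schema-valid (the "at least one member" problem).
dn: olcOverlay=refint,olcDatabase={1}mdb,cn=config
changetype: add
objectClass: olcOverlayConfig
objectClass: olcRefintConfig
olcOverlay: refint
olcRefintAttribute: memberof member manager owner
olcRefintNothing: cn=admin,dc=example,dc=com

# Step 4: a plain groupOfNames (load with the admin DN, not as root DSA).
# Assumed user DNs; the overlay adds memberOf to each listed entry.
dn: cn=group1,ou=groups,dc=example,dc=com
changetype: add
objectClass: groupOfNames
cn: group1
member: uid=user1,ou=users,dc=example,dc=com
member: uid=user2,ou=users,dc=example,dc=com
```

memberOf is an operational attribute here, so a search must request it explicitly (e.g. `ldapsearch -x -b uid=user1,ou=users,dc=example,dc=com memberOf`); an application that authorizes on group membership should also constrain who may write member on group entries via ACLs, since that attribute is what ultimately drives memberOf.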