5

I am a total LDAP newbie and I am just researching if I can use it for my next project or better stay away from it. The project will depend heavily on the concept of nested groups and I frequently need to know in which groups a user is (also in which supergroups), which users are in which group and how many people are in a group (including subgroups). I tried to read about nested groups in LDAP but it is hard to find good literature on that topic. So far the best I found is: http://middleware.internet2.edu/dir/groups/docs/internet2-mace-dir-groups-best-practices-200210.htm which kind of recommends forward references.

Is there any other documentation describing nested groups? By now I am not limited by an implementation so it can be e.g. openLDAP specific.

I am also open to all recommendations regarding nested groups.

Thanks, Markus

  • By "Group" do you mean LDAP groupOfNames / groupofUniqueNames objects, posixGroup objects, or something else? Also what's your current "nested groups" solution - that may give a clue as to what LDAP functionality you want to look at... – voretaq7 Mar 02 '10 at 15:57
  • It's a project that starts from scratch. So there is no current solution. If I use no LDAP, I'll possibly try a tree based database. The requirements are pretty basic: - groups should contain/reference users and other groups - users in subgroups should be returned when the corresponding supergroup is requested - The main client will be a custom web application - The layout should be as "standard" compatible as possible to connect e.g. mail clients to retrieve contact details. –  Mar 02 '10 at 16:10
  • If you are still looking at technologies active directory ( and by extension AD-LDS) has a filter to do what you are looking for. You would use LDAP_MATCHING_RULE_IN_CHAIN and it has an OID of 1.2.840.113556.1.4.1941. This rule allows us to search across all DN-syntax attributes recursively and evaluate the entire tree of relationships. – Jim B Mar 02 '10 at 17:47
  • related: [How are nested groups in LDAP normally implemented?](http://stackoverflow.com/questions/4607361) – Brad Mace Jan 31 '13 at 02:58
  • LDAP as implemented by Microsoft and Samba are very well equipped to handle nested groups. What trips up most people is that memberOf is a computed attribute. Further, primary group membership is actually an ID mapping and not actually 'first class' group membership. The danger in nested groups is circular membership and the unexpected results that can lead to. If your needs are not programmatic in nature, take a look at [Steelhive.com](https://www.steelhive.com). Our product, Carbon, is excellent at graphing and managing nested group membership. – Will Apr 06 '15 at 18:23

2 Answers

2

Sounds like you could go with groupOfNames - that object contains a collection of LDAP Distinguished Names, so it can hold users and other groups without a problem. The caveat is unwinding the membership tree (and ensuring there are no cycles in it, or handling cycles gracefully) is the responsibility of your software.

I've never done the forward references thing myself (I prefer the "Group has these Members" approach above rather than "Member is in these Groups" - my brain has an easier time with it), but my group structures are typically discrete, non-nested memberships so there may be advantages I'm overlooking.

voretaq7
  • If I go this route and choose static groups, I can easily get all the member DNs using a search filter. But how would I proceed if I now would like to get the email addresses from all returned members? Iterating over the result and getting the desired attribute seems very costly. With forward referencing I can get everything in one call. –  Mar 04 '10 at 10:13
  • Sorry, my last comment was insufficient. I plan to have a "people" and a "groups" branch as every user can be in multiple groups. Therefore the ldapsearch can only return the member DNs that reference the users in the people branch. –  Mar 04 '10 at 11:16
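The membership unwinding and cycle handling this answer leaves to the application, shown as an added example that is not the answerer's code: a small resolver over groupOfNames entries that flattens a group to its users, computes the supergroups of a user (what a computed memberOf would answer) and collects the mail attribute the follow-up comment asks about. The DIRECTORY dict, DNs and addresses are constructed sample data; lookup() stands in for a base-scope search against a real server.

```python
# Constructed sample directory (not real data), DN -> attributes. It holds a
# deliberate membership cycle: cn=devs -> cn=backend -> cn=devs.
P, G = "ou=people,dc=example,dc=com", "ou=groups,dc=example,dc=com"
DIRECTORY = {
    f"uid=alice,{P}": {"objectClass": ["inetOrgPerson"], "mail": ["alice@example.com"]},
    f"uid=bob,{P}": {"objectClass": ["inetOrgPerson"], "mail": ["bob@example.com"]},
    f"uid=carol,{P}": {"objectClass": ["inetOrgPerson"], "mail": ["carol@example.com"]},
    f"cn=backend,{G}": {"objectClass": ["groupOfNames"], "member": [f"uid=bob,{P}", f"cn=devs,{G}"]},
    f"cn=devs,{G}": {"objectClass": ["groupOfNames"], "member": [f"uid=alice,{P}", f"cn=backend,{G}"]},
    f"cn=all-staff,{G}": {"objectClass": ["groupOfNames"], "member": [f"cn=devs,{G}", f"uid=carol,{P}"]},
}

def lookup(dn):
    # Stand-in for one base-scope search returning objectClass, member and mail.
    return DIRECTORY.get(dn, {})

def flatten_members(group_dn):
    """User DNs reachable from group_dn through nested groups, cycle-safe."""
    users, visited, stack = set(), set(), [group_dn]
    while stack:
        dn = stack.pop()
        if dn in visited:
            continue            # seen before: breaks cycles, avoids re-expanding
        visited.add(dn)
        entry = lookup(dn)
        if "groupOfNames" in entry.get("objectClass", []):
            stack.extend(entry.get("member", []))
        else:
            users.add(dn)
    return users

def groups_of(user_dn):
    """Groups holding user_dn directly or via supergroups (a computed memberOf)."""
    parents = {}
    for dn, entry in DIRECTORY.items():
        for m in entry.get("member", []):
            parents.setdefault(m, []).append(dn)    # reverse the member edges
    found, stack = set(), [user_dn]
    while stack:
        for g in parents.get(stack.pop(), []):
            if g not in found:                       # found doubles as visited set
                found.add(g)
                stack.append(g)
    return found

def member_mails(group_dn):
    # One extra lookup per member: the per-entry cost the comment above worries about.
    return sorted(lookup(u)["mail"][0] for u in flatten_members(group_dn))
```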
1

OpenLDAP can use nested groups in access control rules, explained in detail here: http://www.openldap.org/faq/data/cache/1133.html

Nested groups can also be used for linux logins when set up using the directions in this answer: dn-based linux groups from ldap

Whether other applications make use of nested groups is up to them. I know that Samba does, while Openfire does not. I've also created a set of PHP classes to allow our intranet applications to use nested groups. It wasn't exactly hard, it just took a little time.

Brad Mace