How to handle nested groups in LDAP

ldap openldap

Solution 1:

Sounds like you could go with groupOfNames - that object contains a collection of LDAP Distinguished Names, so it can hold users and other groups without a problem. The caveat is unwinding the membership tree (and ensuring there are no cycles in it, or handling cycles gracefully) is the responsibility of your software.

I've never done the forward references thing myself (I prefer the "Group has these Members" approach above rather than "Member is in these Groups" - my brain has an easier time with it), but my group structures are typically discrete, non-nested memberships so there may be advantages I'm overlooking.

Solution 2:

OpenLDAP can use nested groups in access control rules, explained in detail here: http://www.openldap.org/faq/data/cache/1133.html

Nested groups can also be used for linux logins when set up using the directions in this answer: dn-based linux groups from ldap

Whether other applications make use of nested groups is up to them. I know that Samba does, while Openfire does not. I've also created a set of PHP classes to allow our intranet applications to use nested groups. It wasn't exactly hard, it just took a little time.

Related

ESX hosts lose connectivity with iSCSI SAN LUNs
sendmail on ubuntu (9.10) machine "stopped" sending mail
How to Set Linux Bonding Interface to Gigabit
Allow and restrict remote sql server access
Log every IP connecting on a system with iptables
Web-based (intranet / non-hosted) timesheet / project tracking tools
How to back up HP recovery partition
Recover backup copy of a ubuntu linux installation on a usb stick using dd
What does the number after 7-zip's -m switch mean?
What is windows way to do `mount -o loop,rw,offset=X`?
default file permissions for ftp uploads in ubuntu (vsftpd)
Do Thunderbolt monitors use the multiplexed DisplayPort signal?