In Novell there is an attribute called GroupMembership that will get all the groups a 
user is in.  Try that.  Here is my query
<CFLDAP NAME="GetGroups"
        ACTION="Query"
        SERVER="xxx.xxx.xxx.xxx"
        ATTRIBUTES="groupMembership"
        SCOPE="SUBTREE"
        START="ou=campus,o=osu_mc"
        FILTER="cn=#SESSION.LOGIN#">
<!--- SESSION.LOGIN is spliced into the filter unescaped; it must be the value set at login, never raw form input --->
<CFOUTPUT QUERY="GetGroups">
  <CFSET member = GetGroups.groupMembership>
  <!--- groupMembership comes back empty when the user is in no groups, so compare to "" rather than 0 --->
  <CFIF member IS NOT "">
    <!--- lock the session scope itself; NAME="#SESSION.SECUREDGROUP#" would fail while that variable is still undefined --->
    <CFLOCK SCOPE="SESSION" TYPE="EXCLUSIVE" TIMEOUT="30">
      <CFSET SESSION.SECUREDGROUP = member>
    </CFLOCK>
  </CFIF>
</CFOUTPUT>



>>> [EMAIL PROTECTED] 03/14/02 04:31PM >>>
Oops - guess I should read the _entire_ message next time.

How about a policy that groups should not be members of groups?  In my experience
this is not a best practice, even if the system supports it.

Regards,

Kevin

>>> [EMAIL PROTECTED] 03/14/02 01:24PM >>>
I don't think there is a way to do it directly, but you could recursively search
down the group "hierarchy."

Kevin

>>> [EMAIL PROTECTED] 03/14/02 01:23PM >>>
Does anyone know an easy way to use CFLDAP to get all groups that a user is
a member of, regardless of how many levels deep the group may be? The way
our Active Directory is set up is that a UserA can be a member of GroupA and
GroupA can be a member of GroupB. Therefore UserA is by definition a member
of GroupB, and inherits all those security rights. But, the CFLDAP query
that I am using only returns groups that a user is a direct member of.

Example:

<cfldap action="query"
        server="#session.ldap_server#"
        username="#session.ldap_username#"
        password="#session.ldap_password#"
        name="qry"
        attributes="memberOf"
        start="#session.ldap_top#"
        scope="subtree"
        separator="|"
        filter="(sAMAccountName=UserA)">

This call would return only GroupB.

I wrote a big, ugly algorithm that recurses through all the levels and does
indeed get all the groups, but it has two faults:

1) It takes a long time to run (about 5 seconds average)
2) It doesn't account (not yet at least) for the way LDAP allows funky
nesting (i.e. GroupA is a member of GroupB, GroupB is a member of GroupC,
GroupC is a member of GroupA) and I end up with the famous
"bring-the-server-to-its-knees" infinite loop. Of course, the infinite loop
problem would never be done on purpose, but I need to account for it in the
rare case that the Active Directory admins do something crazy like that.

Any help is greatly appreciated.

Thanks,
Tony
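The recursive walk Kevin suggests, with the cycle protection Tony's second fault calls for, as an added example that is not code from anyone in this thread. It replaces the live LDAP server with a constructed in-memory directory (the DNs, the `FakeDirectory` class and the `GroupA -> GroupB -> GroupC -> GroupA` cycle are all made up here) so it runs offline; against a real server `FakeDirectory.member_of` would be one base-scope search of that DN asking for `memberOf`, which is what the posted cfldap call does for the user. It also escapes the value spliced into the user filter, since both posted queries interpolate session values into the filter string as-is.

```python
from collections import deque

# Constructed sample data (not from the thread): each DN maps to the DNs in
# its memberOf attribute. GroupA -> GroupB -> GroupC -> GroupA is the cycle
# the original post warns about; GroupD adds a second path to GroupC so the
# walk must also cope with a shared ancestor.
BASE = "OU=Groups,DC=example,DC=com"
DIRECTORY = {
    "CN=UserA,OU=Users,DC=example,DC=com": [f"CN=GroupA,{BASE}"],
    f"CN=GroupA,{BASE}": [f"CN=GroupB,{BASE}"],
    f"CN=GroupB,{BASE}": [f"CN=GroupC,{BASE}", f"CN=GroupD,{BASE}"],
    f"CN=GroupC,{BASE}": [f"CN=GroupA,{BASE}"],
    f"CN=GroupD,{BASE}": [f"CN=GroupC,{BASE}"],
}


def escape_filter_value(value: str) -> str:
    """Escape a value for use inside an LDAP search filter (RFC 4515).

    The posted queries splice session values straight into the filter; if
    such a value ever carries user input, '*', '(' or ')' change what the
    filter matches. Backslash is escaped first so later escapes are not
    double-encoded.
    """
    for raw, esc in (("\\", r"\5c"), ("*", r"\2a"), ("(", r"\28"),
                     (")", r"\29"), ("\x00", r"\00")):
        value = value.replace(raw, esc)
    return value


def user_filter(sam_account_name: str) -> str:
    """Filter that locates the starting user, as in the original cfldap call."""
    return f"(sAMAccountName={escape_filter_value(sam_account_name)})"


class FakeDirectory:
    """Stand-in (assumed, not a real client) for a base-scope LDAP read of
    one entry's memberOf attribute. Counts round-trips, the cost Tony's
    first fault is about."""

    def __init__(self, entries):
        self.entries = entries
        self.lookups = 0

    def member_of(self, dn: str) -> list:
        self.lookups += 1
        return list(self.entries.get(dn, []))


def nested_groups(start_dn: str, member_of) -> list:
    """Return every group reachable from start_dn through memberOf, sorted.

    Breadth-first walk with a visited set: each DN is queried at most once,
    so the A->B->C->A cycle terminates and the second path to GroupC does
    not re-query it. Total lookups are bounded by the number of distinct
    groups plus one, regardless of how the nesting is arranged.
    """
    seen = {start_dn}
    queue = deque([start_dn])
    groups = set()
    while queue:
        dn = queue.popleft()
        for group_dn in member_of(dn):
            if group_dn in seen:
                continue  # already queued or queried: a cycle or a shared ancestor
            seen.add(group_dn)
            groups.add(group_dn)
            queue.append(group_dn)
    return sorted(groups)


if __name__ == "__main__":
    fake = FakeDirectory(DIRECTORY)
    print(user_filter("UserA"))
    for group in nested_groups("CN=UserA,OU=Users,DC=example,DC=com", fake.member_of):
        print(group)
    print(f"{fake.lookups} directory lookups")
```

The visited set is what turns Tony's "bring-the-server-to-its-knees" case into a bounded walk of five lookups for the sample data. On Active Directory itself there are two server-side shortcuts that avoid the client-side recursion entirely, though neither is mentioned in the thread: reading the constructed attribute `tokenGroups` from the user object returns the SIDs of every group the user is transitively in, and on Windows Server 2003 SP2 and later the filter `(member:1.2.840.113556.1.4.1941:=<user DN>)` (LDAP_MATCHING_RULE_IN_CHAIN) returns all nested groups in one search.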



FAQ: http://www.thenetprofits.co.uk/coldfusion/faq
Archives: http://www.mail-archive.com/[email protected]/
Unsubscribe: http://www.houseoffusion.com/index.cfm?sidebar=lists