[email protected] wrote:
> What's the best way to design my LDAP for use by multiple apps?
>
> I need to be able to tell if a user is a member of different apps to allow
> access. I started by adding custom attributes for each app, boolean and such,
> and that works fine but somehow just doesn't feel right.

There's nothing wrong with that. It also depends on what your applications support.

> Now I'm experimenting with Groups. I have a few Groups set up of objectClass
> groupOfNames and I've added "member"s to them...

Depending on how your applications use group entries with a multi-valued membership attribute, this does not scale well for many users (100000+). How many users do you expect at maximum in one group?

> the problem is I can't seem to
> find an ldapsearch that returns a list of users for a particular group. What
> am I missing here? This query was the closest I came as it returns the list of
> member attributes:
>
> /usr/bin/ldapsearch -h 127.0.0.1 -x -b "dc=mydomain,dc=com"
> "(&(objectclass=groupOfNames)(cn=GroupA))"
>
> Perhaps I am misunderstanding that ldap can do what I'm asking...(???)

If you want to use groupOfNames and also query the list of group members, then probably slapo-memberof is what you're looking for:

http://www.openldap.org/doc/admin24/overlays.html#Reverse%20Group%20Membership%20Maintenance

Ciao, Michael.

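Added example (not part of the thread, and not OpenLDAP's code): the forward lookup the poster's search already gives (a group's `member` values) beside the reverse index that slapo-memberof maintains in each user's `memberOf` attribute, run over a constructed LDIF snippet of the kind `ldapsearch -LLL` prints. The DNs, group names and the `ou=groups`/`ou=people` layout are assumptions.

```python
import base64
import re
from collections import defaultdict

# Constructed sample of what `ldapsearch -x -LLL -b "ou=groups,dc=mydomain,dc=com"
# "(objectClass=groupOfNames)" member` prints: one value folded onto a
# continuation line (leading space), one base64-encoded ("::"), as LDIF allows.
SAMPLE_LDIF = (
    "dn: cn=GroupA,ou=groups,dc=mydomain,dc=com\n"
    "member: uid=alice,ou=people,dc=mydomain,dc=com\n"
    "member: uid=bob,ou=people,\n"
    " dc=mydomain,dc=com\n"
    "\n"
    "dn: cn=GroupB,ou=groups,dc=mydomain,dc=com\n"
    "member:: " + base64.b64encode(b"uid=alice,ou=people,dc=mydomain,dc=com").decode() + "\n"
)

def parse_ldif(text):
    """Return [(dn, {attr: [values]})] parsed from -LLL LDIF search output."""
    entries = []
    for block in re.split(r"\n\s*\n", text.strip()):
        attrs = defaultdict(list)
        for line in filter(None, re.sub(r"\n ", "", block).splitlines()):  # unfold
            name, _, value = line.partition(": ")
            if name.endswith(":"):  # "attr:: <base64>" form
                name, value = name[:-1], base64.b64decode(value).decode("utf-8")
            attrs[name].append(value.strip())
        entries.append((attrs["dn"][0], attrs))
    return entries

def members_of(entries, group_dn):
    """Forward lookup: the group's multi-valued 'member' attribute."""
    for dn, attrs in entries:
        if dn.lower() == group_dn.lower():
            return set(attrs.get("member", []))
    return set()

def reverse_membership(entries):
    """user DN -> set of group DNs. slapo-memberof keeps this index server-side in
    each user's memberOf attribute, so an app can filter on
    (memberOf=cn=GroupA,ou=groups,dc=mydomain,dc=com) instead of pulling every group."""
    index = defaultdict(set)  # lower-casing approximates LDAP's DN matching rule
    for dn, attrs in entries:
        for member in attrs.get("member", []):
            index[member.lower()].add(dn)
    return index

def has_app_access(entries, user_dn, app_group_dn):  # the per-app authorization check
    groups = {g.lower() for g in reverse_membership(entries)[user_dn.lower()]}
    return app_group_dn.lower() in groups
```

The overlay only populates memberOf for entries modified after it is enabled, so existing groups have to be re-added or re-written before the reverse filter returns anything.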