[Date Prev][Date Next] [Chronological] [Thread] [Top]

Re: return an attribute of all users belonging to a group

To: Stefan Seelmann <mail@stefan-seelmann.de>
Subject: Re: return an attribute of all users belonging to a group
From: George Mamalakis <mamalos@eng.auth.gr>
Date: Sun, 17 Apr 2011 20:24:36 +0300
Cc: openldap-technical <openldap-technical@openldap.org>
In-reply-to: <BANLkTi=ndr+8XgFmZrgOdGBcYDc=ugPVkA@mail.gmail.com>
References: <4DAABBF6.2090006@eng.auth.gr> <BANLkTi=ndr+8XgFmZrgOdGBcYDc=ugPVkA@mail.gmail.com>
User-agent: Mozilla/5.0 (X11; U; FreeBSD amd64; en-US; rv:1.9.2.13) Gecko/20110109 Lightning/1.0b2 Thunderbird/3.1.7

On 17/04/2011 14:03, Stefan Seelmann wrote:

Hi George,

On Sun, Apr 17, 2011 at 12:07 PM, George Mamalakis<mamalos@eng.auth.gr>  wrote:

Dear all,

I have a question regarding my openldap DIT design. My design so far is
based on the model: ou=people,dc=example,dc=com. It is very possible that
I'll have to be able to find attributes of people belonging to some specific
group (eg, student, postgrad, etc). The easiest way to address this issue
for me would be to branch my DIT like this:

ou=undergrads,ou=people,dc=example,dc=com and
ou=postgrads,ou=people,dc=example,dc=com. On the other hand, I have several
classes that I would like to distinguish my users to apart from this (like
stuff, student, professors, etc.) but further sub-brunching shows to me that
there's something wrong with my design (since those classes may dynamically
change in the future).

As a second solution I thought that it would be very easy to make my users
in ou=people,dc=example,dc=com belong to some group located in
ou=groups,dc=example,dc=com. This way I feel much more flexible in making
such classifications, but my problem is how to formulate ldapsearch filters
so as to return an attribute of some user only if the specific user belongs
to one or more of my groups (for example to find all email accounts from my
people that belong to the undergrads group).

A third approach is to to store the group as attribute in the user
entries. The eduPerson schema [1] should fit your needs. Add the
eduPerson object class to your user entries and use the
eduPersonAffiliation multi-valued attribute to add the groups.

Kind Regards,
Stefan

[1] http://middleware.internet2.edu/eduperson/

Stefan,

thank you very much for your advise. I had already included theeduperson schema in my configuration, but I had never seen thisattribute in use. I will definitely take advantage of it, now that youtold me its use.


Thanks again for your help,

regards,

George.

--
George Mamalakis

IT Officer
Electrical and Computer Engineer (Aristotle Un. of Thessaloniki),
MSc (Imperial College of London)

Department of Electrical and Computer Engineering
Faculty of Engineering
Aristotle University of Thessaloniki

phone number : +30 (2310) 994379

References:
- return an attribute of all users belonging to a group
  - From: George Mamalakis <mamalos@eng.auth.gr>

Prev by Date: return an attribute of all users belonging to a group
Next by Date: Re: return an attribute of all users belonging to a group
Index(es):
- Chronological
- Thread