
Re: Finding all user groups without knowing how groups are defined



Fu, Jing posed:

> Is there a way for a generic software to enumerate all the user groups in a
> directory, without knowing how the groups are defined and how the directory
> is structured?  I read from somewhere that there are at least 4 different
> schemes of defining user groups (or whatever groups):
>
>         1. Let each ou double as a group.
>         2. Represent each group as a groupOfNames or groupOfUniqueNames
>            object, and the group object has a list of attributes that
>            indicates the group members.
>         3. Put a memberOfGroup attribute in each member of the group.
>         4. Define groups based on dynamic search rules.
>
> And these schemes may be combined or used in parallel.  Of course some
> schemes may turn out to be better than the others, but I'd assume each has a
> large number of followers.  Since I will have no influence over and no
> knowledge of how my customers would configure their directories, I want to
> make my program as general and adaptive as possible in terms of user groups.
> But it seems to be quite a mess, and I'm still not sure where I should
> start.  Any suggestions?
>
> Another question is, how can I tell, efficiently, if a group is for users or
> for something else like printers or other resources?

This sounds like it would be best handled using objectclasses.  You could
create an object class called 'usergroup' and then associate your user groups
with this class.  A search would be as simple as filtering on the objectclass:

ldapsearch -b dc=my,dc=domain objectclass=usergroup

d!
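
Added example, not part of the original messages: a sketch of how a generic client could label entries by the four schemes in the question and by the 'usergroup' marker class suggested in the reply. The LDIF is constructed sample data; treating groupOfURLs as the class for scheme 4 is an assumption, and the function names are hypothetical.

```python
# Constructed sample entries (LDIF); not from a real directory.
SAMPLE_LDIF = """\
dn: ou=Engineering,dc=my,dc=domain
objectClass: organizationalUnit

dn: cn=admins,ou=Groups,dc=my,dc=domain
objectClass: groupOfNames
objectClass: usergroup
member: uid=alice,ou=Engineering,dc=my,dc=domain

dn: cn=printers,ou=Groups,dc=my,dc=domain
objectClass: groupOfUniqueNames
uniqueMember: cn=lp1,ou=Devices,dc=my,dc=domain

dn: cn=contractors,ou=Groups,dc=my,dc=domain
objectClass: groupOfURLs
memberURL: ldap:///dc=my,dc=domain??sub?(employeeType=contractor)

dn: uid=alice,ou=Engineering,dc=my,dc=domain
objectClass: inetOrgPerson
memberOfGroup: cn=staff,ou=Groups,dc=my,dc=domain
"""

def parse_ldif(text):
    """Parse simple LDIF (no base64 values, no folded lines) into dicts."""
    entries = []
    for block in text.strip().split("\n\n"):
        entry = {}
        for line in block.splitlines():
            attr, _, value = line.partition(": ")
            entry.setdefault(attr.lower(), []).append(value)
        entries.append(entry)
    return entries

# objectClass -> scheme number from the question. groupOfURLs for scheme 4 is an
# assumption; "usergroup" is the hypothetical marker class from the reply.
CLASS_LABEL = {"organizationalunit": 1, "groupofnames": 2, "groupofuniquenames": 2,
               "groupofurls": 4, "usergroup": "user"}

def find_groups(entries):
    """Map group DN -> set of labels (scheme numbers 1-4, plus 'user')."""
    groups = {}
    for e in entries:
        for c in e.get("objectclass", []):
            if c.lower() in CLASS_LABEL:
                groups.setdefault(e["dn"][0], set()).add(CLASS_LABEL[c.lower()])
        for g in e.get("memberofgroup", []):  # scheme 3: group named on the member
            groups.setdefault(g, set()).add(3)
    return groups
```

In the sample, cn=printers is found as a scheme-2 group but carries no 'user' label, which is the distinction the marker class provides.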