Re: Does OpenLDAP 2.4 support nested group

--On Thursday, July 26, 2012 06:43:13 PM +0800 Qian Zhang <zhq527725@gmail.com> wrote:

> I'd like to know in OpenLDAP 2.4, if I create a group (objectClass is
> posixGroup), is it possible that I create another group as the member
> of this group?
> Or I have to do this with group which has groupOfNames as its objectClass?

It really is not a question of whether or not it is possible to create
nested structures in LDAP.  It definitely is possible to create entries
that contain pointers to other entries.  The question is will the
applications that access those entries traverse the linked entries.
In the case of posixGroups, the software that I am familiar with is
written with the assumption that all of the members of a group are
present in the memberUID values in the entry.

One thing to keep in mind if you do create a nested structure for your
application is that it will be expensive to determine if an individual is
a member of a group.  To determine if an individual is a member of a
group can require that the group be at least partially exploded using
multiple searches, and to make sure that an individual is not a member
of a group will require that the group be completely exploded.

Bill MacAllister
Infrastructure Delivery Group, Stanford University
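The cost Bill describes above, shown as an added example that is not code from this thread or from OpenLDAP. It models groupOfNames entries (the objectClass the question mentions as the alternative to posixGroup) whose DN-valued member attribute may point at other groups, and it walks them the way a client that does not trust a flat member list would have to. The directory, the DNs, and the function names `explode` and `is_member` are assumptions made for the example; in a real client each `directory.get` would be one base-scope search (for instance with python-ldap), which is why every entry read is counted. A positive answer can stop as soon as the user is seen, so it may need only a partial explosion; a trustworthy negative answer has to read every reachable nested group. The sample data also contains a deliberate cycle, which nothing in LDAP prevents and which a naive recursive resolver would loop on.

```python
"""Transitive membership over nested groupOfNames entries.

Added example, not code from the OpenLDAP mailing-list post.  The
directory below is a constructed, in-memory stand-in for real LDAP
entries; every entry read counts as one search so the cost of
"exploding" a nested group is visible.
"""

from collections import deque

# Constructed sample directory: DN -> attributes.  groupOfNames entries
# carry a multi-valued "member" attribute of DNs, some of which are
# themselves groups (the nested case discussed in the thread).
DIRECTORY = {
    "cn=all-staff,ou=groups,dc=example,dc=com": {
        "objectClass": ["groupOfNames"],
        "member": [
            "cn=engineering,ou=groups,dc=example,dc=com",
            "cn=finance,ou=groups,dc=example,dc=com",
            "uid=alice,ou=people,dc=example,dc=com",
        ],
    },
    "cn=engineering,ou=groups,dc=example,dc=com": {
        "objectClass": ["groupOfNames"],
        "member": [
            "cn=platform,ou=groups,dc=example,dc=com",
            "uid=bob,ou=people,dc=example,dc=com",
        ],
    },
    "cn=platform,ou=groups,dc=example,dc=com": {
        "objectClass": ["groupOfNames"],
        # Deliberate cycle back to the top-level group; nothing in LDAP
        # stops an administrator from creating one.
        "member": [
            "uid=carol,ou=people,dc=example,dc=com",
            "cn=all-staff,ou=groups,dc=example,dc=com",
        ],
    },
    "cn=finance,ou=groups,dc=example,dc=com": {
        "objectClass": ["groupOfNames"],
        "member": ["uid=dave,ou=people,dc=example,dc=com"],
    },
    "uid=alice,ou=people,dc=example,dc=com": {"objectClass": ["inetOrgPerson"]},
    "uid=bob,ou=people,dc=example,dc=com": {"objectClass": ["inetOrgPerson"]},
    "uid=carol,ou=people,dc=example,dc=com": {"objectClass": ["inetOrgPerson"]},
    "uid=dave,ou=people,dc=example,dc=com": {"objectClass": ["inetOrgPerson"]},
}


def explode(group_dn, directory=DIRECTORY, stop_at=None):
    """Breadth-first walk of `group_dn` and every group reachable from it.

    Each entry read (one base-scope search against a real server) is
    counted.  With `stop_at` set, the walk ends as soon as that DN shows
    up as a member, so a positive answer may need only a partial
    explosion.  Without it, every reachable entry is read exactly once;
    that full explosion is what a reliable negative answer costs.
    Returns (found, flat_user_dns, searches).
    """
    seen = set()      # entries already read; doubles as the cycle guard
    users = set()     # non-group members discovered so far
    searches = 0
    queue = deque([group_dn])
    while queue:
        dn = queue.popleft()
        if dn in seen:
            continue
        seen.add(dn)
        searches += 1
        entry = directory.get(dn, {})
        if "member" not in entry:
            # Had to read it to learn it is not a group: a leaf.  A DN
            # that does not resolve at all (dangling member) is skipped.
            if entry and dn != group_dn:
                users.add(dn)
            continue
        for member in entry["member"]:
            if member == stop_at:
                return True, users, searches
            if member not in seen:
                queue.append(member)
    return False, users, searches


def is_member(user_dn, group_dn, directory=DIRECTORY):
    """Return (decision, number_of_searches) for one nested-group check."""
    found, _, searches = explode(group_dn, directory, stop_at=user_dn)
    return found, searches


if __name__ == "__main__":
    top = "cn=all-staff,ou=groups,dc=example,dc=com"
    for uid in ("alice", "carol", "eve"):
        print(uid, is_member(f"uid={uid},ou=people,dc=example,dc=com", top))
    print(sorted(explode(top)[1]))
```

With this data, alice is confirmed after a single read of cn=all-staff, carol only after five, and ruling out a user who is nowhere in the tree costs a read of all eight entries; the cycle through cn=platform is traversed once and never re-read.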