
Re: creating user groups with OpenLDAP the Active Directory way



Pieter wrote:

Hello,

I have been looking in the archives for a solution to this but didn't
find anything up to now.

My setup:
Debian Linux with slapd 2.1.30-3
phpBB 2.0.13 (a web forum) with ldap Auth mod 1.1.8
Typo3 (a content management system) with LDAP plugins

I'd like to authenticate users for both phpBB and Typo3 from a central
OpenLDAP based database.  The LDAP add-ons for phpBB and Typo3 were
primarily written by users with Active Directory knowledge.

Active Directory seems to handle users in groups like this: a record of
a person contains an objectclass (memberof) that can hold several group
records.

In contrast with this, my OpenLDAP database only allows a separate group
record (with the objectclass "groupOfNames") in the database that holds
a list of persons that belong to the group.

This is the other way around and each method will have its own
advantages and disadvantages. Problem is that both phpBB and Typo3 are
written for the Active Directory way of doing things.
Is it possible to get OpenLDAP to work that way?



memberOf is AD-specific; it's an operational attribute that is internally maintained by creating a back-reference any time a member is added to a groupOfNames-style group. You can implement something like that by extending the schema of your data and adding a memberOf-like attribute that implements that functionality. You could even automate this by writing an overlay that intercepts member-handling within groupOfNames objects. You may want to have a look at the "refint" overlay, which takes care of referential integrity and shows some analogies with what you need.


p.


SysNet - via Dossi,8 27100 Pavia Tel: +390382573859 Fax: +390382476497
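The back-reference maintenance the reply describes, done as a batch script rather than as an overlay (an added example, not code from the thread or from OpenLDAP; the attribute name memberOf, its presence in the schema, and the example.com entries are assumptions):

```python
# Added example, not code from the thread: derive the AD-style memberOf back-reference
# from groupOfNames entries and emit LDIF populating a hypothetical memberOf attribute.
from collections import defaultdict

# Constructed sample group data; no base64 (::) values or continuation lines.
SAMPLE_LDIF = """\
dn: cn=phpbb-admins,ou=groups,dc=example,dc=com
objectClass: groupOfNames
member: uid=alice,ou=people,dc=example,dc=com

dn: cn=typo3-editors,ou=groups,dc=example,dc=com
objectClass: groupOfNames
member: uid=alice,ou=people,dc=example,dc=com
member: uid=bob,ou=people,dc=example,dc=com
"""

def parse_ldif(text):
    """Minimal LDIF reader: {dn: {attr_lowercase: [values]}}."""
    entries, current = {}, None
    for line in text.splitlines():
        if not line.strip():          # a blank line ends the current entry
            current = None
            continue
        attr, _, value = line.partition(":")
        attr, value = attr.strip().lower(), value.strip()
        if attr == "dn":
            current = entries.setdefault(value, defaultdict(list))
        elif current is not None:
            current[attr].append(value)
    return entries

def back_references(entries):
    """Map each member DN to the sorted DNs of the groupOfNames entries listing it."""
    refs = defaultdict(set)
    for dn, attrs in entries.items():
        if "groupofnames" in (oc.lower() for oc in attrs.get("objectclass", [])):
            for member in attrs.get("member", []):
                refs[member].add(dn)
    return {m: sorted(g) for m, g in refs.items()}

def memberof_ldif(refs, attr="memberOf"):
    """LDIF 'replace' modifications so each user's attr mirrors its current group list."""
    out = []
    for user, groups in sorted(refs.items()):
        out.append("\n".join([f"dn: {user}", "changetype: modify", f"replace: {attr}"]
                             + [f"{attr}: {g}" for g in groups]) + "\n-\n")
    return "\n".join(out)
```

Because the script only reads group entries, a user removed from every group receives no modification and keeps stale values; that is exactly the case an overlay hooked into member handling (or refint-style integrity maintenance) covers and a periodic batch job does not.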