
Re: Check for existence of a group



Alex Chen wrote:
> I want to make sure if a group already exists in the directory before a
> member is allowed to be added.

What does "already exist" exactly mean in your application's context?
If a certain entry does exist referenced by a DN? If a certain group
name exists (whatever the group name attribute is in your context)?

> I guess the API to use would be ldap_search_s (I want to use synchronous
> search).

Yes.

> What kind of filter syntax should I use?

The filter depends on the object class for the group which also depends
on the group usage.

With OpenLDAP's slapd the most commonly used object class is
'groupOfNames'. Some use 'organizationalRole'. Other LDAP servers use
different group schema.

To make it clear how many different group object classes are used in the
wild, here's the excerpt of my web2ldap's group admin mappings which maps
the object class name to the member attribute and the accompanying
attribute in the member entry:

    # The definitions for group entry administration:
    # object class name -> (member attribute of the group entry,
    #                       attribute of the member entry it refers to;
    #                       None means the member attribute holds a DN)
    groupadm_defs={
      'groupOfNames':       ('member',None),
      'groupOfUniqueNames': ('uniqueMember',None),
      'organizationalRole': ('roleOccupant',None),
      'rfc822MailGroup':    ('mail','mail'),
      'nisMailAlias':       ('rfc822MailMember','mail'),
      'mailGroup':          ('mgrprfc822mailmember','mail'),
      # Found on IBM SecureWay Directory
      'accessGroup':        ('member',None),
      # RFC 2307
      'posixGroup':         ('memberUid','uid'),
      'nisNetgroup':        ('memberNisNetgroup','uid'),
      # Samba 3.0
      'sambaGroupMapping':  ('sambaSIDList','sambaSID'),
      # Active Directory
      'group':              ('member',None),
      # draft-findlay-ldap-groupofentries
      'groupOfEntries':     ('member',None),
    }

Ciao, Michael.
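As an added example (not part of Michael's post or of web2ldap), here is how the existence check described above can be put together in Python: the object class decides the filter and the member attribute, and the group name is escaped per RFC 4515 before it goes into the filter, so a name containing `)` or `*` cannot change what the search matches. The `fake_search_s` function, the sample directory and the `find_group` helper are assumptions made for this example; in real code `fake_search_s` would be replaced by a synchronous search such as `ldap_search_s`, whose results have the same `(dn, attrs)` shape.

```python
"""Check that a group entry exists before adding a member to it.

Added example, not from the original post.  GROUPADM_DEFS is a subset of the
web2ldap mapping quoted above; everything else (escaping helper, constructed
sample directory, fake search function) is an assumption for this example.
"""
import re
from typing import Callable, Dict, List, Optional, Tuple

# object class -> (member attribute, attribute of the member entry it names;
#                  None means the member attribute holds a DN)
GROUPADM_DEFS: Dict[str, Tuple[str, Optional[str]]] = {
    'groupOfNames':       ('member', None),
    'groupOfUniqueNames': ('uniqueMember', None),
    'organizationalRole': ('roleOccupant', None),
    'posixGroup':         ('memberUid', 'uid'),
    'group':              ('member', None),   # Active Directory
}


def escape_filter_value(value: str) -> str:
    """Escape a value for an LDAP search filter (RFC 4515, section 3).

    Without this, a group name like 'admins)(cn=*' would be parsed as filter
    syntax and the search could match entries the caller never intended.
    """
    return ''.join('\\%02x' % ord(ch) if ch in '\\*()\x00' else ch
                   for ch in value)


def unescape_filter_value(value: str) -> str:
    """Inverse of escape_filter_value(); used only by the fake search below."""
    return re.sub(r'\\([0-9a-fA-F]{2})',
                  lambda m: chr(int(m.group(1), 16)), value)


def group_filter(object_class: str, group_name: str, name_attr: str = 'cn') -> str:
    """Filter for 'entry of this object class whose name attribute is group_name'."""
    return '(&(objectClass=%s)(%s=%s))' % (
        escape_filter_value(object_class), name_attr, escape_filter_value(group_name))


# Constructed sample directory: DN -> attributes (attribute names lower-cased).
FAKE_DIRECTORY: Dict[str, Dict[str, List[str]]] = {
    'cn=admins,ou=groups,dc=example,dc=com': {
        'objectclass': ['top', 'groupOfNames'],
        'cn': ['admins'],
        'member': ['uid=alice,ou=people,dc=example,dc=com'],
    },
    'cn=wheel,ou=groups,dc=example,dc=com': {
        'objectclass': ['top', 'posixGroup'],
        'cn': ['wheel'],
        'gidnumber': ['10'],
        'memberuid': ['alice'],
    },
}

# Only the filter shape produced by group_filter() is understood here.
_AND_EQ = re.compile(r'^\(&\(objectClass=([^()]*)\)\(([A-Za-z0-9-]+)=([^()]*)\)\)$')

SearchFn = Callable[[str, str, Optional[List[str]]], List[Tuple[str, dict]]]


def fake_search_s(base: str, filterstr: str,
                  attrlist: Optional[List[str]] = None) -> List[Tuple[str, dict]]:
    """Stand-in for a synchronous LDAP search, evaluated against FAKE_DIRECTORY."""
    m = _AND_EQ.match(filterstr)
    if m is None:
        raise ValueError('unsupported filter: %r' % filterstr)
    oc, attr, val = (unescape_filter_value(g) for g in m.groups())
    hits = []
    for dn, attrs in FAKE_DIRECTORY.items():
        if not dn.lower().endswith(base.lower()):
            continue
        classes = [v.lower() for v in attrs['objectclass']]
        values = [v.lower() for v in attrs.get(attr.lower(), [])]
        if oc.lower() in classes and val.lower() in values:
            hits.append((dn, attrs))
    return hits


def find_group(search_s: SearchFn, base: str, object_class: str,
               group_name: str) -> Optional[Tuple[str, str]]:
    """Return (group DN, member attribute) if exactly one group entry matches,
    None if none does.  More than one match is an error: a member must never be
    added to a guessed entry."""
    hits = search_s(base, group_filter(object_class, group_name), ['objectClass'])
    if not hits:
        return None
    if len(hits) > 1:
        raise LookupError('%d entries match group %r' % (len(hits), group_name))
    dn, _attrs = hits[0]
    return dn, GROUPADM_DEFS[object_class][0]


if __name__ == '__main__':
    print(find_group(fake_search_s, 'dc=example,dc=com', 'groupOfNames', 'admins'))
    print(find_group(fake_search_s, 'dc=example,dc=com', 'posixGroup', 'wheel'))
    print(find_group(fake_search_s, 'dc=example,dc=com', 'groupOfNames', 'admins)(cn=*'))
```

The result of `find_group` gives the caller both the DN to modify and the attribute to add the member to, so the same code path works for a `groupOfNames` (DN-valued `member`) and a `posixGroup` (`uid`-valued `memberUid`); what is actually stored as the member value still has to follow the second element of the mapping.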