Ldap – How to handle nested groups in LDAP

Tags: ldap, openldap

I am a total LDAP newbie and I am just researching whether I can use it for my next project or should better stay away from it.
The project will depend heavily on the concept of nested groups and I frequently need to know in which groups a user is (also in which supergroups), which users are in which group and how many people are in a group (including subgroups).
I tried to read about nested groups in ldap but it is hard to find good literature on that topic. So far the best I found is: http://middleware.internet2.edu/dir/groups/docs/internet2-mace-dir-groups-best-practices-200210.htm which kind of recommends forward references.

Is there any other documentation describing nested groups? Right now I am not limited to an implementation, so it can be e.g. OpenLDAP specific.

I am also open to any recommendations regarding nested groups.

Thanks,
Markus

Best Answer

Sounds like you could go with groupOfNames - that object contains a collection of LDAP Distinguished Names, so it can hold users and other groups without a problem. The caveat is that unwinding the membership tree (and ensuring there are no cycles in it, or handling cycles gracefully) is the responsibility of your software.

I've never done the forward references thing myself (I prefer the "Group has these Members" approach above rather than "Member is in these Groups" - my brain has an easier time with it), but my group structures are typically discrete, non-nested memberships so there may be advantages I'm overlooking.
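As an added illustration of the "unwinding is your software's job" point above (example code, not from the answer or any LDAP library): the entries below are constructed sample data standing in for what a search for `objectClass=groupOfNames` would return, and the walk keeps a visited set so a deliberately inserted cycle cannot loop forever.

```python
# Added example (not part of the original post): resolving nested groupOfNames
# membership, with cycle handling. GROUPS is constructed sample data mapping a
# group DN to its 'member' attribute values; in practice you would fill it from
# an LDAP search and tell groups from users by objectClass, not by dict lookup.
from collections import deque

GROUPS = {
    "cn=all-staff,ou=groups,dc=example,dc=com": [
        "cn=engineering,ou=groups,dc=example,dc=com",
        "cn=sales,ou=groups,dc=example,dc=com",
        "uid=ceo,ou=people,dc=example,dc=com",
    ],
    "cn=engineering,ou=groups,dc=example,dc=com": [
        "cn=backend,ou=groups,dc=example,dc=com",
        "uid=eng-lead,ou=people,dc=example,dc=com",
    ],
    "cn=backend,ou=groups,dc=example,dc=com": [
        "uid=alice,ou=people,dc=example,dc=com",
        "uid=eng-lead,ou=people,dc=example,dc=com",    # also a direct member above
        "cn=engineering,ou=groups,dc=example,dc=com",  # deliberate cycle
    ],
    "cn=sales,ou=groups,dc=example,dc=com": [
        "uid=bob,ou=people,dc=example,dc=com",
    ],
}

def effective_members(group_dn, groups=GROUPS):
    """Set of user DNs in group_dn, descending into nested groups.
    The visited set stops the walk on cycles instead of recursing forever."""
    users, visited, queue = set(), {group_dn}, deque([group_dn])
    while queue:
        for member in groups.get(queue.popleft(), []):
            if member in groups:            # DN of another group: descend once
                if member not in visited:
                    visited.add(member)
                    queue.append(member)
            else:                           # DN of a user
                users.add(member)
    return users

def groups_of(user_dn, groups=GROUPS):
    """Every group (direct or via supergroups) that contains user_dn."""
    return {g for g in groups if user_dn in effective_members(g, groups)}

def headcount(group_dn, groups=GROUPS):
    """Distinct people in the group including subgroups, counted once each."""
    return len(effective_members(group_dn, groups))
```

`groups_of` rescans every group per user; with a large directory you would cache the per-group results or maintain a reverse index instead.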
