Grouper Training Developers and Architects LDAP
Grouper Training Developers and Architects LDAP - PowerPoint PPT Presentation

Grouper Training - Developers and Architects - LDAP

Shilen Patel

Duke University

This work licensed under a Creative Commons Attribution-NonCommercial 3.0 Unported License.

Contents

Introduction

Advantages and disadvantages

Flat vs bushy structure

Group and Member objects – Active Directory

Group and Member objects – OpenLDAP

Other group attributes

Flattened memberships vs direct memberships only

Tips on performing queries

Introduction (continued)
  • Example LDAP structure.
    • dc=example,dc=edu
      • ou=people
        • uid=bob
          • uid: bob
          • givenName: Bob
          • sn: Smith
          • displayName: Bob Smith
          • memberOf: cn=staff,ou=employees,ou=groups,dc=example,dc=edu
        • uid=john
      • ou=groups
        • ou=employees
          • cn=staff
            • cn: staff
            • description: All staff at the institution
            • member: uid=bob,ou=people,dc=example,dc=edu
            • member: uid=john,ou=people,dc=example,dc=edu
          • cn=faculty
Advantages and disadvantages
  • Advantages
    • Integration with third party applications.
    • Performance
    • High availability
  • Disadvantages
    • Read only
    • Handling privileges
Flat vs bushy structure
  • Flat
    • cn is typically the full group name (ID Path)
  • Bushy
    • Each ou represents a Grouper folder. The value is the stem extension (Folder ID)
    • cn is typically the group extension (ID)

Group and Member objects – Active Directory
  • Group objects
    • Group object class is “group”.
    • sAMAccountName attribute – May be generated directly by AD or as part of the group provisioning.
    • member attribute – LDAP entry DNs of subjects that are members of the group.
Group and Member objects – Active Directory (continued)
  • Member objects
    • memberOf attribute – LDAP entry DNs of groups that this subject is a member of. This is a computed attribute.
Group and Member objects – OpenLDAP
  • Group objects
    • Group object class is “groupOfNames” by default. May also use eduMember.
    • hasMember attribute – names of subjects that are members of the group.
    • isMemberOf attribute – names of groups that this group is a member of.
    • member attribute – LDAP entry DNs of subjects that are members of the group.
    • memberOf attribute – LDAP entry DNs of groups that this group is a member of.
Group and Member objects – OpenLDAP (continued)
  • Member objects
    • isMemberOf – names of groups that this subject is a member of.
    • memberOf – LDAP entry DNs of groups that this subject is a member of.
Other Group Attributes

Any group attribute in Grouper can be provisioned to an attribute in LDAP.

For instance, a group’s description may be kept in the description attribute in LDAP.

Flattened memberships vs direct memberships only
  • Depending on how LDAP is provisioned, a group’s member attribute may be based on a flattened list (direct and indirect) or only contain direct members.
  • If only direct memberships are provisioned and a group has another group as a member, then the first group will still have the second group’s DN in its member list. But applications have to take that into account when performing queries.
    • Note that if you need to get all (direct and indirect) groups for a person, some directories (such as AD and Oracle DSEE) can automatically get indirect memberships to avoid multiple calls to the LDAP server.
Tips on Performing Queries
  • Set the search base correctly.
  • Set the scope correctly.
    • Base
    • One
    • Subtree
  • Be aware of client and server limits (e.g. size limit and time limit).
Tips on Performing Queries (continued)
  • If you want to see if a person is in a group (and flattened memberships are provisioned), you can:
    • Get all of the group’s members by retrieving the member attribute of the group object. (Likely bad for performance.)
    • Get all of the person’s groups by retrieving the memberOf attribute of the member object. (Could be bad for performance.)
    • Perform a (member=DN) query with a search base of the group’s DN without retrieving the member attribute.
    • Use the LDAP compare operation to see if the group object contains an attribute/value pair. The attribute would be “member” and the value would be the DN of the member object.
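Added example (not part of the slides or of Grouper itself): a stdlib-only model of the example tree from the "Introduction (continued)" slide that illustrates both the "flattened vs direct memberships" slide and the query tips above. It assumes direct-only provisioning and a constructed nested group (cn=faculty inside cn=staff), and shows how search scope limits a query, how the (member=DN) check against a group DN works, and why the application must expand nested groups itself when memberships are not flattened.

```python
from typing import Dict, List, Optional, Set
# Constructed directory (DN -> attributes) for the slide's example tree. Only DIRECT
# memberships are provisioned; cn=staff nests cn=faculty (assumed for this example).
PEOPLE = "ou=people,dc=example,dc=edu"
GROUPS = "ou=employees,ou=groups,dc=example,dc=edu"
DIRECTORY: Dict[str, Dict[str, List[str]]] = {
    f"uid=bob,{PEOPLE}": {"objectClass": ["person"], "uid": ["bob"]},
    f"uid=john,{PEOPLE}": {"objectClass": ["person"], "uid": ["john"]},
    f"uid=ann,{PEOPLE}": {"objectClass": ["person"], "uid": ["ann"]},
    f"cn=faculty,{GROUPS}": {"objectClass": ["groupOfNames"], "member": [f"uid=ann,{PEOPLE}"]},
    f"cn=staff,{GROUPS}": {"objectClass": ["groupOfNames"], "member": [
        f"uid=bob,{PEOPLE}", f"uid=john,{PEOPLE}", f"cn=faculty,{GROUPS}"]},  # nested group
}

def rdns(dn: str) -> List[str]:
    """Split a DN into RDNs (no escaping handled; enough for this constructed data)."""
    return [p.strip().lower() for p in dn.split(",")]

def in_scope(entry_dn: str, base: str, scope: str) -> bool:
    """Search scope: base = the base entry, one = its direct children, sub = whole subtree."""
    e, b = rdns(entry_dn), rdns(base)
    if e[-len(b):] != b:
        return False
    depth = len(e) - len(b)
    return {"base": depth == 0, "one": depth == 1, "sub": True}[scope]

def search(base: str, scope: str, attr: str, value: str) -> List[str]:
    """An (attr=value) filter under base/scope; returns matching DNs, no attributes."""
    return sorted(dn for dn, attrs in DIRECTORY.items() if in_scope(dn, base, scope)
                  and value.lower() in [v.lower() for v in attrs.get(attr, [])])

def is_direct_member(group_dn: str, person_dn: str) -> bool:
    """Cheap check from the slide: (member=DN) with base = group DN, scope base. The member
    attribute is never transferred; an indirect (nested) member is NOT found this way."""
    return bool(search(group_dn, "base", "member", person_dn))

def effective_members(group_dn: str, seen: Optional[Set[str]] = None) -> Set[str]:
    """With direct-only provisioning the application expands nested groups itself;
    'seen' stops infinite recursion if groups form a cycle."""
    seen = set() if seen is None else seen
    members: Set[str] = set()
    for m in DIRECTORY.get(group_dn, {}).get("member", []):
        if "groupOfNames" in DIRECTORY.get(m, {}).get("objectClass", []):
            if m not in seen:
                seen.add(m)
                members |= effective_members(m, seen)
        else:
            members.add(m)
    return members
```

With flattened provisioning the cheap `is_direct_member` check alone would be enough; with direct-only provisioning, `effective_members` is what an application has to do (or ask the server for, where the directory supports it).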
Quiz

Click on the quiz link in the video description to reinforce your knowledge of this topic.

Thanks!
  • Further information:
  • Infosheets, mailing lists, wiki, downloads, etc.: www.internet2.edu/grouper
  • Grouper demo server: grouperdemo.internet2.edu/
  • Grouper Online Training Home: spaces.internet2.edu/x/IIGfAQ

This work licensed under a Creative Commons Attribution-NonCommercial 3.0 Unported License.
