[Serusers] SER and LDAP

Arek Bekiersz sip at perceval.net
Thu Nov 10 16:47:37 CET 2005


Jan,


As I said to Greger, there are many, many changes that will have to be 
made to the module. But as they will be going on in parallel to my current 
work, I hope I can correct them quickly. If I find time to actually DO 
my current work.

Imagine group handling: I made a wrong design requirement, I put 
group membership inside every LDAP object. That is, if somebody is a 
member of some group, he has a special attribute (let's say 'memberOf') 
set to the name of this group.

This is wrong, as the proper approach is to have a groupOfNames (or 
groupOfUniqueNames) object and just put the DNs of the members into it. That 
is, for example, how LDAP groups are used in RADIUS when working with an 
LDAP backend...


... but according to Greger V. Teigre there is an issue with groupOfNames 
(thanks Greger). Some LDAP servers do not have built-in functions for 
efficiently checking group membership (i.e. OpenLDAP). We will have to 
make sure that the future implementation of the group check algorithm 
works across LDAP servers.

What is more, from my experience I know we could have schema violations 
in some users when using an empty 'groupOfNames' (without any 'member' 
attribute value, like if the group has no members :-) ). This attribute is 
mandatory according to various schemas. However, it is perfectly possible 
to enter an empty value in the 'member' attribute.


So, as you see, plenty of work is to be done.


--
Arek


Jan Janak wrote:
> Great, I am looking forward to it and hopefully we can get it to the main
> tree soon.
> 
>   Jan.




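The two group models Arek describes, and the membership lookup that the groupOfNames model needs, as an added Python illustration; it is not code from the SER ldap module or from anyone in the thread. A constructed in-memory directory stands in for a real LDAP server, so the base DNs, entry names and attribute values are assumptions made for the example. Beyond the two lookups it shows what a practitioner would want checked before such a search is sent: RFC 4515 escaping of the DN interpolated into the filter (a value that reaches the filter unescaped turns `(member=*)` into a match for every group), and the empty 'member' placeholder the message warns about, which an empty DN would otherwise match.

```python
"""Two group models from the thread above and a safe membership lookup.

Added illustration, not the SER ldap module's own code. DIRECTORY is a
constructed in-memory stand-in for an LDAP server; every DN and attribute
value in it is an assumption made for the example.
"""
import re
from typing import Dict, List

Entry = Dict[str, List[str]]
Directory = Dict[str, Entry]            # DN -> attribute name -> values

USERS = "ou=users,dc=example,dc=com"    # assumed base DNs
GROUPS = "ou=groups,dc=example,dc=com"

DIRECTORY: Directory = {                # constructed sample entries
    f"uid=alice,{USERS}": {
        "objectClass": ["inetOrgPerson"], "uid": ["alice"],
        "memberOf": [f"cn=ld,{GROUPS}"],            # design (a): flag on the user
    },
    f"uid=bob,{USERS}": {"objectClass": ["inetOrgPerson"], "uid": ["bob"]},
    f"cn=ld,{GROUPS}": {
        "objectClass": ["groupOfNames"], "cn": ["ld"],
        "member": [f"uid=alice,{USERS}"],           # design (b): member DNs in the group
    },
    f"cn=empty,{GROUPS}": {
        "objectClass": ["groupOfNames"], "cn": ["empty"],
        # 'member' is a MUST attribute of groupOfNames, so a group with no
        # members survives only with a placeholder. "" is a syntactically
        # valid DN (the root DSE), which is why a server accepts it.
        "member": [""],
    },
}


def escape_filter_value(value: str) -> str:
    """RFC 4515 escaping for a value placed inside a search filter."""
    return "".join("\\%02x" % ord(c) if c in "\\*()\0" else c for c in value)


def naive_member_filter(user_dn: str) -> str:
    """Injectable: the caller-supplied string is pasted into the filter verbatim."""
    return f"(&(objectClass=groupOfNames)(member={user_dn}))"


def member_filter(user_dn: str) -> str:
    """The filter a group check should send: one escaped, literal DN."""
    return naive_member_filter(escape_filter_value(user_dn))


def _unescape(piece: str) -> str:
    """Decode the \\XX hex escapes of RFC 4515 back into characters."""
    out, i = [], 0
    while i < len(piece):
        if piece[i] == "\\" and i + 3 <= len(piece):
            out.append(chr(int(piece[i + 1:i + 3], 16)))
            i += 3
        else:
            out.append(piece[i])
            i += 1
    return "".join(out)


def matches(value: str, assertion: str) -> bool:
    """Evaluate an (attr=assertion) value the way a server would: pieces
    separated by unescaped '*' must occur in order, a bare '*' is a presence
    test, and an assertion without '*' is an exact (here: byte-exact) match."""
    pieces, cur, i = [], [], 0
    while i < len(assertion):
        if assertion[i] == "\\" and i + 3 <= len(assertion):
            cur.append(assertion[i:i + 3]); i += 3
        elif assertion[i] == "*":
            pieces.append("".join(cur)); cur = []; i += 1
        else:
            cur.append(assertion[i]); i += 1
    pieces.append("".join(cur))
    decoded = [_unescape(p) for p in pieces]
    if len(decoded) == 1:
        return value == decoded[0]
    first, *middle, last = decoded
    if not (value.startswith(first) and value.endswith(last)):
        return False
    pos = len(first)
    for piece in middle:
        pos = value.find(piece, pos)
        if pos < 0:
            return False
        pos += len(piece)
    return pos <= len(value) - len(last)


_GROUP_FILTER = re.compile(r"^\(&\(objectClass=groupOfNames\)\(member=(.*)\)\)$")


def search_groups(directory: Directory, ldap_filter: str) -> List[str]:
    """Stand-in for the server evaluating the group-membership filter."""
    m = _GROUP_FILTER.match(ldap_filter)
    if m is None:
        raise ValueError(f"unsupported filter: {ldap_filter}")
    return sorted(dn for dn, attrs in directory.items()
                  if "groupOfNames" in attrs.get("objectClass", [])
                  and any(matches(v, m.group(1)) for v in attrs.get("member", [])))


def groups_via_member_of(directory: Directory, user_dn: str) -> List[str]:
    """Design (a): read the flag stored on the user entry."""
    return sorted(directory.get(user_dn, {}).get("memberOf", []))


def groups_via_group_of_names(directory: Directory, user_dn: str) -> List[str]:
    """Design (b): search for groups whose 'member' holds exactly this DN."""
    # An empty DN would match the placeholder value of an empty group, so an
    # unresolved user must never reach the search with "".
    if not user_dn:
        raise ValueError("refusing a membership check for an empty DN")
    return search_groups(directory, member_filter(user_dn))


if __name__ == "__main__":
    alice = f"uid=alice,{USERS}"
    print("memberOf:     ", groups_via_member_of(DIRECTORY, alice))
    print("groupOfNames: ", groups_via_group_of_names(DIRECTORY, alice))
    print("injected '*': ", search_groups(DIRECTORY, naive_member_filter("*")))
    print("escaped '*':  ", search_groups(DIRECTORY, member_filter("*")))
```

Real servers compare DN-valued attributes with the distinguishedNameMatch rule (attribute types case-insensitive, values normalised), which the byte-exact comparison in `matches` does not reproduce; the point of the stand-in is the shape of the data and of the filter, not the matching rule.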
More information about the sr-users mailing list