grouper training developers and architects ldap
DESCRIPTION
Grouper Training Developers and Architects LDAP. Shilen Patel Duke University. This work licensed under a Creative Commons Attribution-NonCommercial 3.0 Unported License. Contents. Introduction Advantages and disadvantages Flat vs bushy structure - PowerPoint PPT PresentationTRANSCRIPT
Grouper TrainingDevelopers and Architects
LDAPShilen Patel
Duke University
This work licensed under a Creative Commons Attribution-NonCommercial 3.0 Unported License.
• Introduction• Advantages and disadvantages• Flat vs bushy structure• Group and Member objects – Active Directory• Group and Member objects – OpenLDAP• Other group attributes• Flattened memberships vs direct
memberships only• Tips on performing queries
2
Contents
3
Introduction
• Example LDAP structure.• dc=example,dc=edu
• ou=people– uid=bob
» uid: bob» givenName: Bob» sn: Smith» displayName: Bob Smith» memberOf: cn=staff,ou=employees,ou=groups,dc=example,dc=edu
– uid=john• ou=groups
• ou=employees- cn=staff
» cn: staff» description: All staff at the institution» member: uid=bob,ou=people,dc=example,dc=edu» member: uid=john,ou=people,dc=example,dc=edu
- cn=faculty
4
Introduction (continued)
• Advantages• Integration with third party applications.• Performance•High availability
• Disadvantages•Read only•Handling privileges
5
Advantages and disadvantages
6
Flat vs bushy structure
• Flat
• Bushy
cn is typically the full group name (ID Path)
Each ou represents a Grouper folder. The value is the stem extension (Folder ID)
cn is typically the group extension (ID)
• Group objects•Group object class is “group”.• sAMAccountName attribute – May be
generated directly by AD or as part of the group provisioning.
•member attribute – LDAP entry DNs of subjects that are members of the group.
7
Group and Member objects – Active Directory
• Member objects•memberOf attribute – LDAP entry DNs of
groups that this subject is a member of. This is a computed attribute.
8
Group and Member objects – Active Directory (continued)
• Group objects• Group object class is “groupOfNames” by default.
May also use eduMember.• hasMember attribute – names of subjects that are
members of the group.• isMemberOf attribute – names of groups that this
group is a member of.• member attribute – LDAP entry DNs of subjects that
are members of the group.• memberOf attribute – LDAP entry DNs of groups that
this group is a member of.
9
Group and Member objects – OpenLDAP
• Member objects• isMemberOf – names of groups that this subject
is a member of.• memberOf – LDAP entry DNs of groups that this
subject is a member of.
10
Group and Member objects – OpenLDAP (continued)
• Any group attribute in Grouper can be provisioned to an attribute in LDAP.
• For instance, a group’s description may be kept in the description attribute in LDAP.
11
Other Group Attributes
• Depending on how LDAP is provisioned, a group’s member attribute may be based on a flattened list (direct and indirect) or only contain direct members.
• If only direct memberships are provisioned and a group has another group as a member, then the first group will still have the second group’s DN in its member list. But applications have to take that into account when performing queries.• Note that if you need to get all (direct and indirect) groups
for a person, some directories (such as AD and Oracle DSEE) can automatically get indirect memberships to avoid multiple calls to the LDAP server.
12
Flattened memberships vs direct memberships only
• Set the search base correctly.• Set the scope correctly.
• Base• One • Subtree
• Be aware of client and server limits (e.g. size limit and time limit).
13
Tips on Performing Queries
• If you want to see if a person is in a group (and flattened memberships are provisioned), you can:• Get all of the group’s members by retrieving the member attribute
of the group object. (Likely bad for performance.)• Get all of the person’s groups by retrieving the memberOf attribute
of the member object. (Could be bad for performance.)• Perform a (member=DN) query with a search base of the group’s
DN without retrieving the member attribute.• Use the LDAP compare operation to see if the group object
contains an attribute/value pair. The attribute would be “member” and the value would be the DN of the member object.
14
Tips on Performing Queries (continued)
Click on the quiz link in the video description to reinforce your knowledge of this topic.
15
Quiz
Thanks!
Further information:
• Infosheets, mailing lists, wiki, downloads, etc.:www.internet2.edu/grouper
• Grouper demo server:grouperdemo.internet2.edu/
• Grouper Online Training Home:spaces.internet2.edu/x/IIGfAQ
This work licensed under a Creative Commons Attribution-NonCommercial 3.0 Unported License. 16