Is there a standard way to integrate a web application with LDAP groups? Let's see what others are doing:
- Confluence supports both "static groups" (the group's LDAP entry lists user DNs or IDs in an attribute like "member" or "memberUid" - typical objectClasses are "posixGroup" and "groupOfNames") and "dynamic groups" (the user entry lists group DNs in an attribute like "member" or "memberOf"; Active Directory does the latter). Which (static) groups are being read can be defined with a custom LDAP query filter ("baseGroupNamespace" and "groupSearchAllDepths" configuration settings).
- Trac seems to use just "static groups". What's interesting is that they can store permissions directly in LDAP, with "objectclass: trac" and "tracperm" attributes. They're distinguishing group and user DNs internally by prefixing groups with an "@" character. They also filter which groups are being used ("group_rdn" configuration setting).
- Drupal can work with both group types. They mention the problem with hierarchical group membership...
- Typo3 I'm not sure about - the documented configuration settings sound like they only support "dynamic groups" ("use memberOf-Attribute", "build usergroup"), but at the bottom of the page they say: "Can I assign users to groups? Yes, currently standard implementations of AD, NDS and OpenLDAP are supported."
- Liferay has a detailed explanation of their LDAP integration. They've got a configuration setting "ldap.import.method" which is set to "user" or "group", depending on which side group membership is to be read from.
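
The two membership models from the list above, together with the hierarchical-membership problem noted for Drupal, as an added example (not code from any of the listed projects). The directory is a constructed in-memory sample, and `make_dn`, `norm`, `direct_groups`, `effective_groups` and the `method` argument are hypothetical names that only borrow the words "user" and "group" from the Liferay setting.

```python
BASE = "dc=example,dc=org"  # constructed sample data, not a real directory

def make_dn(rdn, ou):
    return f"{rdn},ou={ou},{BASE}"

ENTRIES = {
    # User-side membership: the user entry lists its groups (memberOf).
    make_dn("uid=alice", "people"): {"uid": ["alice"],
                                     "memberOf": [make_dn("cn=wiki-admins", "groups")]},
    make_dn("uid=bob", "people"): {"uid": ["bob"]},
    # Group-side membership: groupOfNames lists DNs, posixGroup lists uids.
    make_dn("cn=developers", "groups"): {"member": [make_dn("uid=bob", "people")]},
    make_dn("cn=unix", "groups"): {"memberUid": ["alice"]},
    # Nested groups, including a deliberate cycle (staff <-> all).
    make_dn("cn=staff", "groups"): {"member": [make_dn("cn=developers", "groups"),
                                               make_dn("cn=unix", "groups"),
                                               make_dn("cn=all", "groups")]},
    make_dn("cn=all", "groups"): {"member": [make_dn("cn=staff", "groups")]},
    make_dn("cn=wiki-admins", "groups"): {},
}

def norm(value):
    # Simplified DN normalisation: case and spaces around commas only.
    return ",".join(part.strip() for part in value.lower().split(","))

def direct_groups(entries, subject_dn, method="both"):
    """Groups that list subject_dn directly, read from the chosen side."""
    subject = norm(subject_dn)
    attrs = next((a for d, a in entries.items() if norm(d) == subject), {})
    found = set()
    if method in ("user", "both"):   # membership stored on the member's entry
        found.update(norm(g) for g in attrs.get("memberOf", []))
    if method in ("group", "both"):  # membership stored on the group's entry
        uids = set(attrs.get("uid", []))
        for group_dn, group in entries.items():
            by_dn = subject in map(norm, group.get("member", []))
            if by_dn or uids & set(group.get("memberUid", [])):
                found.add(norm(group_dn))
    return found

def effective_groups(entries, user_dn, method="both"):
    """Direct plus inherited groups; the seen set stops membership cycles."""
    seen, todo = set(), [user_dn]
    while todo:
        for group in direct_groups(entries, todo.pop(), method) - seen:
            seen.add(group)
            todo.append(group)
    return seen
```

Reading only one side silently drops memberships stored on the other, so an application that maps groups to permissions should resolve them the same way at every authorization check.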
Thu, 25 Oct 2007 09:16:49 +0000