Tim's Weblog
Tim Strehle’s links and thoughts on Web apps, software development and Digital Asset Management, since 2002.
2007-10-25

Using LDAP groups in a web application

Is there a standard way to integrate a web application with LDAP groups? Let's see what others are doing:

  • Confluence supports both "static groups" (the group's LDAP entry lists its members in an attribute like "member" (user DNs) or "memberUid" (user IDs); typical objectClasses are "groupOfNames" and "posixGroup") and "dynamic groups" (the user's entry lists the DNs of its groups in an attribute like "memberOf"; Active Directory works this way). Which (static) groups are read can be narrowed with a custom LDAP query filter and the "baseGroupNamespace" and "groupSearchAllDepths" configuration settings. Note that "dynamic group" is Confluence's term here; in LDAP proper a dynamic group usually means a "groupOfURLs" entry whose "memberURL" search URL the server evaluates.
  • Trac seems to use just "static groups". What's interesting is that they can store permissions directly in LDAP, with "objectclass: trac" and "tracperm" attributes. They distinguish group and user DNs internally by prefixing groups with an "@" character. They also filter which groups are used ("group_rdn" configuration setting).
  • Drupal can work with both group types. They mention the problem of hierarchical group membership (nested groups, i.e. a group listed as a member of another group, which has to be resolved recursively)...
  • Typo3 I'm not sure about: the documented configuration settings sound like they only support "dynamic groups" ("use memberOf-Attribute", "build usergroup"), but at the bottom of the page they say: "Can I assign users to groups? Yes, currently standard implementations of AD, NDS and OpenLDAP are supported."
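To make the two membership models concrete, here is an added worked example (not code from this post or from Confluence, Trac, Drupal or Typo3). It resolves a user's groups from the group side ("static": member / memberUid) and from the user side ("dynamic": memberOf), then expands nested groups with cycle protection, and finally builds Trac-style "@group" principal names. The DIRECTORY dict, GROUP_BASE and all function names are constructed for illustration and stand in for the entries a python-ldap or ldap3 search would return.

```python
# Added example; not code from the post or from any product it surveys.
# DIRECTORY is a constructed in-memory stand-in for LDAP search results.
from typing import Dict, List, Set

Entry = Dict[str, List[str]]

# Constructed sample directory: DN -> attributes.
DIRECTORY: Dict[str, Entry] = {
    "uid=alice,ou=people,dc=example,dc=com": {
        "objectClass": ["inetOrgPerson"],
        "uid": ["alice"],
        # "dynamic" side: the user entry names its groups (AD-style memberOf)
        "memberOf": ["cn=editors,ou=groups,dc=example,dc=com"],
    },
    "cn=editors,ou=groups,dc=example,dc=com": {
        "objectClass": ["groupOfNames"],
        "member": ["uid=alice,ou=people,dc=example,dc=com"],
    },
    "cn=wheel,ou=groups,dc=example,dc=com": {
        "objectClass": ["posixGroup"],
        "memberUid": ["alice", "bob"],
    },
    # nested groups: editors -> staff -> all -> staff (deliberate cycle)
    "cn=staff,ou=groups,dc=example,dc=com": {
        "objectClass": ["groupOfNames"],
        "member": ["cn=editors,ou=groups,dc=example,dc=com",
                   "cn=all,ou=groups,dc=example,dc=com"],
    },
    "cn=all,ou=groups,dc=example,dc=com": {
        "objectClass": ["groupOfNames"],
        "member": ["cn=staff,ou=groups,dc=example,dc=com"],
    },
}

GROUP_BASE = "ou=groups,dc=example,dc=com"  # assumed group subtree


def escape_filter(value: str) -> str:
    """RFC 4515 escaping for values interpolated into a search filter.
    Without it a uid like 'x)(objectClass=*' rewrites the query (LDAP injection)."""
    return "".join("\\%02x" % ord(ch) if ch in "\\*()\0" else ch for ch in value)


def static_group_filter(user_dn: str, uid: str) -> str:
    """The filter an app would send to find static groups listing this user."""
    return ("(&(|(objectClass=groupOfNames)(objectClass=posixGroup))"
            "(|(member=%s)(memberUid=%s)))"
            % (escape_filter(user_dn), escape_filter(uid)))


def _norm(dn: str) -> str:
    # Simplified DN comparison (case-insensitive); real DN matching is richer.
    return dn.lower()


def _in_base(dn: str, base: str) -> bool:
    return _norm(dn).endswith("," + _norm(base))


def static_groups(user_dn: str, uid: str, directory=DIRECTORY,
                  base=GROUP_BASE) -> Set[str]:
    """Group-side lookup: groups under `base` whose member/memberUid lists
    the user. This is what the server does with static_group_filter()."""
    found = set()
    for dn, attrs in directory.items():
        if not _in_base(dn, base):
            continue
        members = {_norm(m) for m in attrs.get("member", [])}
        if _norm(user_dn) in members or uid in attrs.get("memberUid", []):
            found.add(dn)
    return found


def dynamic_groups(user_dn: str, directory=DIRECTORY) -> Set[str]:
    """User-side lookup: read memberOf from the user's own entry."""
    return set(directory.get(user_dn, {}).get("memberOf", []))


def expand_nested(groups: Set[str], directory=DIRECTORY, base=GROUP_BASE,
                  max_depth: int = 10) -> Set[str]:
    """Add every group that transitively lists one of `groups` as a member.
    Groups already in `result` are never revisited, so cycles terminate;
    max_depth bounds the work a single request can trigger."""
    result, frontier, depth = set(groups), set(groups), 0
    while frontier and depth < max_depth:
        parents = set()
        for dn, attrs in directory.items():
            if not _in_base(dn, base) or dn in result:
                continue
            members = {_norm(m) for m in attrs.get("member", [])}
            if any(_norm(g) in members for g in frontier):
                parents.add(dn)
        result |= parents
        frontier, depth = parents, depth + 1
    return result


def principal_names(uid: str, group_dns: Set[str]) -> Set[str]:
    """Trac-style principals: the user as-is, groups as '@' + cn."""
    names = {uid}
    for dn in group_dns:
        rdn = dn.split(",", 1)[0]              # e.g. "cn=editors"
        names.add("@" + rdn.split("=", 1)[1])
    return names
```

Two things a practitioner should take from this: the user DN and uid end up inside a search filter, so they must be escaped per RFC 4515 before interpolation; and neither model gives you nested membership for free, because a static lookup only returns groups that list the user directly and Active Directory's memberOf likewise lists only direct memberships (and not the primary group). Expand nested groups yourself, as above, or on Active Directory let the server do it with the LDAP_MATCHING_RULE_IN_CHAIN matching rule (OID 1.2.840.113556.1.4.1941) in the filter.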

Update (2007-11-14):

  • Liferay has a detailed explanation of their LDAP integration. They've got a configuration setting "ldap.import.method" which is set to "user" or "group", depending on which side group membership is read from.