Is there a standard way to integrate a web application with LDAP groups? Let’s see what others are doing:
- Confluence supports both „static groups“ (the group’s LDAP entry lists user DNs or IDs in an attribute like „member“ or „memberUid“ – typical objectClasses are „posixGroup“ and „groupOfNames“) and „dynamic groups“ (the user entry lists group DNs in an attribute like „member“ or „memberOf“; Active Directory does the latter). Which (static) groups are read can be restricted with a custom LDAP query filter (the „baseGroupNamespace“ and „groupSearchAllDepths“ configuration settings).
- Trac seems to use just „static groups“. What’s interesting is that it can store permissions directly in LDAP, using „objectclass: trac“ and „tracperm“ attributes. It distinguishes group and user DNs internally by prefixing groups with an „@“ character. It also filters which groups are used („group_rdn“ configuration setting).
- Drupal can work with both group types. They mention the problem with hierarchical group membership…
- Typo3 I’m not sure about – the documented configuration settings sound like they only support „dynamic groups“ („use memberOf-Attribute“, „build usergroup“), but at the bottom of the page they say: „Can I assign users to groups? Yes, currently standard implementations of AD, NDS and OpenLDAP are supported.“
Update (2007-11-14):
- Liferay has a detailed explanation of their LDAP integration. They’ve got a configuration setting „ldap.import.method“ which is set to „user“ or „group“, depending on which side group membership is read from.
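To make the two membership models above concrete, here is an added example (not code from any of the applications discussed) that resolves a user’s groups from either side – the group entry’s „member“ list or the user entry’s „memberOf“ list, the same choice Liferay’s „user“/„group“ setting makes – and then walks nested (hierarchical) group membership with cycle protection. The directory entries are constructed sample data, not a real LDAP server.

```python
from typing import Dict, List, Set

Entry = Dict[str, List[str]]
Directory = Dict[str, Entry]

# Constructed in-memory stand-in for LDAP search results: DN -> attributes.
DIRECTORY: Directory = {
    "uid=alice,ou=people,dc=example,dc=org": {
        "objectClass": ["inetOrgPerson"],
        # dynamic-group style: the user entry names its groups
        "memberOf": ["cn=devs,ou=groups,dc=example,dc=org"],
    },
    "cn=devs,ou=groups,dc=example,dc=org": {
        "objectClass": ["groupOfNames"],
        # static-group style: the group entry lists its members
        "member": ["uid=alice,ou=people,dc=example,dc=org"],
    },
    "cn=staff,ou=groups,dc=example,dc=org": {
        "objectClass": ["groupOfNames"],
        # nested group containing devs, plus a deliberate self-reference cycle
        "member": ["cn=devs,ou=groups,dc=example,dc=org",
                   "cn=staff,ou=groups,dc=example,dc=org"],
    },
}

def static_groups(directory: Directory, dn: str, attr: str = "member") -> Set[str]:
    """Groups whose own entry lists dn (posixGroup / groupOfNames style)."""
    return {g for g, e in directory.items() if dn in e.get(attr, [])}

def dynamic_groups(directory: Directory, user_dn: str, attr: str = "memberOf") -> Set[str]:
    """Groups named on the user's own entry (Active Directory memberOf style)."""
    return set(directory.get(user_dn, {}).get(attr, []))

def expand_nested(directory: Directory, groups: Set[str], attr: str = "member") -> Set[str]:
    """Add every group that transitively contains one of the given groups.
    The visited set (result) stops the walk on membership cycles."""
    result, todo = set(groups), list(groups)
    while todo:
        for parent in static_groups(directory, todo.pop(), attr):
            if parent not in result:
                result.add(parent)
                todo.append(parent)
    return result

def groups_for(directory: Directory, user_dn: str, side: str = "group") -> Set[str]:
    """Resolve direct membership from the chosen side ("group" or "user"), then nest."""
    direct = static_groups(directory, user_dn) if side == "group" else dynamic_groups(directory, user_dn)
    return expand_nested(directory, direct)
```

Whichever side is read, the nested walk yields the same effective set for alice (devs and staff), and the self-referencing staff group does not loop.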