{"id":1004,"date":"2007-10-25T00:00:00","date_gmt":"2007-10-24T22:00:00","guid":{"rendered":"https:\/\/wwwneu.strehle.de\/tim\/weblog\/archives\/2007\/10\/25\/942\/"},"modified":"2007-10-25T00:00:00","modified_gmt":"2007-10-24T22:00:00","slug":"942","status":"publish","type":"post","link":"https:\/\/www.strehle.de\/tim\/weblog\/archives\/2007\/10\/25\/942\/","title":{"rendered":"Using LDAP groups in a web application"},"content":{"rendered":"<p>Is there a standard way to integrate a web application with LDAP groups? Let&#8217;s see what others are doing:<\/p>\n<ul>\n<li>\n<a href=\"http:\/\/confluence.atlassian.com\/display\/DEV\/How+to+map+LDAP+Users+and+Groups+to+Confluence+via+Atlassian+User\" title=\"How to map LDAP Users and Groups to Confluence via Atlassian User - Atlassian Development - Confluence\">Confluence<\/a> supports both &#8222;static groups&#8220; (the group&#8217;s LDAP entry lists user DNs or IDs in an attribute like &#8222;member&#8220; or &#8222;memberUid&#8220; &#8211; typical objectClasses are &#8222;posixGroup&#8220; and &#8222;groupOfNames&#8220;) and &#8222;dynamic groups&#8220; (the user entry lists group DNs in an attribute like &#8222;member&#8220; or &#8222;memberOf&#8220;; Active Directory does the latter). Which (static) groups are being read can be defined with a custom LDAP query filter (&#8222;baseGroupNamespace&#8220; and &#8222;groupSearchAllDepths&#8220; configuration settings).<\/li>\n<li>\n<a href=\"http:\/\/trac-hacks.org\/wiki\/LdapPlugin\">Trac<\/a> seems to use just &#8222;static groups&#8220;. What&#8217;s interesting is that they can store permissions directly in LDAP, with &#8222;objectclass: trac&#8220; and &#8222;tracperm&#8220; attributes. They&#8217;re distinguishing group and user DNs internally by prefixing groups with an &#8222;@&#8220; character. 
They also filter which groups are being used (&#8222;group_rdn&#8220; configuration setting).<\/li>\n<li>\n<a href=\"http:\/\/drupal.org\/node\/34367\">Drupal<\/a> can work with both group types. They mention the problem with hierarchical group membership&#8230;<\/li>\n<li>\n<a href=\"http:\/\/typo3.org\/documentation\/document-library\/extension-manuals\/eu_ldap\/2.7.9\/view\/1\/2\/\" title=\"typo3.org: Documentation: LDAP (EXT: LDAP Integration)\">Typo3<\/a> I&#8217;m not sure about &#8211; the documented configuration settings sound like they only support &#8222;dynamic groups&#8220; (&#8222;use memberOf-Attribute&#8220;, &#8222;build usergroup&#8220;), but at the bottom of the page they say: &#8222;Can I assign users to groups? Yes, currently standard implementations of AD, NDS and OpenLDAP are supported.&#8220;<\/li>\n<\/ul>\n<p><em>Update (2007-11-14):<\/em><\/p>\n<ul>\n<li>\n<a href=\"http:\/\/wiki.liferay.com\/index.php\/LDAP\" title=\"LDAP - LiferayPedia\">Liferay<\/a> has a detailed explanation of their LDAP integration. They&#8217;ve got a configuration setting &#8222;ldap.import.method&#8220; which is set to &#8222;user&#8220; or &#8222;group&#8220;, depending on which side group membership is read from.<\/li>\n<\/ul>\n","protected":false},"excerpt":{"rendered":"<p>Is there a standard way to integrate a web application with LDAP groups? 
Let&#8217;s see what others are doing: Confluence supports both &#8222;static groups&#8220; (the group&#8217;s LDAP entry lists user DNs or IDs in an attribute like &#8222;member&#8220; or &#8222;memberUid&#8220; &#8211; typical objectClasses are &#8222;posixGroup&#8220; and &#8222;groupOfNames&#8220;) and &#8222;dynamic groups&#8220; (the user entry lists group [&hellip;]<\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"","ping_status":"","sticky":false,"template":"","format":"standard","meta":{"footnotes":"","_share_on_mastodon":"0"},"categories":[1],"tags":[],"class_list":["post-1004","post","type-post","status-publish","format-standard","hentry","category-weblog"],"share_on_mastodon":{"url":"","error":""},"_links":{"self":[{"href":"https:\/\/www.strehle.de\/tim\/wp-json\/wp\/v2\/posts\/1004","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/www.strehle.de\/tim\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/www.strehle.de\/tim\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/www.strehle.de\/tim\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/www.strehle.de\/tim\/wp-json\/wp\/v2\/comments?post=1004"}],"version-history":[{"count":0,"href":"https:\/\/www.strehle.de\/tim\/wp-json\/wp\/v2\/posts\/1004\/revisions"}],"wp:attachment":[{"href":"https:\/\/www.strehle.de\/tim\/wp-json\/wp\/v2\/media?parent=1004"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/www.strehle.de\/tim\/wp-json\/wp\/v2\/categories?post=1004"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/www.strehle.de\/tim\/wp-json\/wp\/v2\/tags?post=1004"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}