Sunday, July 1, 2007

Static Vs Dynamic LDAP Groups


LDAP directory servers contain information about people: users, employees, customers, partners, and others. Many times, it makes sense to associate entries together in groups. A group is basically a collection of entries. These entries can be statically assigned to a group or can have a set of common attributes on which they can form a dynamic groups.


1) Static Group


A static group defines each member individually using the structural objectclass groupOfNames, groupOfUniqueNames, etc depending on Directory Server implementation. These objectclasses require the attribute member (or uniqueMember in the case of groupOfUniqueNames). These groups are good if the number of users in a group is not large because group contains an entry for each user who belong to this group. The more number of people assigned to the group more complicated the task to manage that group.


2) Dynamic Group


Dynamic groups allow you to use a LDAP URL to define a set of rules that match only for group members. For Dynamic Groups, the members do share a common attribute or set of attributes that are defined in the memberURL filter. These are good if the number of users in the group are very large. It's a much better choice for a dynamic group than a static group because the set of members will be automatically adjusted as new users are added, existing users are removed


Example :


dn: cn=Austin Users,ou=Groups,dc=example,dc=com
objectClass: top
objectClass: groupOfURLs
cn: Austin Users
memberURL:
ldap:///ou=People,dc=example,dc=com??sub?(&(l=Austin)(st=Texas))


In the above example all the users who belong to Location as Austin or State as Texas belongs to Austin Users.


Roles


Roles are a similar to groups, but work differently. Groups are effectively listings of members. In order to find out, for example, which groups "David" belongs to, you would need to look at every group and see if it contains "David". Roles, on the other hand, are associations that are stored in users' entries themselves.


As a member of a role, you have the authority to do what is needed for the role in order to accomplish a job. Unlike a group, a role comes with an implicit set of permissions. There is not a built-in assumption about what permissions are gained (or lost) by being a member of a group.








Technorati :

No comments: