Have you ever wondered how exactly LDAP groups work? Well, I did last week and here are my findings...
LDAP for Rocket Scientists description of LDAP groups was first one around which I can wrap my mind. However, it has small error so I will reproduce corrected version here:
# LDIF fragment to create group branch under root dn: ou=groups,dc=example,dc=com objectclass:organizationalunit ou: groups description: generic groups branch # create the itpeople entry dn: cn=itpeople,ou=groups,dc=example,dc=com objectclass: groupofnames cn: itpeople description: IT security group # add the group members all of which are # assumed to exist under people member: cn=road runner,ou=people,dc=example,dc=com member: cn=micky mouse,ou=people,dc=example,dc=comOk, so we need to make two objects in LDAP directory to create single group.
But, where did
groupofnames came from?
Warning: rant ahead! I had idea that whole point of very strict schema checking in LDAP is to have single way of defining entities in directory. Did we got there? Let's see data from IBM Technote:
| server | person | group | |||||
|---|---|---|---|---|---|---|---|
| objectclass | name | unique | objectclass | member attribute | name | unique | |
| Lotus Domino LDAP Directory | organizationalPerson | cn | groupOfNames | member | cn | description | |
| Netscape Directory Server | organizationalPerson | cn | groupOfUniqueNames | uniquemember | cn | description | |
| Microsoft Exchange 5.5 | organizationalPerson | cn | groupOfNames | member | cn | description | |
| Microsoft Active Directory | organizationalPerson | userPrincipalName | cn | group | member | cn | description |
Right... I can clearly see why strict LDAP schema was good idea.