memberOf vs. groupMembership in LDAP (Liferay)
What is the difference between the memberOf attribute and the groupMembership attribute when used in LDAP Authentication settings in Liferay?
The users are imported successfully. The groups are also imported successfully.
But the users are not assigned to the groups automatically. And when I changed the group variable from 'groupMembership' to 'memberOf', several users are not able to log in to Liferay.
What exactly are memberOf and groupMembership variables?

memberOf is not a "variable", it is an attribute, or more accurately, it is a virtual attribute, or a dynamic attribute generated on the fly by some directory servers, but not all. Some use memberOf to use in search filters or in the attribute list of a search request, some use isMemberOf for the same purpose, some support both or neither, and there are probably other idioms of which I am not aware.
Generally speaking, to determine group membership, issue a search request to the directory server and specify memberOf or isMemberOf to be returned in the attribute list. Here is an example using a modern ldapsearch command line tool:
ldapsearch --port 1389 --baseDn 'ou=people,dc=example,dc=com' \
     --sizeLimit 3 --searchScope one --bindDn 'cn=directory manager' \
     --bindPasswordFile ~/.pwdFile '(uid=user.0)' isMemberOf
dn: uid=user.0,ou=people,dc=example,dc=com
isMemberOf: cn=Dynamic Home Directories,ou=groups,dc=example,dc=com
isMemberOf: cn=bellevue,ou=groups,dc=example,dc=com
isMemberOf: cn=shadow entries,ou=groups,dc=example,dc=com
isMemberOf: cn=persons,ou=groups,dc=example,dc=com
This search response indicated that user.0 is a member of the listed groups.
To reverse the sense of the query, that is, to determine which entries are members of a group, use isMemberOf or memberOf with an assertion in the filter used in the search request:
ldapsearch --port 1389 --baseDn 'ou=people,dc=example,dc=com' \
   --sizeLimit 3 --searchScope one --bindDn 'cn=directory manager' \
   --bindPasswordFile ~/.pwdFile \
  '(isMemberOf=cn=persons,ou=groups,dc=example,dc=com)' 1.1
dn: uid=terrygardner,ou=people,dc=example,dc=com
dn: uid=user.0,ou=people,dc=example,dc=com
dn: uid=user.1,ou=People,dc=example,dc=com
dn: uid=user.10,ou=People,dc=example,dc=com
This search response indicates that there are several members of the group whose distinguished name is cn=persons,ou=groups,dc=example,dc=com.
While not specific to Liferay, the above is a general explanation of one way to deal with group membership and also of reverse group membership from an LDAP perspective.
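The two lookup directions described in the answer above, as an added example that is not part of the original answer or of Liferay: it parses ldapsearch-style LDIF output and reports whether a user's groups came from an attribute on the user entry (memberOf, isMemberOf, or the groupMembership name from the question) or had to be found on the group entries. The function names, the member/uniqueMember fallback, the simplified DN normalization and the sample LDIF are assumptions made for illustration.

```python
USER_SIDE = ("memberof", "ismemberof", "groupmembership")  # read from the user entry
GROUP_SIDE = ("member", "uniquemember")                     # read from the group entry

def norm_dn(dn):
    # Simplified DN normalization: case-fold and trim around ',' and '='.
    # Assumption: no escaped commas or multi-valued RDNs in the DNs.
    return ",".join("=".join(p.strip() for p in rdn.split("=", 1))
                    for rdn in dn.lower().split(","))

def parse_ldif(text):
    """Return {normalized dn: {lowercased attr: [values]}}; base64 values unsupported."""
    entries, cur = {}, None
    for line in text.replace("\n ", "").splitlines():  # unfold continuation lines
        name, sep, value = line.partition(":")
        name, value = name.strip().lower(), value.strip()
        if not sep:
            cur = None                                  # blank line ends the entry
        elif name == "dn":
            cur = entries.setdefault(norm_dn(value), {})
        elif cur is not None:
            cur.setdefault(name, []).append(value)
    return entries

def groups_of(user_dn, entries):
    """Return (source, groups): the user-side attribute if the server returned
    one, otherwise a scan of group entries that list the user as a member."""
    target = norm_dn(user_dn)
    user = entries.get(target, {})
    for attr in USER_SIDE:
        if attr in user:
            return attr, {norm_dn(g) for g in user[attr]}
    found = {dn for dn, attrs in entries.items() for a in GROUP_SIDE
             if target in map(norm_dn, attrs.get(a, []))}
    return ("group-side scan" if found else "none"), found

# Constructed sample 1: the server returns a virtual attribute on the user entry.
WITH_ATTR = """dn: uid=user.0,ou=people,dc=example,dc=com
isMemberOf: cn=persons,ou=groups,dc=example,dc=com
isMemberOf: cn=bellevue,ou=groups,dc=example,dc=com"""
# Constructed sample 2: no user-side attribute; membership is stored on the group.
GROUP_ONLY = """dn: uid=user.1,ou=People,dc=example,dc=com
uid: user.1

dn: cn=persons,ou=groups,dc=example,dc=com
uniqueMember: uid=user.1, ou=people, dc=example, dc=com"""
```

A result of "none" or "group-side scan" for a user means the attribute name configured for group mapping is not one this server returns on user entries.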
 