memberOf vs. groupMembership in LDAP (Liferay)
What is the difference between the memberOf attribute and the groupMembership attribute when used in the LDAP Authentication settings in Liferay?
The users are imported successfully. The groups are also imported successfully.
But the users are not assigned to the groups automatically. And when I changed the group variable from 'groupMembership' to 'memberOf', several users were not able to log in to Liferay.
What exactly are memberOf and groupMembership variables?
memberOf is not a "variable", it is an attribute, or more accurately, it is a virtual attribute, or a dynamic attribute generated on the fly by some directory servers, but not all. Some use memberOf in search filters or in the attribute list of a search request, some use isMemberOf for the same purpose, some support both or neither, and there are probably other idioms of which I am not aware.
Generally speaking, to determine group membership, issue a search request to the directory server and specify memberOf or isMemberOf to be returned in the attribute list. Here is an example using a modern ldapsearch command line tool:
ldapsearch --port 1389 --baseDn 'ou=people,dc=example,dc=com' \
--sizeLimit 3 --searchScope one --bindDn 'cn=directory manager' \
--bindPasswordFile ~/.pwdFile '(uid=user.0)' isMemberOf
dn: uid=user.0,ou=people,dc=example,dc=com
isMemberOf: cn=Dynamic Home Directories,ou=groups,dc=example,dc=com
isMemberOf: cn=bellevue,ou=groups,dc=example,dc=com
isMemberOf: cn=shadow entries,ou=groups,dc=example,dc=com
isMemberOf: cn=persons,ou=groups,dc=example,dc=com
This search response indicates that user.0 is a member of the listed groups.
To reverse the sense of the query, that is, to determine which entries are the members of a group, use the isMemberOf or memberOf attribute with an assertion in the filter used in the search request:
ldapsearch --port 1389 --baseDn 'ou=people,dc=example,dc=com' \
--sizeLimit 3 --searchScope one --bindDn 'cn=directory manager' \
--bindPasswordFile ~/.pwdFile \
'(isMemberOf=cn=persons,ou=groups,dc=example,dc=com)' 1.1
dn: uid=terrygardner,ou=people,dc=example,dc=com
dn: uid=user.0,ou=people,dc=example,dc=com
dn: uid=user.1,ou=People,dc=example,dc=com
dn: uid=user.10,ou=People,dc=example,dc=com
This search response indicates that there are several members of the group whose distinguished name is cn=persons,ou=groups,dc=example,dc=com.
While not specific to Liferay, the above is a general explanation of one way to deal with group membership and also of reverse group membership from an LDAP perspective.
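The two queries in the answer read membership from opposite ends: the first asks the user entry for its memberOf/isMemberOf values, the second asks which entries carry a given group DN. The practical catch, and the one behind the question's symptom of users importing but not landing in any group, is that a server which does not generate the virtual attribute simply returns no memberOf, so a mapping that relies on it silently yields empty membership. The following Python is an added example, not code from the answer or from Liferay; it parses LDIF search output of the shape shown above (the sample entries, the `member` fallback and all function names are constructed for illustration), resolves user-to-group membership from the user side when memberOf/isMemberOf is present, falls back to the group entries' `member`/`uniqueMember` values when it is not, and supports the reverse lookup from the second query.

```python
"""Resolve LDAP group membership in both directions from LDIF output.

Added illustration; the LDIF below is constructed, not captured from a server.
"""
from collections import defaultdict

# Constructed: what a server that supports isMemberOf returns for user entries.
USER_LDIF = """\
dn: uid=user.0,ou=people,dc=example,dc=com
isMemberOf: cn=persons,ou=groups,dc=example,dc=com
isMemberOf: cn=bellevue,ou=groups,dc=example,dc=com

dn: uid=user.1,ou=people,dc=example,dc=com
"""

# Constructed: group entries from a server with no memberOf/isMemberOf at all;
# membership is only recorded on the group side.
GROUP_LDIF = """\
dn: cn=persons,ou=groups,dc=example,dc=com
objectClass: groupOfNames
member: uid=user.0,ou=people,dc=example,dc=com
member: uid=user.1,ou=people,dc=example,dc=com

dn: cn=bellevue,ou=groups,dc=example,dc=com
objectClass: groupOfNames
member: uid=user.0,ou=people,dc=example,dc=com
"""

MEMBERSHIP_ATTRS = ("memberof", "ismemberof")   # user-side virtual attributes
GROUP_MEMBER_ATTRS = ("member", "uniquemember")  # group-side static attributes


def parse_ldif(text):
    """Parse minimal LDIF (no base64 values, no wrapped lines) into a list of
    (dn, {attribute_name_lowercase: [values]}) tuples."""
    entries, dn, attrs = [], None, None
    for raw in text.splitlines():
        line = raw.rstrip()
        if not line:                      # blank line ends the current entry
            if dn is not None:
                entries.append((dn, attrs))
            dn, attrs = None, None
            continue
        name, _, value = line.partition(":")
        name, value = name.strip().lower(), value.strip()
        if name == "dn":
            dn, attrs = value, defaultdict(list)
        elif attrs is not None:
            attrs[name].append(value)
    if dn is not None:
        entries.append((dn, attrs))
    return entries


def groups_from_user_entries(entries):
    """user DN -> set of group DNs taken from memberOf/isMemberOf on the user.
    Returns None when no entry carries either attribute: that is the signal
    that this server does not generate the virtual attribute."""
    result, seen_attr = {}, False
    for dn, attrs in entries:
        groups = set()
        for a in MEMBERSHIP_ATTRS:
            if a in attrs:
                seen_attr = True
                groups.update(attrs[a])
        # DNs are case-insensitive; lowercasing the whole DN is a simplification
        result[dn.lower()] = groups
    return result if seen_attr else None


def groups_from_group_entries(entries):
    """user DN -> set of group DNs derived from member/uniqueMember on the
    group entries (works on any server, no virtual attribute needed)."""
    result = defaultdict(set)
    for group_dn, attrs in entries:
        for a in GROUP_MEMBER_ATTRS:
            for member in attrs.get(a, []):
                result[member.lower()].add(group_dn)
    return dict(result)


def resolve_membership(user_ldif, group_ldif):
    """Prefer the user-side attribute; fall back to group entries otherwise.
    Returns (source_used, {user_dn: set(group_dn)})."""
    user_side = groups_from_user_entries(parse_ldif(user_ldif))
    if user_side is not None:
        return "memberOf/isMemberOf", user_side
    return "member/uniqueMember", groups_from_group_entries(parse_ldif(group_ldif))


def members_of(group_dn, membership):
    """Reverse lookup (the answer's second query): users that are in group_dn."""
    want = group_dn.lower()
    return sorted(u for u, gs in membership.items()
                  if want in {g.lower() for g in gs})


if __name__ == "__main__":
    source, membership = resolve_membership(USER_LDIF, GROUP_LDIF)
    print("membership source:", source)
    print(members_of("cn=persons,ou=groups,dc=example,dc=com", membership))
```

The useful check before changing a Liferay group mapping is the return value of `groups_from_user_entries`: `None` means the directory never returned the attribute, so pointing the mapping at memberOf or isMemberOf cannot work regardless of which of the two is chosen, and membership has to be read from the group entries instead.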