Introduction to Grouper - Internet2_1_
Grouper Training
Developers and Architects
LDAP
Shilen Patel
Duke University

This work licensed under a Creative Commons Attribution-NonCommercial 3.0 Unported License.
Contents

• Introduction
• Advantages and disadvantages
• Flat vs bushy structure
• Group and Member objects – Active Directory
• Group and Member objects – OpenLDAP
• Other group attributes
• Flattened memberships vs direct
  memberships only
• Tips on performing queries

Introduction

Introduction (continued)
• Example LDAP structure:
  • dc=example,dc=edu
    • ou=people
      – uid=bob
        » uid: bob
        » givenName: Bob
        » sn: Smith
        » displayName: Bob Smith
        » memberOf: cn=staff,ou=employees,ou=groups,dc=example,dc=edu
      – uid=john
    • ou=groups
      • ou=employees
        – cn=staff
          » cn: staff
          » description: All staff at the institution
          » member: uid=bob,ou=people,dc=example,dc=edu
          » member: uid=john,ou=people,dc=example,dc=edu
        – cn=faculty

Advantages and disadvantages

• Advantages
  • Integration with third-party applications.
  • Performance
  • High availability
• Disadvantages
  • Read only
  • Handling privileges

Flat vs bushy structure

• Flat: cn is typically the full group name (ID Path).
• Bushy: each ou represents a Grouper folder; its value is the stem extension
  (Folder ID). cn is typically the group extension (ID).

Group and Member objects – Active Directory
• Group objects
  • Group object class is “group”.
  • sAMAccountName attribute – May be
    generated directly by AD or as part of the
    group provisioning.
  • member attribute – LDAP entry DNs of
    subjects that are members of the group.

Group and Member objects – Active Directory (continued)
• Member objects
  • memberOf attribute – LDAP entry DNs of
    groups that this subject is a member of. This
    is a computed attribute.

Group and Member objects – OpenLDAP
• Group objects
  • Group object class is “groupOfNames” by default.
    May also use eduMember.
  • hasMember attribute – names of subjects that are
    members of the group.
  • isMemberOf attribute – names of groups that this
    group is a member of.
  • member attribute – LDAP entry DNs of subjects that
    are members of the group.
  • memberOf attribute – LDAP entry DNs of groups that
    this group is a member of.

Group and Member objects – OpenLDAP (continued)
• Member objects
  • isMemberOf – names of groups that this subject
    is a member of.
  • memberOf – LDAP entry DNs of groups that this
    subject is a member of.

Other Group Attributes

• Any group attribute in Grouper can be provisioned
  to an attribute in LDAP.
• For instance, a group’s description may be kept in
  the description attribute in LDAP.

Flattened memberships vs direct memberships only
• Depending on how LDAP is provisioned, a group’s
  member attribute may be based on a flattened list
  (direct and indirect) or only contain direct members.
• If only direct memberships are provisioned and a group
  has another group as a member, then the first group
  will still have the second group’s DN in its member list.
  But applications have to take that into account when
  performing queries.
   • Note that if you need to get all (direct and indirect) groups
     for a person, some directories (such as AD and Oracle
     DSEE) can automatically get indirect memberships to avoid
     multiple calls to the LDAP server.

Tips on Performing Queries

• Set the search base correctly.
• Set the scope correctly.
   • Base
   • One
   • Subtree
• Be aware of client and server limits (e.g. size limit and time
  limit).

Tips on Performing Queries (continued)
• If you want to see if a person is in a group (and flattened
  memberships are provisioned), you can:
   • Get all of the group’s members by retrieving the member attribute
     of the group object. (Likely bad for performance.)
   • Get all of the person’s groups by retrieving the memberOf attribute
     of the member object. (Could be bad for performance.)
   • Perform a (member=DN) query with a search base of the group’s
     DN without retrieving the member attribute.
   • Use the LDAP compare operation to see if the group object
     contains an attribute/value pair. The attribute would be “member”
     and the value would be the DN of the member object.
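Added example, not from the deck and not Grouper's own code: an in-memory model of the deck's example directory (with a constructed nested group, cn=faculty listed as a member of cn=staff) that shows search scope, the (member=DN) query and the compare operation from the slide above, and the extra nested-group walk an application needs when only direct memberships are provisioned (the earlier "Flattened memberships vs direct memberships only" slide).

```python
# Added example, not from the training deck: an in-memory model of the deck's
# example directory, used to show search scope, the (member=DN) query, the
# compare operation, and nested-group resolution under direct-only provisioning.
BASE = "dc=example,dc=edu"
PEOPLE = "ou=people," + BASE
GROUPS = "ou=employees,ou=groups," + BASE

# Constructed sample data. Only DIRECT memberships are provisioned, and
# cn=staff lists the group cn=faculty as a member (a nested group).
DIRECTORY = {
    "uid=bob," + PEOPLE: {"objectClass": ["person"]},
    "uid=john," + PEOPLE: {"objectClass": ["person"]},
    "uid=ann," + PEOPLE: {"objectClass": ["person"]},
    "cn=faculty," + GROUPS: {"objectClass": ["groupOfNames"],
                             "member": ["uid=ann," + PEOPLE]},
    "cn=staff," + GROUPS: {"objectClass": ["groupOfNames"],
                           "member": ["uid=bob," + PEOPLE, "uid=john," + PEOPLE,
                                      "cn=faculty," + GROUPS]},
}

def parent(dn):
    """DN of the entry one level up (empty string at the root)."""
    return dn.split(",", 1)[1] if "," in dn else ""

def in_scope(dn, base, scope):
    """base = the entry itself, one = its immediate children, sub = whole subtree."""
    return {"base": dn == base, "one": parent(dn) == base,
            "sub": dn == base or dn.endswith("," + base)}[scope]

def search(base, scope, attr, value):
    """Search with an equality filter (attr=value); returns matching DNs only."""
    return sorted(dn for dn, attrs in DIRECTORY.items()
                  if in_scope(dn, base, scope) and value in attrs.get(attr, []))

def compare(dn, attr, value):
    """LDAP compare: does entry dn hold attr=value? The member list is never read."""
    return value in DIRECTORY.get(dn, {}).get(attr, [])

def is_direct_member(group_dn, subject_dn):
    """The deck's (member=DN) query with the group's DN as base and base scope."""
    return search(group_dn, "base", "member", subject_dn) == [group_dn]

def is_member(group_dn, subject_dn, seen=None):
    """Direct-only provisioning: follow nested group DNs, guarding against cycles."""
    seen = set() if seen is None else seen
    if compare(group_dn, "member", subject_dn):
        return True
    seen.add(group_dn)
    return any(is_member(m, subject_dn, seen)
               for m in DIRECTORY.get(group_dn, {}).get("member", [])
               if m not in seen and "groupOfNames" in DIRECTORY.get(m, {}).get("objectClass", []))
```

With flattened provisioning the compare or base-scope search alone would answer the question; with direct-only provisioning, is_direct_member reports that ann is not in cn=staff while is_member finds her through cn=faculty.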

Quiz

Click on the quiz link in the video
description to reinforce your knowledge of
this topic.

                          Thanks!

                   Further information:
•   Infosheets, mailing lists, wiki, downloads, etc.:

posted:4/13/2014