Re: [squid-users] squid_ldap_group

From: Henrik Nordstrom <henrik@dont-contact.us>
Date: Wed, 08 Mar 2006 00:00:51 +0100

On Tue 2006-03-07 at 13:56 +0100, Werner.Rost@zf.com wrote:

> Now I have to check whether a user is a member of the group
> internetaccess. The script above does not recognize that jim is
> a member of the group internetaccess (because he is a member of a
> subgroup).
>
> How can I do this?

Good question. LDAP isn't really designed for this even if technically
allowed. But I guess one could write a program walking the hierarchy of
groups looking for the user, or alternatively querying for all groups
the user is a member of and then query recursively for the parent groups
of these until you find the group(s) you are looking for, while at the
same time watching out for recursive references (group a member of b
and group b member of a). Most likely the second approach is more
efficient.

Or you could rely on extensions specific to the type of LDAP server you
use, as most LDAP servers have private support for nested groups (but
each doing it differently). OpenLDAP however does not have any native
support for nested groups.

Regards
Henrik

Received on Tue Mar 07 2006 - 16:01:10 MST
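
Added example, not part of the original message or of Squid's own code: a sketch of the second approach described above (start from the user, query for parent groups, repeat upward) with a guard against groups that contain each other. The DNs, the in-memory `DIRECTORY`, and the function names are constructed; `groups_containing` stands in for one LDAP search with a filter such as `(member=<dn>)`, and the membership attribute depends on the schema in use.

```python
from collections import deque

BASE = "ou=groups,dc=example,dc=com"  # constructed DNs throughout
INTERNET = "cn=internetaccess," + BASE
STAFF = "cn=staff," + BASE
LOOP_A = "cn=loopa," + BASE
LOOP_B = "cn=loopb," + BASE
JIM = "uid=jim,ou=people,dc=example,dc=com"
BOB = "uid=bob,ou=people,dc=example,dc=com"

# Constructed directory: group DN -> values of its member attribute.
# LOOP_A and LOOP_B are members of each other to exercise the loop guard.
DIRECTORY = {
    INTERNET: [STAFF],
    STAFF: [JIM],
    LOOP_A: [LOOP_B, BOB],
    LOOP_B: [LOOP_A],
}

def groups_containing(dn, directory=DIRECTORY):
    """Stand-in for one LDAP search: groups that list dn directly."""
    return [g for g, members in directory.items() if dn in members]

def is_nested_member(user_dn, target_dn, lookup=groups_containing,
                     max_groups=1000):
    """Walk upward from the user through parent groups, breadth first.

    DNs are compared as exact strings here. Returns False (deny) when the
    target is not reached or when more than max_groups groups are visited.
    """
    seen = set()                  # groups already queued for expansion
    queue = deque([user_dn])
    while queue:
        current = queue.popleft()
        for parent in lookup(current):
            if parent == target_dn:
                return True
            if parent in seen:
                continue          # a<->b loop or diamond: do not re-expand
            seen.add(parent)
            if len(seen) > max_groups:
                return False      # fail closed on an unexpectedly large walk
            queue.append(parent)
    return False
```

Each call to `lookup` corresponds to one directory query, so the cost grows with the number of distinct ancestor groups rather than with the size of the target group's subtree.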
