Menu
▾
▴
perl-ldap-dev
|
From: Lambright, L. (N-Averstar) <lin...@lm...> - 2000-12-14 03:20:28
|
Do you know where I can get a really good explaination of organizational units and how they work. I'm trying to write a set of scripts that will allow certain users administrator rights over their own groups but not over anyone else's groups. In order to do this I have created a set of organizational units each with groups and subgroups inside of them. All users are then created in the People organizational unit and added as members to one or more groups inside other organizational units. I need to be able to list the users in each organizational unit and whether they are in an admin group in that unit. Then we give those admins rights to move users from group to group or to remove the user from their group or from their organizational unit without actually removing the person from the directory server or from other groups or other organizational units. These administrators also need to be able to make and remove groups in their organizational unit and add users to the directory server if the user does not already exist. The problems that we have run into are all with perl-ldap giving us information on organizational units and groups. Probably because we don't know how to ask correctly. Thank you for your help Linda > ---------- > From: Mark Wilcox[SMTP:mew...@un...] > Sent: Wednesday, December 13, 2000 6:15 PM > To: Lambright, Linda (N-Averstar) > Cc: per...@li... > Subject: Re: uid's associated with a particular orgranizational unit > > sounds like you've set your scope incorrectly. > $mesg = > $ldap->search( > base=> "ou=people,dc=acme,dc=com", > scope => "sub", > filter => "objectclass=person" > ); > should do it. > > Note that unless you've got a very small number of people, you'll need to > either > be binded as the directory super-user account or use a virtual list view > to see > all of them. > > Mark > > "Lambright, Linda (N-Averstar)" wrote: > > > I have created several users in the People organizational unit. I am > trying > > to find out how to get a list of all of those uid's. However if I ask > for > > ou=People all I get is the entry for the ou People. Can anyone help me > with > > this? Even when I use the server console to do the search it comes up > with > > no entries. However the ldif file clearly shows all of the users with > > ou=People. I guess I don't clealy understand the concept of the > > organizational unit object. > > > > Linda Lambright > |
|
From: Chris R. <chr...@me...> - 2000-12-14 13:37:08
|
"Lambright, Linda (N-Averstar)" <lin...@lm...> wrote:
> Do you know where I can get a really good explaination of organizational
> units and how they work.
Organizational units are simply entries in the directory with an object
class of "organizationalUnit" and usually named with the "ou" attribute
(aka "organizationalUnitName".)
These entries are normally used to represent departments in an
organization, and the reason they don't have an object class of
"department" is because the standards authors had to consider that
"department" has different connotations in some countries (like France),
and so opted for the somewhat hideous term "organizationalUnit". Sorry,
getting sidetracked there!
There are no real special kinds of entry in the directory. So
organizationalUnits work exactly the same way that, say domain entries
work, or locality entries work.
Some vendors cause problems (IMO) by calling organizationalUnits
"containers". This is misleading because the "has a" (ie "contains")
relationship in LDAP can mean either using an attribute of an entry (an
employee "has a" surname and telephone number and a manager), or that the
relationship is hierarchical, ie part of the structure of the directory
tree (a department has employees)
> I'm trying to write a set of scripts that will allow certain users
> administrator rights over their own groups
> but not over anyone else's groups. In order to do this I have created a
> set of organizational units each with groups and
> subgroups inside of them. All users are then created in the People
> organizational unit and added as members to one or more groups inside
> other organizational units. I need to be able to list the users in each
> organizational unit and whether they are in
> an admin group in that unit. Then we give those admins rights to move
> users from group to group or to remove the user
> from their group or from their organizational unit without actually
> removing the person from the directory server
> or from other groups or other organizational units. These administrators
> also need to be able to make and remove groups in
> their organizational unit and add users to the directory server if the
> user does not already exist. The problems that we
> have run into are all with perl-ldap giving us information on
> organizational units and groups. Probably because we don't
> know how to ask correctly.
In your case, your organizationalUnits "have" people in the hierarchical
sense, eg:
o=My Company
|
+----------+
| |
ou=People ...
|
+----+----+
| | |
cn=Jim ... cn=Ann
However group entries (groupOfNames objectclass) represent the "has a"
relationship using the member attribute.
Once you understand those two relationships, your script should be easier
to work out.
To find the people in the ou, search the ou subtree for the person entries,
like Mark suggested. You want to retrieve the "uid" attribute from each of
those entries.
To find the people in the group, read the member attribute from the group
entry. The attribute values will be distinguished names (DNs) of other
entries in the directory. Possibly the entries you read above!
> Thank you for your help
>
> Linda
>
>> ----------
>> From: Mark Wilcox[SMTP:mew...@un...]
>> Sent: Wednesday, December 13, 2000 6:15 PM
>> To: Lambright, Linda (N-Averstar)
>> Cc: per...@li...
>> Subject: Re: uid's associated with a particular orgranizational unit
>>
>> sounds like you've set your scope incorrectly.
>> $mesg =
>> $ldap->search(
>> base=> "ou=people,dc=acme,dc=com",
>> scope => "sub",
>> filter => "objectclass=person"
>> );
>> should do it.
>>
>> Note that unless you've got a very small number of people, you'll need to
>> either
>> be binded as the directory super-user account or use a virtual list view
>> to see
>> all of them.
>>
>> Mark
>>
>> "Lambright, Linda (N-Averstar)" wrote:
>>
>> > I have created several users in the People organizational unit. I am
>> trying
>> > to find out how to get a list of all of those uid's. However if I ask
>> for
>> > ou=People all I get is the entry for the ou People. Can anyone help me
>> with
>> > this? Even when I use the server console to do the search it comes up
>> with
>> > no entries. However the ldif file clearly shows all of the users with
>> > ou=People. I guess I don't clealy understand the concept of the
>> > organizational unit object.
>> >
>> > Linda Lambright
>>
Cheers,
Chris
|
|
From: Mark W. <mew...@un...> - 2000-12-14 20:06:55
|
I think the problem is that you're trying to treat LDAP as an RDBMS.
An OrganizationalUnit can be an entry (ie an entry of objectclass type
OrganizationalUnit) and an attribute (the ou attribute, available in the person
objectclass).
The organizationUnit objectclass is generally used to provide branches in your
tree. You should attempt to keep this as flat as possible to make it easier to
manage:
ie
dc=unt,dc=edu
ou=people ou=groups
Then if you want to use the organizationalUnit attribute to represent
departments people belong to, you simply put the correct values in each person's
ou attribute.
Now, the only other hierarchy you might do that uses OrganizationalUnit, the
objectclass, is to build an organizational white pages directory.
For example if you want to keep the name of each unit, their manager,
administrative assistant and contact information, you might decide to create a
new branch (ou=departments) that contains this information (though you'll need
to extend the schema so that you can add the necessary attributes to store this
information).
Groups.
If you are trying to use people's departments (ie the value of the ou attribute)
for access control you have 3 options.
1) you can simply define an application level policy that says to check the
user's ou attribute to determine their role
2) you can create a group for each department or committee or team or whatever
and populate it. Then see if a user's DN is found in the membership attribute of
the group
3)If you're using Netscape's directory server you can create a dynamic group(s),
who's membership is determined by the value of a particular attribute. Then see
if the user's would satisfy the search query.
I use all 3.
1 -- for mass groupings (ie , only students can see this site, or only faculty).
2 -- only Vice Presidents can send out a bulk-email message to all students
3 -- I use dynamic groups to maintain course rosters (because they change a lot
and some of them are quite large -- several hundred, it makes maintainence
easier because the membership changes when we update the student's entry)
BTW I have an article on groups and Net::LDAP at www.webtechniques.com. Search
for wilcox or LDAP and it will turn up.
Mark
"Lambright, Linda (N-Averstar)" wrote:
> Do you know where I can get a really good explaination of organizational
> units and how they work.
> I'm trying to write a set of scripts that will allow certain users
> administrator rights over their own groups
> but not over anyone else's groups. In order to do this I have created a set
> of organizational units each with groups and
> subgroups inside of them. All users are then created in the People
> organizational unit and added as members to one or more groups inside other
> organizational units. I need to be able to list the users in each
> organizational unit and whether they are in
> an admin group in that unit. Then we give those admins rights to move users
> from group to group or to remove the user
> from their group or from their organizational unit without actually removing
> the person from the directory server
> or from other groups or other organizational units. These administrators
> also need to be able to make and remove groups in
> their organizational unit and add users to the directory server if the user
> does not already exist. The problems that we
> have run into are all with perl-ldap giving us information on organizational
> units and groups. Probably because we don't
> know how to ask correctly.
>
> Thank you for your help
>
> Linda
>
> > ----------
> > From: Mark Wilcox[SMTP:mew...@un...]
> > Sent: Wednesday, December 13, 2000 6:15 PM
> > To: Lambright, Linda (N-Averstar)
> > Cc: per...@li...
> > Subject: Re: uid's associated with a particular orgranizational unit
> >
> > sounds like you've set your scope incorrectly.
> > $mesg =
> > $ldap->search(
> > base=> "ou=people,dc=acme,dc=com",
> > scope => "sub",
> > filter => "objectclass=person"
> > );
> > should do it.
> >
> > Note that unless you've got a very small number of people, you'll need to
> > either
> > be binded as the directory super-user account or use a virtual list view
> > to see
> > all of them.
> >
> > Mark
> >
> > "Lambright, Linda (N-Averstar)" wrote:
> >
> > > I have created several users in the People organizational unit. I am
> > trying
> > > to find out how to get a list of all of those uid's. However if I ask
> > for
> > > ou=People all I get is the entry for the ou People. Can anyone help me
> > with
> > > this? Even when I use the server console to do the search it comes up
> > with
> > > no entries. However the ldif file clearly shows all of the users with
> > > ou=People. I guess I don't clealy understand the concept of the
> > > organizational unit object.
> > >
> > > Linda Lambright
> >
|
|
From: Chris R. <chr...@me...> - 2000-12-15 09:49:28
|
Mark Wilcox <mew...@un...> wrote: > I think the problem is that you're trying to treat LDAP as an RDBMS. > > An OrganizationalUnit can be an entry (ie an entry of objectclass type > OrganizationalUnit) and an attribute (the ou attribute, available in the > person objectclass). Actually ou is not an attribute of the person object class, it is an attribute of the organizationalPerson object class. Cheers, Chris |
|
From: Jim H. <ha...@us...> - 2000-12-15 14:49:05
|
Is there a standard attribute for course enrollment. I want to start populating that in our directory soon. --Jim Harle On Thu, 14 Dec 2000, Mark Wilcox wrote: ... > 3 -- I use dynamic groups to maintain course rosters (because they change a lot > and some of them are quite large -- several hundred, it makes maintainence > easier because the membership changes when we update the student's entry) |
|
From: Mark W. <mew...@un...> - 2000-12-15 16:26:30
|
Yes and no. Educause (it's a consortium of educational IT professionals) have developed a Eduperson schema at http://www.educause.edu/eduperson/ It's now in draft 1.0 stage (don't know much beyond that since I'm not a member). At UNT I'm using Netscape dynamic groups for class rosters (owners are instructors), plus I keep the DN to these groups in the student's entries so that I can easily see what classes they're enrolled in when I retrieve their entry (I put the registrar's course ID as the RDN for the course). Mark Jim Harle wrote: > Is there a standard attribute for course enrollment. I want to start > populating that in our directory soon. > --Jim Harle > > On Thu, 14 Dec 2000, Mark Wilcox wrote: > ... > > 3 -- I use dynamic groups to maintain course rosters (because they change a lot > > and some of them are quite large -- several hundred, it makes maintainence > > easier because the membership changes when we update the student's entry) |
|
From: Daryl C. <da...@at...> - 2000-12-14 23:17:15
|
Mark, >I use all 3. >1 -- for mass groupings (ie , only students can see this site, or only faculty). So your students are entries of ou=People and have attribute ou=student. What are you trading off in comparison to a student dn of dn: uid=joestudent,ou=Student,ou=People,dc=unt,dc=edu ? -- Daryl Campbell The magician tried to blame it on the rabbit, Athabasca University pulled her out of the hat couldn't make her disappear (780) 675 6379 ...never more blind than when looking at ourselves daryl@N.O.spam.athabascau.ca Bob Kemmis, Kemmisutra |
|
From: Tom J. <tj...@do...> - 2000-12-15 01:36:08
|
You're trading off flexibility for one, ability to respond to change for another... Suppose said student is also an employee. Do you create a duplicate entry under ou=staff? Do you trust your vendor's implementation of aliases (or your clients' ability to interpret aliases)? What if you issued the user a certificate with a subject under the ou=students OU? If the person changes roles, do you need to invalidate the cert and issue a new one just because they changed roles? Basing a tree structure on roles seems like a mistake to me, as it seems that people will always occupy multiple roles and LDAP/X.500 have always been bad at dealing with multiple inheritances. --Tom On Thu, 14 Dec 2000, Daryl Campbell wrote: > > Mark, > > >I use all 3. > >1 -- for mass groupings (ie , only students can see this site, or only faculty). > > So your students are entries of ou=People and have attribute ou=student. > > What are you trading off in comparison to a student dn of > > dn: uid=joestudent,ou=Student,ou=People,dc=unt,dc=edu > > ? > > -- > Daryl Campbell The magician tried to blame it on the rabbit, > Athabasca University pulled her out of the hat couldn't make her disappear > (780) 675 6379 ...never more blind than when looking at ourselves > daryl@N.O.spam.athabascau.ca Bob Kemmis, Kemmisutra > |
×
Want the latest updates on software, tech news, and AI?
Get latest updates about software, tech news, and AI from SourceForge directly in your inbox once a month.
Thanks for helping keep SourceForge clean.
X