Practices in Directory Groups http://middleware.internet2.edu/dir/groups/docs/internet2-mace-dir-groups-best-practices-200210.htm

If you use JNDI, another option is to use object and/or state factories to translate between directory entries for groups and the Java objects that represent groups. Learn more about these (widely unknown) JNDI features here:

http://java.sun.com/products/jndi/tutorial/objects/factory/index.html
http://java.sun.com/products/jndi/tutorial/objects/state/index.html

The LDAP Booster Pack for JNDI already provides object and state factories for RFC-style groups. They may help (I am not certain, because I do not know your requirements in detail – for instance they do not work with Active Directory, AFAIK). You can download these classes here:

http://java.sun.com/products/jndi/

getAllStaticGroups()
{
 Search: your root naming context
 Scope: subtree
 Filter (one of the following, depending on the directory):
  (&(objectclass=groupofuniquenames))   // for any DS
  (&(objectclass=groupofnames))         // for any DS
  (&(objectclass=group))                // for Active Directory
}

getAllDynamicGroups()
{
 Search: your root naming context
 Scope: subtree
 Filter: (&(objectclass=groupOfURLs))
}

isMemberOfStaticGroup(groupname,userdn)
{
 Search: your root naming context
 Scope: subtree
 Filter (one of the following, depending on the directory; groupname and userdn are the caller's values):
  (&(objectclass=groupofuniquenames)(cn=groupname)(uniquemember=userdn))   // for any DS
  (&(objectclass=groupofnames)(cn=groupname)(member=userdn))               // for any DS
  (&(objectclass=group)(cn=groupname)(member=userdn))                      // for Active Directory
}

isMemberOfDynamicGroup(groupname,userdn)
{
 Step 1: Search: your root naming context
  Scope: subtree
  Filter: (&(objectclass=groupOfURLs)(cn=groupname))
 Step 2: evaluate the group's 'memberURL' attribute (an LDAP URL giving base DN, scope and filter) to check whether the user's entry is in the group
}
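The searches above interpolate groupname and userdn into filters and, for dynamic groups, require the memberURL LDAP URL to be evaluated against the user. The following is an added Python example (not from the page or the LDAP Booster Pack) that escapes the caller-supplied values per RFC 4515 before building the three static-group filters, and turns a memberURL into the base-scoped search that decides dynamic membership; the DN comparison is a simplified string match rather than full RFC 4517 matching, and the sample DNs and URLs are constructed.

```python
import re
from urllib.parse import unquote

def escape_filter_value(value: str) -> str:
    """Escape a value interpolated into an LDAP search filter (RFC 4515),
    so a groupname like 'admins)(cn=*' cannot change the filter's structure."""
    return "".join("\\%02x" % ord(c) if c in "\\*()\0" else c for c in value)

def static_group_member_filters(groupname: str, userdn: str) -> list:
    """The three static-group membership filters from the page, with both
    caller-supplied values escaped before they are interpolated."""
    g, u = escape_filter_value(groupname), escape_filter_value(userdn)
    return [
        f"(&(objectClass=groupOfUniqueNames)(cn={g})(uniqueMember={u}))",  # any DS
        f"(&(objectClass=groupOfNames)(cn={g})(member={u}))",              # any DS
        f"(&(objectClass=group)(cn={g})(member={u}))",                     # Active Directory
    ]

def _rdns(dn: str) -> list:
    """Split a DN into RDNs on unescaped commas (simplified: lower-cased, trimmed)."""
    return [p.strip().lower() for p in re.split(r"(?<!\\),", dn)] if dn else []

def parse_member_url(url: str) -> dict:
    """Parse an RFC 4516 LDAP URL (the memberURL value of a groupOfURLs entry)
    into base DN, scope and filter, applying the RFC's defaults for absent parts."""
    m = re.match(r"^ldap://[^/]*/(.*)$", url, re.I)
    if not m:
        raise ValueError("not an LDAP URL: " + url)
    # Fields are base?attributes?scope?filter; '?' inside a field must be %-encoded.
    base, _attrs, scope, flt = [unquote(x) for x in (m.group(1).split("?") + [""] * 4)[:4]]
    return {"base": base, "scope": (scope or "base").lower(),
            "filter": flt or "(objectClass=*)"}

def dynamic_membership_search(userdn: str, member_url: str):
    """Step 2 of isMemberOfDynamicGroup: return the (base, scope, filter) search
    that decides whether userdn satisfies the group's memberURL, or None when
    userdn lies outside the URL's base/scope and so cannot be a member."""
    u = parse_member_url(member_url)
    user, base = _rdns(userdn), _rdns(u["base"])
    if base and user[-len(base):] != base:
        return None
    depth = len(user) - len(base)
    if (u["scope"] == "base" and depth != 0) or (u["scope"] == "one" and depth != 1):
        return None
    # Base-scoped search on the user's own entry with the URL's filter:
    # exactly one result means the entry matches, i.e. the user is a member.
    return (userdn, "base", u["filter"])
```

Run the returned search against the directory (in JNDI, `DirContext.search` with `SearchControls.OBJECT_SCOPE`); a non-empty result confirms dynamic membership.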