Organising Groups while using LDAP

Tom_Chadwin · August 1, 2006, 8:24am

Hello all

I have an issue with LDAP integration. It seems to me that if I try to use our top-level AD group to display automatically in everyone’'s rosters, the rosters simply list the groups within that group as though they were Jabber contacts, rather than expanding the subgroups, and giving the members. Am I misunderstanding something about the way in which this should work?

Thanks

Tom

matt · August 1, 2006, 2:57pm

Tom,

BTW, I branched your message into a new thread since it’'s unrelated to the thread you posted in.

I’‘m not sure I understand exactly how this works. Do you have groups within groups? I’'d like to replicate this in my AD testing server. Also, are groups within groups common on other LDAP servers?

Regards,

Matt

Jason_Martin · August 2, 2006, 4:41pm

Matt,

I can’‘t speak for Tom, but thats exactly how I understood him. He has nested groups in his LDAP configuration. As for the roster problem, I have seen this when I have tested LDAP groups around version 2.4. I originally had an IMGroup which then had various groups as members. No one showed up in shared rosters. I had to add every user individually to IMGroup, but I haven’'t tested this recently.

Anyway, I beleive nested groups are a pretty common configuration as it would simplify changes. If someone changes departments, you would then have to change the department and groups and permissions change accordingly. Though it might be best to make it a choice to use subtree or flat configurations similar to the searchFilters feature added in 3.0.0.

Jay

Jay · August 2, 2006, 6:56pm

The Unix standard dosnt allow groups within groups. So anyone using LDAP for plain-unix (Linux, etc) wont have that. Nor will OS X.

petermurray · August 7, 2006, 9:22pm

You can have nested groups in OS X 10.4 server…

…am currently trying to get our test setup here to check against users within bunch of nested groups, without much luck I hasten to add.

matt · August 7, 2006, 10:21pm

If you mark any of the nested groups as “shared”, that works correctly, right? I think the main issue is when you have a setup such as:

Jive Software
   |- Sales
   |- Dev
   |- Support
   |- Marketing

And you want to mark the “Jive Software” group as shared and see all members.

-Matt

Tom_Chadwin · August 16, 2006, 3:41pm

Apologies. I forgot about this query. Yes, this is exactly what I am talking about. Our Active Directory structure has three directorate groups, in which are various team groups, in which are individual people. I was hoping just to be able to add the top-level groups, and see the nested groups added. But then, does Wildfire have the concept of nested contact groups?

I’‘m very surprised to hear that LDAP doesn’'t support groups within groups. How can one ever describe a complex corporate structure without this?

Thanks

Tom

matt · August 16, 2006, 7:45pm

Tom,

The current workaround would be to mark each of the sub-groups as shared groups. However, I think this is a good feature request, so I’'ve filed it as JM-806.

Regards,

Matt

Caleb_Anthony · August 17, 2006, 3:44am

This feature might fix my problem: http://www.jivesoftware.org/community/message.jspa?messageID=124207#124207

Tom_Chadwin · August 17, 2006, 9:27am

Many thanks, Matt. I’'ve worked around it by simply creating a Wildfire Group and adding that, but that means our organizational structure is not reflected in the roster, so again, thanks.

Tom