Anyways, it looks like the AD implementation will be
less efficient because you have to do multiple
queries (one per user) in order to get that actual
username versus the POSIX way of listing them in the
group object directly. I’'m not an LDAP wizard by any
means but is there a way to pull the sAMAccountName’'s
directly from the group object with a single query
(something like a join in relational DB’'s)? If not,
then we just have to take the performance hit and
hope its not too bad.
AFAIK, you can not do joins or sub-select type queries in LDAP. You would have to do multiple queries. As for the performance hit, I’‘m expecting JM to only update the group membership every X minutes and cache the results, so JM won’'t be pounding the LDAP server.
As far as the primary groups, yes, in AD, the user
object is not explicitly referenced in the group
object if it’‘s their primary group. I’'ve had that
bite me a few times in the past while writing some
admin scripts. Since it’'s only used in a windows
environment for POSIX applications, we just set
everyone to “Domain User” as their primary group. But
I guess you can’'t assume that everyone will be set up
that way. So that throws another wrench in the
works because we then have to do a subtree search for
every user whose primary group is the one we’'re
interested in.
Great point. I wasn’'t aware of that functionality in AD. So basically to support a Posix-compatible schema, we would need to support a secondary group of queries to search all user objects to see if the group is their primary group. Assuming we could use the same query to find the group object that I posted earlier, how about these parameters: (1) attribute for group ID and (2) query to check for primary group of users. Posix example:
-
gidNumber
-
(&(objectClass=Person)(gidNumber=))
How’'s that sound?
Another thought occurred to me. What about nested
groups? How are those handled in POSIX versus AD? I
found this code to quickly test membership of a user
object in AD against a top-level group and it will
also search all nested groups as well.
While we don’'t necessarily need to test membership in
a group (unless we want another feature request to
replace the admin users hardcoded in the JM config
with an LDAP group), we need to get all members in a
group and I’'m assuming all nested groups as well.
Doing this efficiently is not trivial from what I can
tell.
My work on doing nested groups was in Perl and I just
kept a cache of the groups as I went as well as some
rudimentary recursion checking to make sure we don’'t
end up in a loop (nested group having a higher-level
group nested in itself causing an infinite loop).
Hmm…we don’'t use nested groups here. Once basic group support is added, we could wait for someone to complain about nested groups.
Message was edited by:
hrothgar
Fixed an important typo; it’'s in bold.