On Thu, Sep 29, 2011 at 11:46 AM, Buchan Milne <[email protected]> wrote:
> On Thursday, 29 September 2011 02:26:07 [email protected] wrote:
>> I'm learning and testing different ways of configuring my LDAP to handle
>> multiple apps. I gave up on groupofnames because I couldn't get searches
>> to pull out the Users in a Group.
>
> Then it seems your applications are brain-dead.
>
> Almost all applications supporting LDAP authentication support LDAP
> authorization, with multiple models for retrieving group information and
> memberships. Most of them support all of the following:
> 1) groupOfNames-type groups
> 2) posixGroup-type groups
> 3) members indicated by memberOf attributes

We have applications that even use the position of an element within the DIT for Authorization (e.g. user X is in department Y, or reports to Z). We also use other attributes, like whether a user is external or internal. I mean, just in the regular schemas there are so many attributes! Any of these can be used for Authorization.

-- 
Alejandro Imass
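
The three membership models listed in the quoted reply and the DIT-position check mentioned in the message above, sketched as an added example that is not code from the thread or from any application discussed in it. The `example.com` tree, the `jdoe` user and the `app1-users` group are constructed sample values, and `split_dn` is a simplified DN splitter, not a full RFC 4514 parser.

```python
import re

def escape_filter_value(value: str) -> str:
    """Escape a value for an LDAP search filter (RFC 4515 special characters)."""
    return "".join("\\%02x" % ord(c) if c in "\\*()\x00" else c for c in value)

def membership_filters(user_dn: str, uid: str, group_dn: str) -> dict:
    """Filters an application could send for each group model in the thread."""
    dn, u, g = (escape_filter_value(v) for v in (user_dn, uid, group_dn))
    return {
        # 1) search group entries that list the user's DN
        "groupOfNames": f"(&(objectClass=groupOfNames)(member={dn}))",
        # 2) search group entries that list the user's login name
        "posixGroup": f"(&(objectClass=posixGroup)(memberUid={u}))",
        # 3) search the user entry itself for a back-reference to the group
        "memberOf": f"(&(uid={u})(memberOf={g}))",
    }

def split_dn(dn: str) -> list:
    """Split a DN into normalized RDNs.

    Simplification (assumption): splits on commas not preceded by a backslash
    and lowercases everything, which suits case-insensitive attributes such
    as uid, ou and dc but is not a full RFC 4514 parser.
    """
    return [rdn.strip().lower() for rdn in re.split(r"(?<!\\),", dn)]

def in_subtree(entry_dn: str, base_dn: str) -> bool:
    """DIT-position check: is entry_dn located strictly below base_dn?"""
    entry, base = split_dn(entry_dn), split_dn(base_dn)
    return len(entry) > len(base) and entry[-len(base):] == base

if __name__ == "__main__":
    # Constructed sample values, not taken from the thread.
    user = "uid=jdoe,ou=Sales,ou=People,dc=example,dc=com"
    group = "cn=app1-users,ou=Groups,dc=example,dc=com"
    for model, flt in membership_filters(user, "jdoe", group).items():
        print(f"{model:13} {flt}")
    print(in_subtree(user, "ou=Sales,ou=People,dc=example,dc=com"))
```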
