Thank you Stefan,
I will try out the 1.1 for returnedAttributes.

Regarding the user-group membership, with "member" set on the group entries
as you advised, what would be the easiest means to find "all groups a user
belongs to"?
The Atn provider I am trying to write a test for has group filtering
support that currently relies on an attribute being set on the user entry
that maps to a group it is part of. This attribute by default is
"memberOf". Should the provider code be changed to find groups the other
way?

Thanks
Naveen



On Thu, Oct 22, 2015 at 2:38 PM, Stefan Seelmann <m...@stefan-seelmann.de>
wrote:

> On 10/22/2015 08:15 PM, Naveen Gangam wrote:
> > Hi Emmanuel,
> > Thanks for the info.
> >
> > I am not certain what the most reliable attribute name is across all
> > LDAP implementations but I thought it was "dn" until I saw some Active
> > Directory DITs where dn was not used at all. It was "distinguishedName"
> > instead.
> >
> > Hive's Atn provider performs ldap searches for groups/users based on
> > object class but only retrieves the "distinguishedName" from the
> > matching ldap
> > entries (to save bandwidth in retrieving all the attribute values for
> > matching ldap entries).
> >
> > But in your opinion, is attribute "dn" more of a standard?
>
> The "dn" is always the first line in an LDIF record, however it is not
> an attribute but it's the entry's name. If you only want to retrieve the
> dn of an entry without any attribute you can set the list of returned
> attributes to "1.1", then only the dn is retrieved. Don't deal with "dn"
> or "distinguishedName" attribute.
>
> > Also how do I define Groups and assign users to groups with ApacheDS?
> > memberOf does not seem to work.
> >
> >       "dn: cn=user2,ou=People,dc=example,dc=com",
> >       "objectClass: inetOrgPerson",
> >       "objectClass: person",
> >       "objectClass: top",
> >       "givenName: Test2",
> >       "cn: Test User2",
> >       "sn: user2",
> >       "uid: user2",
> >       "userPassword: user2",
> >       "memberOf: cn=group2,ou=groups,dc=example,dc=com"
>
> ApacheDS does not support memberOf attribute. You have to do it the
> other way around: Create a group object and add the user's dn as
> "member" there. Like this (untested):
>
>     dn: cn=group2,ou=groups,dc=example,dc=com
>     objectclass: groupOfNames
>     objectclass: top
>     cn: group2
>     member: cn=user2,ou=People,dc=example,dc=com
>
> Kind Regards,
> Stefan
>
>
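
The reverse lookup discussed in this thread (search the group entries for a "member" value equal to the user's dn, requesting "1.1" so only dns come back), as an added example that is not part of the original messages and not Hive's or ApacheDS's code. It is written in Python rather than the provider's Java so it runs offline. Assumptions: all function names are hypothetical, the group1/user1 entries are constructed, and a toy in-memory evaluator stands in for the directory server.

```python
import re

# Constructed sample entries, modelled on the LDIF quoted in this thread.
LDIF = """\
dn: cn=user2,ou=People,dc=example,dc=com
objectClass: inetOrgPerson
uid: user2

dn: cn=group1,ou=groups,dc=example,dc=com
objectClass: groupOfNames
member: cn=user1,ou=People,dc=example,dc=com

dn: cn=group2,ou=groups,dc=example,dc=com
objectClass: groupOfNames
member: cn=user1,ou=People,dc=example,dc=com
member: cn=user2,ou=People,dc=example,dc=com
"""

def parse_ldif(text):
    """Return [(dn, {attr: [values]})]; the dn names the entry, it is not an attribute."""
    entries = []
    for record in text.strip().split("\n\n"):
        pairs = [line.split(": ", 1) for line in record.splitlines()]
        attrs = {}
        for name, value in pairs[1:]:
            attrs.setdefault(name.lower(), []).append(value)
        entries.append((pairs[0][1], attrs))
    return entries

def escape_filter_value(value):
    """RFC 4515 escaping, so a DN or user name cannot change the filter's structure."""
    return "".join("\\%02x" % ord(c) if c in "\\*()\x00" else c for c in value)

def groups_filter(user_dn, group_class="groupOfNames", member_attr="member"):
    """Filter for 'all groups this DN is a member of' (the reverse of memberOf)."""
    return "(&(objectClass=%s)(%s=%s))" % (
        group_class, member_attr, escape_filter_value(user_dn))

def search(entries, ldap_filter, returned=("1.1",)):
    """Toy evaluator: AND of equality assertions, case-insensitive string compare."""
    wanted = [(a.lower(), re.sub(r"\\([0-9a-fA-F]{2})",
                                 lambda m: chr(int(m.group(1), 16)), v).lower())
              for a, v in re.findall(r"\(([^=()&]+)=([^()]*)\)", ldap_filter)]
    hits = [(dn, attrs) for dn, attrs in entries
            if all(v in [x.lower() for x in attrs.get(a, [])] for a, v in wanted)]
    if tuple(returned) == ("1.1",):      # "1.1" = no attributes, DNs only
        return [dn for dn, _ in hits]
    return [(dn, {a: attrs.get(a.lower(), []) for a in returned}) for dn, attrs in hits]

def groups_of(user_dn, entries=None):
    return search(entries or parse_ldif(LDIF), groups_filter(user_dn))
```

Against a real server the same filter string and the "1.1" attribute list go to the LDAP client's search call; the escaping step matters whenever the dn is derived from a login name supplied by the user.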
