Managing Groups in LDAP
By Mark Wilcox
Not so long ago, Lightweight Directory Access Protocol (LDAP) was merely a nice idea; it has quickly developed into a widespread tool. Every major OS now has LDAP available for it, either natively (Novell NDS or Microsoft Active Directory) or via a third party (Netscape Directory Server or the OpenLDAP server).
Managing groups in LDAP is a frequent topic of consternation on LDAP newsgroups and mailing lists. Even the most current versions of popular LDAP clients (such as LDAP-aware address books) don't handle LDAP groups properly. An LDAP group is simply a collection of LDAP entries. Because an LDAP entry can represent any type of object, you can have groups that represent a collection of anything. Thus, you can have a group of people, a group of printers, a group of routers, a group of software applications, and so on.
In practical terms, groups are useful because they let you treat a collection of entries as one. For example, at the University of North Texas, where I work, we must often restrict Web-site access to students in a certain class. Instead of entering each student's user ID into my Web server's access control list (ACL), I can simply enter the name of an LDAP group that I have set up that contains all of the students in that class.
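The ACL use case above, as an added example that is not code from the article: a group entry in LDIF, a minimal parser for it, and the membership check a Web server would make against the group instead of a list of user IDs. It assumes the standard groupOfNames object class whose member values are DNs; the group, user names and function names are constructed for illustration.

```python
# Added example (not the article's code): the web ACL use case above,
# with a tiny LDIF parser and a group-membership check. Assumes the
# standard groupOfNames class whose 'member' values are DNs; the LDIF
# below is constructed sample data.
SAMPLE_LDIF = """\
dn: cn=csci1234-spring,ou=groups,o=example
objectClass: groupOfNames
cn: csci1234-spring
member: uid=alice,ou=people,o=example
member: uid=bob,ou=people,o=example

dn: uid=carol,ou=people,o=example
objectClass: inetOrgPerson
uid: carol
"""

def parse_ldif(text):
    """Return {dn: {attr: [values]}} for the entries in an LDIF string.
    Handles only 'attr: value' lines separated by blank lines (no
    base64 values, no line continuations). Keys are normalized DNs."""
    entries, current = {}, None
    for line in text.splitlines():
        if not line.strip():
            current = None
            continue
        attr, _, value = line.partition(": ")
        attr = attr.lower()
        if attr == "dn":
            current = entries.setdefault(normalize_dn(value), {})
        else:
            current.setdefault(attr, []).append(value)
    return entries

def normalize_dn(dn):
    """DNs are case-insensitive and may carry spaces after commas, so
    'UID=Alice, OU=People' must match 'uid=alice,ou=people'; without
    this step an ACL check silently denies a legitimate member.
    (Escaped commas inside a value are not handled here.)"""
    return ",".join(part.strip().lower() for part in dn.split(","))

def is_member(directory, group_dn, user_dn):
    """True if user_dn appears in the group's member attribute: the
    check a web server ACL makes instead of listing every student.
    Nested groups (a member that is itself a group) are not expanded."""
    group = directory.get(normalize_dn(group_dn), {})
    members = {normalize_dn(m) for m in group.get("member", [])}
    return normalize_dn(user_dn) in members
```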
While the concept is pretty easy to grasp, actually learning how to use LDAP groups in your applications can be more difficult.
Group Management
LDAP groups are tricky to use, particularly for the novice LDAP user, for many reasons.