aproppon wrote:
> I'm making an application where a user's group can be changed by an admin.
> A user can have a membership in only one group.
This is not a condition LDAP by itself will help you enforce, unless memberships are recorded with the user in a single-valued attribute, which would be unusual.
> Adding users to groups is easy with a kind of solution from
> addUserToGroup.java, but changing a user's group membership is a bit harder.
> I know that using REPLACE ruins all in group modification, so I need to
> first find the group uniqueMember and securityEquals attributes and modify
> them with removeValue(userdn_which_may_be_in_the_group_allready).
> Am I correct or is there an easier way?
I'm not positive I understand. If you can bring the current members into memory and then add your additional member dn, using replace with the resulting new set of values should work fine. Note LDAP does support add operations, too.
> Also, I'd like to know what's the correct objectclass for a group
> (groupOfName or groupOfUniqueName or some other)?
I believe groupOfNames is preferred because it uses more conventional attribute syntax.
> I need this when searching those group attributes?
Not necessarily. Filtering on objectclass is necessary only when entries of different classes are in the same search scope. However, assuming objectclass is indexed, it doesn't hurt.
Jon Roberts
www.mentata.com
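
An added example, not part of the original post or of addUserToGroup.java: since LDAP itself will not enforce one group per user, the application can plan per-value delete and add modifications so that other members are never rewritten. It uses the JDK's JNDI classes (an assumption; the thread does not say which API is in use), and the class name, the `plan` helper and the sample DNs are hypothetical.

```java
import java.util.*;
import javax.naming.InvalidNameException;
import javax.naming.directory.*;
import javax.naming.ldap.LdapName;

public class MoveUserToGroup {
    /** Hypothetical helper. groups: group DN -> member DNs already read from the directory. */
    static Map<String, ModificationItem> plan(Map<String, Set<String>> groups, String attr,
                                              String userDn, String targetDn)
            throws InvalidNameException {
        LdapName user = new LdapName(userDn), target = new LdapName(targetDn);
        Map<String, ModificationItem> mods = new LinkedHashMap<>();
        boolean alreadyInTarget = false;
        for (Map.Entry<String, Set<String>> g : groups.entrySet()) {
            boolean isTarget = new LdapName(g.getKey()).equals(target);
            for (String member : g.getValue()) {
                // LdapName.equals ignores case and spacing differences between DNs.
                if (!new LdapName(member).equals(user)) continue;
                if (isTarget) {
                    alreadyInTarget = true;
                } else {
                    // Delete only this one value; the other members are not touched.
                    mods.put(g.getKey(), new ModificationItem(
                        DirContext.REMOVE_ATTRIBUTE, new BasicAttribute(attr, member)));
                }
            }
        }
        // Removals come first: if a later step fails, the user holds no group
        // rather than two, because changes to separate entries are not atomic.
        if (!alreadyInTarget) {
            mods.put(targetDn, new ModificationItem(
                DirContext.ADD_ATTRIBUTE, new BasicAttribute(attr, userDn)));
        }
        return mods;
    }

    public static void main(String[] args) throws Exception {
        // Constructed sample data, not taken from any real directory.
        Map<String, Set<String>> groups = new LinkedHashMap<>();
        groups.put("cn=staff,ou=groups,o=example",
            new LinkedHashSet<>(List.of("cn=ann,o=example", "CN=Bob, O=Example")));
        groups.put("cn=admins,ou=groups,o=example",
            new LinkedHashSet<>(List.of("cn=carol,o=example")));
        plan(groups, "uniqueMember", "cn=bob,o=example", "cn=admins,ou=groups,o=example")
            .forEach((dn, m) -> System.out.println(dn + " <- " + m));
        // To apply against a server: ctx.modifyAttributes(dn, new ModificationItem[] { m });
    }
}
```

Pass `member` instead of `uniqueMember` as the attribute name when the groups are groupOfNames entries.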