You are here

Home » API reference » Lightweight Directory Access Protocol (LDAP) 7

DeriveFromEntry.notes.txt in Lightweight Directory Access Protocol (LDAP) 7 

========================================
Derive From Entry Configuration Options:
========================================
0. Use Derive from Entry
Property: authorization.deriveFromEntry as boolean

1a. List of groups' ldap entry attribute values.  Can be cn, uid, dn etc. of the entry.   These entries contain multivalued attributes which are member users or nested groups.
Property:  authorization.deriveFromEntryEntries as array of ldap entry attributes
e.g.: array('cn=it,cn=groups,dc=ad,dc=myuniversity,dc=edu', 'cn=people,cn=groups,dc=ad,dc=myuniversity,dc=edu')
e.g.: array('it', 'people')

1b. Attribute who's value is contained in 1a.  This pair will be used to search from group entries.
Property:  authorization.deriveFromEntryEntriesAttr as LDAP attribute name
e.g. 'dn', 'cn', ...

2. Name of multivalued attribute whose value contains members.
Property:  authorization.deriveFromEntryMembershipAttr as LDAP attribute name
e.g.: 'uniquemember', 'member'

3. User's LDAP Entry Attribute which will be held in deriveFromEntryMembershipAttr
Property: authorization.deriveFromEntryAttrMatchingUserAttr as LDAP attribute name
e.g.: 'dn', 'cn'

4. Search all enabled LDAP servers for matching users
Property: authorization.deriveFromEntrySearchAll as boolean

5. Include nested groups.
Property: authorization.deriveFromEntryNested: boolean

6. Convert full dn to value of first attribute.
Property: authorization.deriveFromEntryUseFirstAttr: boolean

7. Class of entries that represent groupgs.
Property: server.groupObjectClass as LDAP attribute value held in objectClass.
e.g.: 'groupOfUniqueNames', 'group'


========================================
Derive From Entry walk-through NOT nested:
========================================

--- configuration ------
0. authorization.deriveFromEntry = 1
1. authorization.deriveFromEntryEntries = array('cn=it,cn=groups,dc=ad,dc=myuniversity,dc=edu', 'cn=people,cn=groups,dc=ad,dc=myuniversity,dc=edu')
1b. authorization.deriveFromEnryEntryAttribute' = 'distinguishedname'
2. authorization.deriveFromEntryMembershipAttr = 'uniquemember'
3. authorization.deriveFromEntryAttrMatchingUserAttr = 'dn'
4. authorization.deriveFromEntrySearchAll = 0
5. authorization.deriveFromEntryNested = 0
6. authorization.deriveFromEntryUseFirstAttr = 1
7. server.groupObjectClass = 'groupOfUniqueNames'

user ldap entry in question:
  'dn' => 'uid=joeprogrammer,ou=it,dc=ad,dc=myuniversity,dc=edu',
  'cn' => 'joeprogrammer',
  'uid' => 'joeprogrammer',
  'mail' => array( 0 => 'joeprogrammer@myuniversity.edu'),
  'uid' => array( 0 => 'joeprogrammer'),


--- walk-through ------
1). foreach base dn, execute the following query:

(&
(objectClass=groupOfUniqueNames)
(|(distinguishedname=cn=it,cn=groups,dc=ad,dc=myuniversity,dc=edu)(distinguishedname=people,cn=groups,dc=ad,dc=myuniversity,dc=edu))
(uniquemember=cn=joeprogrammer,ou=it,dc=ad,dc=myuniversity,dc=edu)
)

in psuedo code:
(&
(objectClass=[server.groupObjectClass])
(|([authorization.deriveFromEnryEntryAttribute]=[authorization.deriveFromEntryEntries[i]])...([authorization.deriveFromEnryEntryAttribute]=[authorization.deriveFromEntryEntries[n]]))
([authorization.deriveFromEntryMembershipAttr]=[user_ldap_entry[deriveFromEntryAttrMatchingUserAttr]])
)


2. All entries returned represent groups that user is a member of.
Their DNs are added to the list of authorizations or the first attribute value
if authorization.deriveFromEntryUseFirstAttr is true.


========================================
Derive From Entry walk-through NESTED:
========================================

--- configuration ------
0. authorization.deriveFromEntry = 1
1. authorization.deriveFromEntryEntries = array('cn=it,cn=groups,dc=ad,dc=myuniversity,dc=edu', 'cn=people,cn=groups,dc=ad,dc=myuniversity,dc=edu')
1b. authorization.deriveFromEnryEntryAttribute = 'distinguishedname'
2. authorization.deriveFromEntryMembershipAttr = 'uniquemember'
3. authorization.deriveFromEntryAttrMatchingUserAttr = 'dn'
4. authorization.deriveFromEntrySearchAll = 0
5. authorization.deriveFromEntryNested = 1
6. authorization.deriveFromEntryUseFirstAttr = 1
7. server.groupObjectClass = 'groupOfUniqueNames'

user ldap entry in question:
  'dn' => 'uid=joeprogrammer,ou=it,dc=ad,dc=myuniversity,dc=edu',
  'mail' => array( 0 => 'joeprogrammer@myuniversity.edu'),
  'uid' => array( 0 => 'joeprogrammer'),


--- walk-through ------
1). foreach base dn, execute the following query:

(&
(objectClass=groupOfUniqueNames)
(|(distinguishedname=cn=it,cn=groups,dc=ad,dc=myuniversity,dc=edu)(cn=people,cn=groups,dc=ad,dc=myuniversity,dc=edu))
)

in psuedo code:
(&
(objectClass=[server.groupObjectClass])
(|([authorization.deriveFromEnryEntryAttribute]=[authorization.deriveFromEntryEntries[i]])...([authorization.deriveFromEnryEntryAttribute]=[authorization.deriveFromEntryEntries[n]]))
)


2. All entries returned represent groups that user MIGHT be a member of.  examples:

  'dn' => 'cn=it,cn=groups,dc=ad,dc=myuniversity,dc=edu',
  'objectclass' => array( 0 => 'groupofuniquenames'),
  'uniquemember' => array(
    0 => 'cn=developers,cn=groups,dc=ad,dc=myuniversity,dc=edu',
    1 => 'cn=sysadmins,cn=groups,dc=ad,dc=myuniversity,dc=edu',
    2 => 'uid=joeprojectmanager,ou=it,dc=ad,dc=myuniversity,dc=edu',
  ),

  'dn' => 'cn=people,cn=groups,dc=ad,dc=myuniversity,dc=edu',
  'objectclass' => array( 0 => 'groupofuniquenames'),
  'uniquemember' => array(
     0 => 'cn=students,cn=groups,dc=ad,dc=myuniversity,dc=edu',
     1 => 'cn=staff,cn=groups,dc=ad,dc=myuniversity,dc=edu',
  ),




3. foreach returned entry from query 1. (authorization.deriveFromEntryEntries):

  if 'uniquemember' contains a value matching 'uid=joeprogrammer,ou=it,dc=ad,dc=myuniversity,dc=edu', add that entry's DN to authorizations
  in psuedo code: if group[authorization.deriveFromEntryMembershipAttr] contains user[authorization.deriveFromEntryAttrMatchingUserAttr],
  add corresponding authorization.deriveFromEntryEntries entry to authorizations


  else recurse through uniquemembers.  if user's entry is found, add corresponding
  authorization.deriveFromEntryEntries entry to authorizations
  (not the DN that has the user in uniquemembers)


4A.  recursion:

In the above example the first recursion query looks like:
(&
  (objectClass=groupofuniquenames)
  (|
    (distinguishedname=cn=developers,cn=groups,dc=ad,dc=myuniversity,dc=edu)
    (distinguishedname=cn=sysadmins,cn=groups,dc=ad,dc=myuniversity,dc=eduu)
    (distinguishedname=uid=joeprojectmanager,ou=it,dc=ad,dc=myuniversity,dc=edu)
  )
)

which might return:

    'dn' => 'cn=developers,cn=groups,dc=ad,dc=myuniversity,dc=edu',
    'objectclass' => array( 0 => 'groupofuniquenames'),
    'uniquemember' => array(
      0 => 'uid=joeprogrammer,ou=it,dc=ad,dc=myuniversity,dc=edu',
    ),

    'dn' => 'cn=sysadmins,cn=groups,dc=ad,dc=myuniversity,dc=edu',
    'objectclass' => array( 0 => 'groupofuniquenames'),
    'uniquemember' => array(
      0 => 'uid=joeprogrammer,ou=it,dc=ad,dc=myuniversity,dc=edu',
      1 => 'cn=sysadmins,cn=groups,dc=ad,dc=myuniversity,dc=edu',
    ),

since uid=joeprogrammer,ou=it,dc=ad,dc=myuniversity,dc=edu is found in the first entry,
  cn=it,cn=groups,dc=ad,dc=myuniversity,dc=edu (the ancestor group) is added
  to the list of authorizations.
  Since authorization.deriveFromEntryUseFirstAttr = 1, its truncated to "it"


4B.  In the above example the second recursion query would look like:

(&
  (objectClass=groupofuniquenames)
  (|
    (distinguishedname=cn=students,cn=groups,dc=ad,dc=myuniversity,dc=edu)
    (distinguishedname=cn=staff,cn=groups,dc=ad,dc=myuniversity,dc=edu)
  )
)

which returns:

    'dn' => 'cn=staff,cn=groups,dc=ad,dc=myuniversity,dc=edu',
    'objectclass' => array( 0 => 'groupofuniquenames'),
    'uniquemember' => array(
      0 => 'cn=it,cn=groups,dc=ad,dc=myuniversity,dc=edu',
      1 => 'uid=unkool,ou=lost,dc=ad,dc=myuniversity,dc=edu',
    ),


    'dn' => 'cn=students,cn=groups,dc=ad,dc=myuniversity,dc=edu',
    'objectclass' => array( 0 => 'groupofuniquenames'),
    'uniquemember' => array(
      0 => 'uid=jdoe,ou=campus accounts,dc=ad,dc=myuniversity,dc=edu',
    ),

4C. leading to the queries:

(&
  (objectClass=groupofuniquenames)
  (|
    (distinguishedname=uid=jdoe,ou=campus accounts,dc=ad,dc=myuniversity,dc=edu)
  )
)
...which returns no entries

and
4D.
(&
  (objectClass=groupofuniquenames)
  (|
    (distinguishedname=cn=it,cn=groups,dc=ad,dc=myuniversity,dc=edu)
    (distinguishedname=uid=unkool,ou=lost,dc=ad,dc=myuniversity,dc=edu)
  )
)

which returns:

  'dn' => 'cn=it,cn=groups,dc=ad,dc=myuniversity,dc=edu',
  'objectclass' => array( 0 => 'groupofuniquenames'),
  'uniquemember' => array(

    0 => 'cn=developers,cn=groups,dc=ad,dc=myuniversity,dc=edu',
    1 => 'cn=sysadmins,cn=groups,dc=ad,dc=myuniversity,dc=edu',
    2 => 'uid=joeprojectmanager,ou=it,dc=ad,dc=myuniversity,dc=edu',
  ),

4E. leading to the query:

  (&
    (objectClass=groupofuniquenames)
    (|
      (distinguishedname=cn=developers,cn=groups,dc=ad,dc=myuniversity,dc=edu)
      (distinguishedname=cn=sysadmins,cn=groups,dc=ad,dc=myuniversity,dc=edu)
      (distinguishedname=uid=joeprojectmanager,ou=it,dc=ad,dc=myuniversity,dc=edu)
    )
  )

which returns:

  'dn' => 'cn=developers,cn=groups,dc=ad,dc=myuniversity,dc=edu',
  'objectclass' => array( 0 => 'groupofuniquenames'),
  'uniquemember' => array(
    0 => 'uid=joeprogrammer,ou=it,dc=ad,dc=myuniversity,dc=edu',
  ),

  'dn' => 'cn=sysadmins,cn=groups,dc=ad,dc=myuniversity,dc=edu',
  'objectclass' => array( 0 => 'groupofuniquenames'),
  'uniquemember' => array(
    0 => 'uid=joeprogrammer,ou=it,dc=ad,dc=myuniversity,dc=edu',
    1 => 'cn=sysadmins,cn=groups,dc=ad,dc=myuniversity,dc=edu',
  ),

since uid=joeprogrammer,ou=it,dc=ad,dc=myuniversity,dc=edu is found in the first entry,
cn=people,cn=groups,dc=ad,dc=myuniversity,dc=edu (the ancestor group)
is added to the list of authorizations.
Since authorization.deriveFromEntryUseFirstAttr = 1, its truncated to "people"


==================================================================

File

ldap_authorization/tests/DeriveFromEntry/DeriveFromEntry.notes.txt
View source 
  1. 

  2. ========================================

  3. Derive From Entry Configuration Options:

  4. ========================================

  5. 0. Use Derive from Entry

  6. Property: authorization.deriveFromEntry as boolean

  7. 

  8. 1a. List of groups' ldap entry attribute values.  Can be cn, uid, dn etc. of the entry.   These entries contain multivalued attributes which are member users or nested groups.

  9. Property:  authorization.deriveFromEntryEntries as array of ldap entry attributes

  10. e.g.: array('cn=it,cn=groups,dc=ad,dc=myuniversity,dc=edu', 'cn=people,cn=groups,dc=ad,dc=myuniversity,dc=edu')

  11. e.g.: array('it', 'people')

  12. 

  13. 1b. Attribute who's value is contained in 1a.  This pair will be used to search from group entries.

  14. Property:  authorization.deriveFromEntryEntriesAttr as LDAP attribute name

  15. e.g. 'dn', 'cn', ...

  16. 

  17. 2. Name of multivalued attribute whose value contains members.

  18. Property:  authorization.deriveFromEntryMembershipAttr as LDAP attribute name

  19. e.g.: 'uniquemember', 'member'

  20. 

  21. 3. User's LDAP Entry Attribute which will be held in deriveFromEntryMembershipAttr

  22. Property: authorization.deriveFromEntryAttrMatchingUserAttr as LDAP attribute name

  23. e.g.: 'dn', 'cn'

  24. 

  25. 4. Search all enabled LDAP servers for matching users

  26. Property: authorization.deriveFromEntrySearchAll as boolean

  27. 

  28. 5. Include nested groups.

  29. Property: authorization.deriveFromEntryNested: boolean

  30. 

  31. 6. Convert full dn to value of first attribute.

  32. Property: authorization.deriveFromEntryUseFirstAttr: boolean

  33. 

  34. 7. Class of entries that represent groupgs.

  35. Property: server.groupObjectClass as LDAP attribute value held in objectClass.

  36. e.g.: 'groupOfUniqueNames', 'group'

  37. 

  38. 

  39. ========================================

  40. Derive From Entry walk-through NOT nested:

  41. ========================================

  42. 

  43. --- configuration ------

  44. 0. authorization.deriveFromEntry = 1

  45. 1. authorization.deriveFromEntryEntries = array('cn=it,cn=groups,dc=ad,dc=myuniversity,dc=edu', 'cn=people,cn=groups,dc=ad,dc=myuniversity,dc=edu')

  46. 1b. authorization.deriveFromEnryEntryAttribute' = 'distinguishedname'

  47. 2. authorization.deriveFromEntryMembershipAttr = 'uniquemember'

  48. 3. authorization.deriveFromEntryAttrMatchingUserAttr = 'dn'

  49. 4. authorization.deriveFromEntrySearchAll = 0

  50. 5. authorization.deriveFromEntryNested = 0

  51. 6. authorization.deriveFromEntryUseFirstAttr = 1

  52. 7. server.groupObjectClass = 'groupOfUniqueNames'

  53. 

  54. user ldap entry in question:

  55.   'dn' => 'uid=joeprogrammer,ou=it,dc=ad,dc=myuniversity,dc=edu',

  56.   'cn' => 'joeprogrammer',

  57.   'uid' => 'joeprogrammer',

  58.   'mail' => array( 0 => 'joeprogrammer@myuniversity.edu'),

  59.   'uid' => array( 0 => 'joeprogrammer'),

  60. 

  61. 

  62. --- walk-through ------

  63. 1). foreach base dn, execute the following query:

  64. 

  65. (&

  66. (objectClass=groupOfUniqueNames)

  67. (|(distinguishedname=cn=it,cn=groups,dc=ad,dc=myuniversity,dc=edu)(distinguishedname=people,cn=groups,dc=ad,dc=myuniversity,dc=edu))

  68. (uniquemember=cn=joeprogrammer,ou=it,dc=ad,dc=myuniversity,dc=edu)

  69. )

  70. 

  71. in psuedo code:

  72. (&

  73. (objectClass=[server.groupObjectClass])

  74. (|([authorization.deriveFromEnryEntryAttribute]=[authorization.deriveFromEntryEntries[i]])...([authorization.deriveFromEnryEntryAttribute]=[authorization.deriveFromEntryEntries[n]]))

  75. ([authorization.deriveFromEntryMembershipAttr]=[user_ldap_entry[deriveFromEntryAttrMatchingUserAttr]])

  76. )

  77. 

  78. 

  79. 2. All entries returned represent groups that user is a member of.

  80. Their DNs are added to the list of authorizations or the first attribute value

  81. if authorization.deriveFromEntryUseFirstAttr is true.

  82. 

  83. 

  84. ========================================

  85. Derive From Entry walk-through NESTED:

  86. ========================================

  87. 

  88. --- configuration ------

  89. 0. authorization.deriveFromEntry = 1

  90. 1. authorization.deriveFromEntryEntries = array('cn=it,cn=groups,dc=ad,dc=myuniversity,dc=edu', 'cn=people,cn=groups,dc=ad,dc=myuniversity,dc=edu')

  91. 1b. authorization.deriveFromEnryEntryAttribute = 'distinguishedname'

  92. 2. authorization.deriveFromEntryMembershipAttr = 'uniquemember'

  93. 3. authorization.deriveFromEntryAttrMatchingUserAttr = 'dn'

  94. 4. authorization.deriveFromEntrySearchAll = 0

  95. 5. authorization.deriveFromEntryNested = 1

  96. 6. authorization.deriveFromEntryUseFirstAttr = 1

  97. 7. server.groupObjectClass = 'groupOfUniqueNames'

  98. 

  99. user ldap entry in question:

  100.   'dn' => 'uid=joeprogrammer,ou=it,dc=ad,dc=myuniversity,dc=edu',

  101.   'mail' => array( 0 => 'joeprogrammer@myuniversity.edu'),

  102.   'uid' => array( 0 => 'joeprogrammer'),

  103. 

  104. 

  105. --- walk-through ------

  106. 1). foreach base dn, execute the following query:

  107. 

  108. (&

  109. (objectClass=groupOfUniqueNames)

  110. (|(distinguishedname=cn=it,cn=groups,dc=ad,dc=myuniversity,dc=edu)(cn=people,cn=groups,dc=ad,dc=myuniversity,dc=edu))

  111. )

  112. 

  113. in psuedo code:

  114. (&

  115. (objectClass=[server.groupObjectClass])

  116. (|([authorization.deriveFromEnryEntryAttribute]=[authorization.deriveFromEntryEntries[i]])...([authorization.deriveFromEnryEntryAttribute]=[authorization.deriveFromEntryEntries[n]]))

  117. )

  118. 

  119. 

  120. 2. All entries returned represent groups that user MIGHT be a member of.  examples:

  121. 

  122.   'dn' => 'cn=it,cn=groups,dc=ad,dc=myuniversity,dc=edu',

  123.   'objectclass' => array( 0 => 'groupofuniquenames'),

  124.   'uniquemember' => array(

  125.     0 => 'cn=developers,cn=groups,dc=ad,dc=myuniversity,dc=edu',

  126.     1 => 'cn=sysadmins,cn=groups,dc=ad,dc=myuniversity,dc=edu',

  127.     2 => 'uid=joeprojectmanager,ou=it,dc=ad,dc=myuniversity,dc=edu',

  128.   ),

  129. 

  130.   'dn' => 'cn=people,cn=groups,dc=ad,dc=myuniversity,dc=edu',

  131.   'objectclass' => array( 0 => 'groupofuniquenames'),

  132.   'uniquemember' => array(

  133.      0 => 'cn=students,cn=groups,dc=ad,dc=myuniversity,dc=edu',

  134.      1 => 'cn=staff,cn=groups,dc=ad,dc=myuniversity,dc=edu',

  135.   ),

  136. 

  137. 

  138. 

  139. 

  140. 3. foreach returned entry from query 1. (authorization.deriveFromEntryEntries):

  141. 

  142.   if 'uniquemember' contains a value matching 'uid=joeprogrammer,ou=it,dc=ad,dc=myuniversity,dc=edu', add that entry's DN to authorizations

  143.   in psuedo code: if group[authorization.deriveFromEntryMembershipAttr] contains user[authorization.deriveFromEntryAttrMatchingUserAttr],

  144.   add corresponding authorization.deriveFromEntryEntries entry to authorizations

  145. 

  146. 

  147.   else recurse through uniquemembers.  if user's entry is found, add corresponding

  148.   authorization.deriveFromEntryEntries entry to authorizations

  149.   (not the DN that has the user in uniquemembers)

  150. 

  151. 

  152. 4A.  recursion:

  153. 

  154. In the above example the first recursion query looks like:

  155. (&

  156.   (objectClass=groupofuniquenames)

  157.   (|

  158.     (distinguishedname=cn=developers,cn=groups,dc=ad,dc=myuniversity,dc=edu)

  159.     (distinguishedname=cn=sysadmins,cn=groups,dc=ad,dc=myuniversity,dc=eduu)

  160.     (distinguishedname=uid=joeprojectmanager,ou=it,dc=ad,dc=myuniversity,dc=edu)

  161.   )

  162. )

  163. 

  164. which might return:

  165. 

  166.     'dn' => 'cn=developers,cn=groups,dc=ad,dc=myuniversity,dc=edu',

  167.     'objectclass' => array( 0 => 'groupofuniquenames'),

  168.     'uniquemember' => array(

  169.       0 => 'uid=joeprogrammer,ou=it,dc=ad,dc=myuniversity,dc=edu',

  170.     ),

  171. 

  172.     'dn' => 'cn=sysadmins,cn=groups,dc=ad,dc=myuniversity,dc=edu',

  173.     'objectclass' => array( 0 => 'groupofuniquenames'),

  174.     'uniquemember' => array(

  175.       0 => 'uid=joeprogrammer,ou=it,dc=ad,dc=myuniversity,dc=edu',

  176.       1 => 'cn=sysadmins,cn=groups,dc=ad,dc=myuniversity,dc=edu',

  177.     ),

  178. 

  179. since uid=joeprogrammer,ou=it,dc=ad,dc=myuniversity,dc=edu is found in the first entry,

  180.   cn=it,cn=groups,dc=ad,dc=myuniversity,dc=edu (the ancestor group) is added

  181.   to the list of authorizations.

  182.   Since authorization.deriveFromEntryUseFirstAttr = 1, its truncated to "it"

  183. 

  184. 

  185. 4B.  In the above example the second recursion query would look like:

  186. 

  187. (&

  188.   (objectClass=groupofuniquenames)

  189.   (|

  190.     (distinguishedname=cn=students,cn=groups,dc=ad,dc=myuniversity,dc=edu)

  191.     (distinguishedname=cn=staff,cn=groups,dc=ad,dc=myuniversity,dc=edu)

  192.   )

  193. )

  194. 

  195. which returns:

  196. 

  197.     'dn' => 'cn=staff,cn=groups,dc=ad,dc=myuniversity,dc=edu',

  198.     'objectclass' => array( 0 => 'groupofuniquenames'),

  199.     'uniquemember' => array(

  200.       0 => 'cn=it,cn=groups,dc=ad,dc=myuniversity,dc=edu',

  201.       1 => 'uid=unkool,ou=lost,dc=ad,dc=myuniversity,dc=edu',

  202.     ),

  203. 

  204. 

  205.     'dn' => 'cn=students,cn=groups,dc=ad,dc=myuniversity,dc=edu',

  206.     'objectclass' => array( 0 => 'groupofuniquenames'),

  207.     'uniquemember' => array(

  208.       0 => 'uid=jdoe,ou=campus accounts,dc=ad,dc=myuniversity,dc=edu',

  209.     ),

  210. 

  211. 4C. leading to the queries:

  212. 

  213. (&

  214.   (objectClass=groupofuniquenames)

  215.   (|

  216.     (distinguishedname=uid=jdoe,ou=campus accounts,dc=ad,dc=myuniversity,dc=edu)

  217.   )

  218. )

  219. ...which returns no entries

  220. 

  221. and

  222. 4D.

  223. (&

  224.   (objectClass=groupofuniquenames)

  225.   (|

  226.     (distinguishedname=cn=it,cn=groups,dc=ad,dc=myuniversity,dc=edu)

  227.     (distinguishedname=uid=unkool,ou=lost,dc=ad,dc=myuniversity,dc=edu)

  228.   )

  229. )

  230. 

  231. which returns:

  232. 

  233.   'dn' => 'cn=it,cn=groups,dc=ad,dc=myuniversity,dc=edu',

  234.   'objectclass' => array( 0 => 'groupofuniquenames'),

  235.   'uniquemember' => array(

  236. 

  237.     0 => 'cn=developers,cn=groups,dc=ad,dc=myuniversity,dc=edu',

  238.     1 => 'cn=sysadmins,cn=groups,dc=ad,dc=myuniversity,dc=edu',

  239.     2 => 'uid=joeprojectmanager,ou=it,dc=ad,dc=myuniversity,dc=edu',

  240.   ),

  241. 

  242. 4E. leading to the query:

  243. 

  244.   (&

  245.     (objectClass=groupofuniquenames)

  246.     (|

  247.       (distinguishedname=cn=developers,cn=groups,dc=ad,dc=myuniversity,dc=edu)

  248.       (distinguishedname=cn=sysadmins,cn=groups,dc=ad,dc=myuniversity,dc=edu)

  249.       (distinguishedname=uid=joeprojectmanager,ou=it,dc=ad,dc=myuniversity,dc=edu)

  250.     )

  251.   )

  252. 

  253. which returns:

  254. 

  255.   'dn' => 'cn=developers,cn=groups,dc=ad,dc=myuniversity,dc=edu',

  256.   'objectclass' => array( 0 => 'groupofuniquenames'),

  257.   'uniquemember' => array(

  258.     0 => 'uid=joeprogrammer,ou=it,dc=ad,dc=myuniversity,dc=edu',

  259.   ),

  260. 

  261.   'dn' => 'cn=sysadmins,cn=groups,dc=ad,dc=myuniversity,dc=edu',

  262.   'objectclass' => array( 0 => 'groupofuniquenames'),

  263.   'uniquemember' => array(

  264.     0 => 'uid=joeprogrammer,ou=it,dc=ad,dc=myuniversity,dc=edu',

  265.     1 => 'cn=sysadmins,cn=groups,dc=ad,dc=myuniversity,dc=edu',

  266.   ),

  267. 

  268. since uid=joeprogrammer,ou=it,dc=ad,dc=myuniversity,dc=edu is found in the first entry,

  269. cn=people,cn=groups,dc=ad,dc=myuniversity,dc=edu (the ancestor group)

  270. is added to the list of authorizations.

  271. Since authorization.deriveFromEntryUseFirstAttr = 1, its truncated to "people"

  272. 

  273. 

  274. ==================================================================