LDAP: can an organizational unit be a member of a group?

I was just wondering, for an LDAP structure, would it be possible for a group to have an organizational unit as a member? Or am I pretty much guaranteed that anything under a group object will either be a user or another group?

Also are the following guaranteed?

1) The parent of a user is either a group or organizational unit
2) The parent of a group is either a group or organizational unit
3) The parent of an organizational unit is a organizational unit or the root

Thanks, I'm still pretty new to LDAP.

ldap

2012-04-04 18:02
by kennyg

Using the groupOfUniqueNames objectClass, the optional multi-valued attribute uniqueMember may be any valid distinguished name, including a distinguished name where the any or all of the RDN components are ou or organizationalUnit.

organizationalUnit is an object class that does not allow uniqueMember. groupOfUniqueNames allows (or in some cases requires) uniqueMember. There would be no point in having a groupOfUniqueNames without uniqueMember entries. To summarize: 1) uniqueMember is allowed in entries that have the groupOfUniqueNames objectClass 2) uniqueMember must have a value of distinguishedName, therefore, if ou is an RDN in a distinguished name, it can be used as a value for uniqueMember - Terry Gardner 2012-04-11 14:35

That makes things a bit clearer but you earlier said that not all implementations require uniqueMember. Should I just assume that a proper implementation would mean that an entry is a member of a group if and only if it is listed as a uniqueMember? Also, I'm still having trouble understanding how I would go about identifying the location of subfolders. Should I just look at the folder's parent DN to find it's parent folder - kennyg 2012-04-11 15:49

Nvm, I've decided to just explore the LDAP one level at a time - kennyg 2012-04-13 16:57

No, an OU cannot be member of an LDAP group
(at least not in Windows Active Directory, which is the LDAP implementation I know and I'm talking about here)

Organizational units are containers that can contain other objects - security principals like user and computer accounts as well as groups.

Containers also cannot have any permissions assigned to them - they're not security principals, you cannot grant an OU rights on a file or directory or anything like that.

Groups can contain security principals as their members - other groups, users, or computers - but not containers. It wouldn't make sense to include containers, anyway - since those aren't "security principals", e.g. they cannot have any permissions assigned to them, so adding them to a group doesn't make any logical sense, either.

This is quite different from other directory systems - like Novell's NDS / eDirectory - where organization and OU's do have permissions (although I can't recall whether you could add those objects to group's membership list)

Also, you need to keep apart containment (a group or user is always contained in exactly one container) and group membership (a user can be member of many groups, but he's not contained by those groups - just member of them) - which are two totally different concepts.

2012-04-04 19:19
by marc_s

Thanks, a lot of info here. Still got a bunch to learn - kennyg 2012-04-11 14:05

Not true, and I've done it myself. Open AD users & computers console (dsa.msc). Select an OU on left side that has a sub-OU. Select a range of users and an OU in the right-hand pane. If the first item in the selected range is not an OU, you can use the Add To Group button in the toolbar. Both the group's member attribute and the OU's backlinked memberof attribute correctly populated - Chalky 2016-04-14 03:32

@Chalky it is just a glitch in the matrix.. I've meant UI. The members are not appears under "member" tab of the group - Pupsik 2018-09-16 08:00

LDAP: can an organizational unit be a member of a group?

see also