
Re: memberOf attribute



Adam Tauno Williams wrote:
> 
> >>>I think I've seen the "memberOf" attribute in both ADS and
> >>>iPlanet. It appears to be the converse of "member", and I believe it gets
> >>>updated when you add a member to a group.
> >>>Are there plans to add this sort of functionality into OpenLDAP?
> >>I don't think so. It seems that the philosophy of LDAP (and of
> >>OpenLDAP) is not to muck with data, that is the server will hold any
> >>information you send in, but it will not change it nor check its consistency
> >>besides syntax and schema.  What you're talking about should better
> >>be done by a wise client.
> >I would also not recommend implementing this at the client-side.
> >Changing group membership would require modifying two entries which
> >would have to be encapsulated in a transaction at the client's side.
> >Not to speak of concurrent access of misbehaving clients rewriting
> >old attributes and such.
> >Not sure how MS AD implements it. Probably not through LDAP I guess.
> 
> If you were using something like the back-sql module you could use the
> referential integrity (and triggers, etc...) of the database, yes?

Maybe.

But if you can make such strong assumptions (e.g. about the
DB-backend used) you might implement a correctly working solution at
the LDAP client's side more easily.

Ciao, Michael.
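
The thread's concern is that "member" and "memberOf" live in two entries and can drift apart when a client updates them non-atomically. The following is an added example, not part of the original messages or of OpenLDAP: a small audit that compares both directions over a directory snapshot. The snapshot contents, the names norm_dn and membership_drift, and the simplified DN normalisation are assumptions made for illustration.

```python
# Constructed sample snapshot (DN -> attributes); not data from the thread.
SNAPSHOT = {
    "cn=admins,ou=groups,dc=example,dc=com": {
        "member": ["uid=alice,ou=people,dc=example,dc=com",
                   "UID=bob, OU=people, DC=example, DC=com"],
    },
    "cn=staff,ou=groups,dc=example,dc=com": {
        "member": ["uid=alice,ou=people,dc=example,dc=com"],
    },
    "uid=alice,ou=people,dc=example,dc=com": {
        # The second write never happened: cn=staff is missing here.
        "memberOf": ["cn=admins,ou=groups,dc=example,dc=com"],
    },
    "uid=bob,ou=people,dc=example,dc=com": {
        # Stale value: no group entry lists bob as a member of cn=dbas.
        "memberOf": ["cn=admins,ou=groups,dc=example,dc=com",
                     "cn=dbas,ou=groups,dc=example,dc=com"],
    },
}


def norm_dn(dn):
    """Simplified DN normalisation (assumption): lowercase and trim
    whitespace around ',' and '='. Escaped commas and multi-valued
    RDNs are not handled."""
    return ",".join(
        "=".join(part.strip() for part in rdn.split("=", 1))
        for rdn in dn.lower().split(",")
    )


def membership_drift(snapshot):
    """Return (group, user) pairs present in only one direction."""
    forward = set()   # pairs asserted by a group's "member" values
    reverse = set()   # pairs asserted by a user's "memberOf" values
    for dn, attrs in snapshot.items():
        for user in attrs.get("member", []):
            forward.add((norm_dn(dn), norm_dn(user)))
        for group in attrs.get("memberOf", []):
            reverse.add((norm_dn(group), norm_dn(dn)))
    return {
        "missing_memberOf": sorted(forward - reverse),
        "stale_memberOf": sorted(reverse - forward),
    }


if __name__ == "__main__":
    for kind, pairs in membership_drift(SNAPSHOT).items():
        for group, user in pairs:
            print(f"{kind}: group={group} user={user}")
```

A stale "memberOf" value matters most when an application authorises on that attribute alone, because the user keeps access the group entry no longer grants.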