I think the University Of Michigan made a class called umichPerson and you can find the "memberOfGroup" in it (I saw a note on that in a white paper somewhere).
Really interesting this discussion on memberOfGroup....
Louis-Steve Desjardins
Thank you.
I am doing some authorization work, and am definitely interested in creating dynamic groups. My client will be smart enough to do the work itself, I don't think a 2 way link maintained by the client would be necessary.
Is there an official OID for "memberOf" somewhere so that I don't have to create my own?
-----Original Message-----
From: Matt Pavlovich [mailto:Matthew.Pavlovich@algx.net]
Sent: Thursday, November 15, 2001 11:00 AM
To: Jeff Costlow
Cc: openldap software
Subject: Re: memberOf attribute
Jeff-
The memberof attribute is used quite extensively in iPlanet for "dynamic
groups". The idea is that from an application perspective, it can be
easier to manage groups using a "memberof" attribute on the user's
entry, rather than the a separate list under groups. It cuts down the
number of queries from two to one.The group entry looks like this:
cn: groupname
memberUrl: ldap:///o=base??sub?(memberof=groupname)
-or-
memberUrl:
ldap:///o=base??sub?(&(objectclass=person)(memberof=groupname))The application would have to know to run the query in order to build a
list of people in the group, which is a little more difficult than the
traditional style of storing each dn.Dynamic groups are great for application access control (given your app
is written to this). You can define groups for each function, or role
in the application, and managing the access per user can be much
simpilar. ie. Groups: cn=AppAdmin, cn=AppReadOnly, cn=AppWrite, etc..
Then use "memberof" on each of the user's entries, and you can easily
manage the access of users to applications, etc.In the end, it means a little more work on the client application side,
but managability is simplified, and it lends itself to having a cleaner
tree. When you delete a user, you automatically remove him from any
groups he has association.Dynamic groups are a handy tool to have in the tool box, the trick is
just realizing when it is best to use it.Matt Pavlovich
> Jeff Costlow wrote:
>
> I think I've seen the "memberOf "attribute in both ADS and iPlanet.
> It appears to be the converse of "member", and I believe it gets
> updated when you add a member to a group.
>
> Are there plans to add this sort of functionality into OpenLDAP?
> If not, is there anyother way I can quickly determine which groups a
> DN is a memberOf without doing a server-side search?
>
> Thanks