
Re: [ldapext] Nested group



simo wrote:
> On Wed, 2007-09-19 at 11:46 +0100, Andrew Findlay wrote:
>> On Wed, Sep 19, 2007 at 09:35:41AM +1000, Steven Legg wrote:
>>>
>>> The advantage of *not* having nested groups is that it is sufficient
>>> to just read the values of the member attribute to determine group
>>> membership. If there are nested groups, then it is necessary to
>>> read each of the entries named in the values of the member attribute
>>> to see which of them, if any, are themselves groups. That could be
>>> a big performance hit for a group with a large set of members.
>>
>> Good point. Servers have more options here, but a client dealing with
>> nested groups has to do a silly amount of work.
>
> No, it's not a good point, as that happens only if the designer of the directory decides to use this feature. If he so decides, he knows the limits and the problems he goes on doing that and it is his responsibility.

But how does a directory client know that the directory administrator is using nested groups in the member attribute? It would have to read the entries listed in the member attribute to find out, so it incurs the overhead even if nested groups are not being used. On the other hand, the presence of a nestedGroup attribute is a dead giveaway, and also limits the amount of work the client has to do when nested groups are being used.

Regards,
Steven
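
An added illustration of the cost difference discussed in this message (not code from the thread or from any LDAP implementation): a constructed in-memory directory counts entry fetches while a client expands a group whose subgroups are listed in member versus in the nestedGroup attribute named above. The DNs, the Directory class and all function names are assumptions made for the example.

```python
class Directory:
    """Constructed in-memory directory; each read() stands in for one LDAP entry fetch."""
    def __init__(self, entries):
        self.entries, self.reads = entries, 0

    def read(self, dn):
        self.reads += 1
        return self.entries.get(dn, {})

def sample(n_users, separate):
    """Two groups that nest each other (a deliberate cycle), n_users split between them."""
    users = [f"uid=u{i},ou=people,dc=example,dc=com" for i in range(n_users)]
    entries = {u: {"objectClass": ["person"]} for u in users}
    top, sub = "cn=top,ou=groups,dc=example,dc=com", "cn=sub,ou=groups,dc=example,dc=com"
    half = n_users // 2
    entries[top] = {"objectClass": ["groupOfNames"], "member": users[:half]}
    entries[sub] = {"objectClass": ["groupOfNames"], "member": users[half:]}
    attr = "nestedGroup" if separate else "member"  # where subgroup DNs are stored
    for parent, child in ((top, sub), (sub, top)):
        entries[parent].setdefault(attr, []).append(child)
    return Directory(entries), top

def expand_mixed(d, group_dn):
    """Subgroups live in 'member': each value must be fetched to learn whether it is a group."""
    users, seen, stack = set(), {group_dn}, [d.read(group_dn)]
    while stack:
        for dn in stack.pop().get("member", []):
            if dn in seen:          # already classified; also stops cycles
                continue
            seen.add(dn)
            child = d.read(dn)
            if "groupOfNames" in child.get("objectClass", []):
                stack.append(child)
            else:
                users.add(dn)
    return users

def expand_separate(d, group_dn):
    """Subgroups live in 'nestedGroup': only group entries are ever fetched."""
    users, seen, stack = set(), set(), [group_dn]
    while stack:
        dn = stack.pop()
        if dn in seen:              # stops cycles
            continue
        seen.add(dn)
        entry = d.read(dn)
        users.update(entry.get("member", []))
        stack.extend(entry.get("nestedGroup", []))
    return users

def compare(n_users):
    """Return (reads with mixed member, reads with nestedGroup, same expanded user set)."""
    (dm, top_m), (ds, top_s) = sample(n_users, False), sample(n_users, True)
    same = expand_mixed(dm, top_m) == expand_separate(ds, top_s)
    return dm.reads, ds.reads, same
```

Both expansions keep a visited set, so the cyclic nesting in the sample data terminates instead of looping, which matters when the expanded membership feeds an access-control decision.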

