
Re: memberOf attribute

Pierangelo Masarati <masarati@aero.polimi.it> writes:

> > Jeff Costlow wrote:
> > 
> > I think I've seen the "memberOf" attribute in both ADS and iPlanet.
> > It appears to be the converse of "member", and I believe it gets
> > updated when you add a member to a group.
> > 
> > Are there plans to add this sort of functionality into OpenLDAP?
> I don't think so. It seems that the philosophy of LDAP (and of OpenLDAP) 
> is not to muck with data, that is the server will hold any information
> you send in, but it will not change it nor check its consistency
> besides syntax and schema.

Besides, it is impossible to do in the general case because of
operational and security reasons.  An entry may be a member of a group
that is under completely different administration than that of the
entry itself.

As soon as you think of a distributed directory a la DNS, built by
linking products of different manufacturers and owned and operated by
different, possibly untrusting, parties, these things become very hard.

And all operations that affect several entries, like tree renames,
pose problems with replication protocols.  Now, that is a different
can of worms, of course...

That's why only closed systems support these things.

Now, they would be nice on OpenLDAP too, but applications that depend
on LDAP servers behaving like that are rather broken...
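
An added example, not part of the original message: a client-side check that derives membership from the groups' own "member" values, the equivalent of a search with the filter (member=<dn>), and flags stored "memberOf" values that no group backs. The directory contents, the DNs and the helper names (norm_dn, groups_of, audit_member_of) are constructed for illustration, and the DN normalisation is a simplification that assumes no escaped commas or equals signs.

```python
# Constructed sample directory: DN -> attributes. Not data from the thread.
DIRECTORY = {
    "cn=admins,ou=groups,dc=example,dc=com": {
        "objectClass": ["groupOfNames"],
        "member": ["uid=alice,ou=people,dc=example,dc=com"],
    },
    # A group held in a subtree run by a different administration.
    "cn=staff,ou=groups,dc=partner,dc=example": {
        "objectClass": ["groupOfNames"],
        "member": ["UID=bob, OU=people, DC=example, DC=com",
                   "uid=alice,ou=people,dc=example,dc=com"],
    },
    "uid=alice,ou=people,dc=example,dc=com": {
        "objectClass": ["inetOrgPerson"],
        # The partner group was never written back to this entry.
        "memberOf": ["cn=admins,ou=groups,dc=example,dc=com"],
    },
    "uid=bob,ou=people,dc=example,dc=com": {
        "objectClass": ["inetOrgPerson"],
        # Stale or self-asserted: admins does not list bob as a member.
        "memberOf": ["cn=admins,ou=groups,dc=example,dc=com",
                     "cn=staff,ou=groups,dc=partner,dc=example"],
    },
}

def norm_dn(dn):
    """Simplified DN normalisation (assumption: no escaped ',' or '=')."""
    return ",".join("=".join(p.strip().lower() for p in rdn.split("=", 1))
                    for rdn in dn.split(","))

def groups_of(directory, dn):
    """Groups whose own member attribute lists dn: (member=<dn>)."""
    target = norm_dn(dn)
    return {norm_dn(g) for g, attrs in directory.items()
            if target in {norm_dn(m) for m in attrs.get("member", [])}}

def audit_member_of(directory):
    """Compare each entry's stored memberOf with the derived membership."""
    report = {}
    for dn, attrs in directory.items():
        if "memberOf" not in attrs:
            continue
        claimed = {norm_dn(g) for g in attrs["memberOf"]}
        actual = groups_of(directory, dn)
        if claimed != actual:
            report[norm_dn(dn)] = {"unbacked": sorted(claimed - actual),
                                   "missing": sorted(actual - claimed)}
    return report
```

An "unbacked" value is the case that matters for authorization: the entry claims a group whose own member list does not include it.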