Re: memberOf attribute
OpenLDAP Mailing List wrote:
> We have a similar problem here. We need to list the cn of each group
> member. Without a memberOf attribute, the process is:
> 1. Open group object.
> 2. Iterate through each member: attribute and open each user object to
> extract DN.
> This results in n+1 searches for n group members.
> With memberof, it is a single, simple query:
> (&(objectclass=person)(memberof=<group dn>)), asking for DN and CN
> The second case is much faster (assuming you make an equality index on
> The hard part is assuring referential integrity. We do this with an OO
> abstraction above LDAP, but without transactionalism, it is quite
> difficult unless you are prepared to write a large amount of code.
> Transactions make things much nicer.
> I also schedule a cron process that ensures all the reverse indices are
> correct, respecting the authoritative object in all cases.
Again, I think this use of the memberOf attribute is fine, but its
update should be on the client side, not on the server side. For such
a feature you may define a (dn syntax) attribute of your own.
Dr. Pierangelo Masarati | voice: +39 02 2399 8309
Dip. Ing. Aerospaziale | fax: +39 02 2399 8334
Politecnico di Milano | mailto:firstname.lastname@example.org
via La Masa 34, 20156 Milano, Italy |
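
The periodic consistency check described in the quoted message, as an added example (not code from either poster or from OpenLDAP): it treats each group's member values as authoritative and plans the changes needed on a client-maintained reverse attribute. The in-memory directory, the names norm and plan_repairs, and the simplified DN normalization are assumptions.

```python
# Added example: offline reconciliation of a client-maintained reverse index.
# The directory is a constructed in-memory dict (DN -> attributes) standing in
# for LDAP search results; no LDAP library is used.

def norm(dn):
    """Simplified DN normalization (assumption): lowercase, trim around commas."""
    return ",".join(part.strip() for part in dn.lower().split(","))

def plan_repairs(directory, reverse_attr="memberOf"):
    """Compare group 'member' values (authoritative) with each entry's
    reverse attribute; return (modifications, dangling member references)."""
    entries = {norm(dn): attrs for dn, attrs in directory.items()}
    expected = {dn: set() for dn in entries}
    dangling = []
    for group_dn, attrs in entries.items():
        for member in attrs.get("member", []):
            m = norm(member)
            if m in expected:
                expected[m].add(group_dn)
            else:
                dangling.append((group_dn, m))  # member points at no entry
    mods = []
    for dn, attrs in entries.items():
        actual = {norm(g) for g in attrs.get(reverse_attr, [])}
        for g in sorted(expected[dn] - actual):
            mods.append(("add", dn, g))         # membership not reflected yet
        for g in sorted(actual - expected[dn]):
            mods.append(("delete", dn, g))      # stale: group does not list entry
    return mods, dangling

# Constructed sample data: alice is missing one value, bob carries a stale one.
SAMPLE = {
    "cn=admins,ou=groups,dc=example,dc=org": {
        "member": ["uid=alice,ou=people,dc=example,dc=org",
                   "uid=gone,ou=people,dc=example,dc=org"]},
    "cn=staff,ou=groups,dc=example,dc=org": {
        "member": ["uid=alice,ou=people,dc=example,dc=org",
                   "UID=bob, ou=people,dc=example,dc=org"]},
    "uid=alice,ou=people,dc=example,dc=org": {
        "cn": ["Alice"], "memberOf": ["cn=staff,ou=groups,dc=example,dc=org"]},
    "uid=bob,ou=people,dc=example,dc=org": {
        "cn": ["Bob"], "memberOf": ["cn=staff,ou=groups,dc=example,dc=org",
                                    "cn=admins,ou=groups,dc=example,dc=org"]},
}

if __name__ == "__main__":
    mods, dangling = plan_repairs(SAMPLE)
    for m in mods:
        print(*m)
    for d in dangling:
        print("dangling", *d)
```

The stale value on bob is the case that matters when the reverse attribute feeds access decisions: a filter on it would still match an entry the group object no longer lists.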