[Date Prev][Date Next] [Chronological] [Thread] [Top]

Re: using groups in filters

To: Joeri van Ruth <Joeri.van.Ruth@dds-projects.nl>
Subject: Re: using groups in filters
From: "Kurt D. Zeilenga" <Kurt@OpenLDAP.org>
Date: Wed, 18 Oct 2000 14:41:14 -0700
Cc: openldap-general@OpenLDAP.org
In-reply-to: <20001018114949.A26045@murray.dz.kantoor.dds.nl>

At 11:49 AM 10/18/00 +0200, Joeri van Ruth wrote:
>Is it possible to filter on group membership?  For example,
>finding all people in a group whose name contains the string
>"joeri"?

No. This would require a "join" capability which LDAP doesn't
offer.  You have to obtain the list members and test each
member to see if their name contains the string.  In the
general non-recursive group case, this requires 1+N protocol
operations (one search to read the list membership and one
search per member to test the assertion).  However, if you
assume all the users are within the same namingContext, you
can you can do this in 2 protocol operations (one search to
read the list membership and one search to find all entries
matching the assertion).

The LDAP design assumption, of course, is that group members
many not be related in any manner other then by their group
membership.  Each member and the group could be held on a
different server... and the group might contain other groups...
and you might have referential loops, dangling references, and
other cases requiring special attention.

Kurt

References:
- using groups in filters
  - From: Joeri van Ruth <Joeri.van.Ruth@dds-projects.nl>

Prev by Date: Re: Implementing organizational "accounts" with LDAP
Next by Date: user autheniticate by openldap
Index(es):
- Chronological
- Thread