
RE: memberOf attribute



We have a similar problem here. We need to list the cn of each group
member. Without a memberOf attribute, the process is:
 
1. Open group object.
2. Iterate through each member: attribute and open each user object to
extract DN.
 
This results in n+1 searches for n group members.
 
With memberof, it is a single, simple query:
    (&(objectclass=person)(memberof=<group dn>)), asking for DN and CN
attributes.
 
The second case is much faster (assuming you make an equality index on
memberOf).
 
The hard part is assuring referential integrity. We do this with an OO
abstraction above LDAP, but without transactionalism, it is quite
difficult unless you are prepared to write a large amount of code.
Transactions make things much nicer.
 
I also schedule a cron process that ensures all the reverse indices are
correct, respecting the authoritative object in all cases.
 
Kevin
 

	-----Original Message----- 
	From: Jeff Costlow 
	Sent: Thu 11/15/2001 11:58 AM 
	To: openldap software 
	Cc: 
	Subject: memberOf attribute
	
	

	I think I've seen the "memberOf" attribute in both ADS and
iPlanet.  It appears to be the converse of "member", and I believe it
gets updated when you add a member to a group.

	Are there plans to add this sort of functionality into OpenLDAP?
If not, is there any other way I can quickly determine which groups a DN
is a memberOf without doing a server-side search?

	Thanks 

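Added example, not part of the original thread and not OpenLDAP code: a sketch of the scheduled reconciliation pass described in the reply above, treating each group's member values as authoritative and memberOf as the derived reverse index. The names `norm` and `reconcile`, the simplified DN normalization and the in-memory sample snapshot are assumptions made for illustration.

```python
from collections import defaultdict

def norm(dn):
    # Simplified DN normalization (assumption): case-fold, trim around commas.
    return ",".join(part.strip().lower() for part in dn.split(","))

def reconcile(entries):
    # entries: {dn: {attr: [values]}} snapshot of the directory.
    # Returns (fixes, dangling): memberOf changes per entry, and member
    # values that point at no existing entry.
    by_norm = {norm(dn): dn for dn in entries}
    expected = defaultdict(set)   # normalized user DN -> normalized group DNs
    dangling = []
    for dn, attrs in entries.items():
        for member in attrs.get("member", []):
            if norm(member) in by_norm:
                expected[norm(member)].add(norm(dn))
            else:
                dangling.append((dn, member))
    fixes = {}
    for dn, attrs in entries.items():
        stored = {norm(g) for g in attrs.get("memberOf", [])}
        want = expected.get(norm(dn), set())
        add, remove = sorted(want - stored), sorted(stored - want)
        if add or remove:         # stale "remove" entries are stale access
            fixes[dn] = {"add": add, "remove": remove}
    return fixes, sorted(dangling)

# Constructed sample snapshot (not from the original thread).
SAMPLE = {
    "cn=admins,ou=groups,dc=example,dc=com": {
        "member": ["cn=alice,ou=people,dc=example,dc=com",
                   "cn=ghost,ou=people,dc=example,dc=com"]},
    "cn=staff,ou=groups,dc=example,dc=com": {
        "member": ["CN=Bob, OU=People, DC=example, DC=com"]},
    "cn=alice,ou=people,dc=example,dc=com": {"cn": ["alice"], "memberOf": []},
    "cn=bob,ou=people,dc=example,dc=com": {
        "cn": ["bob"],
        "memberOf": ["cn=staff,ou=groups,dc=example,dc=com",
                     "cn=admins,ou=groups,dc=example,dc=com"]},
}

if __name__ == "__main__":
    fixes, dangling = reconcile(SAMPLE)
    print(fixes)
    print(dangling)
```

Any application that authorizes on memberOf alone will keep honoring a stale value until a pass like this removes it, so the "remove" list is the part worth alerting on.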