Re: memberOf attribute
OpenLDAP Mailing List wrote:
>
> We have a similar problem here. We need to list the cn of each group
> member. Without a memberOf attribute, the process is:
>
> 1. Open group object.
> 2. Iterate through each member: attribute and open each user object to
> extract DN.
>
> This results in n+1 searches for n group members.
>
> With memberof, it is a single, simple query:
> (&(objectclass=person)(memberof=<group dn>)), asking for DN and CN
> attributes.
>
> The second case is much faster (assuming you make an equality index on
> memberOf).
>
> The hard part is assuring referential integrity. We do this with an OO
> abstraction above LDAP, but without transactionalism, it is quite
> difficult unless you are prepared to write a large amount of code.
> Transactions make things much nicer.
>
> I also schedule a cron process that ensures all the reverse indices are
> correct, respecting the authoritative object in all cases.
Again, I think this use of the memberOf attribute is fine, but its
update should be on the client side, not on the server side. For such
feature you may define a (dn syntax) attribute of your own.
Pierangelo.
--
Dr. Pierangelo Masarati | voice: +39 02 2399 8309
Dip. Ing. Aerospaziale | fax: +39 02 2399 8334
Politecnico di Milano | mailto:masarati@aero.polimi.it
via La Masa 34, 20156 Milano, Italy |
http://www.aero.polimi.it/~masarati
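
The periodic client-side consistency check discussed in this thread, as an added example that is not part of the original messages: it treats each group's `member` values as authoritative and computes the changes needed on the reverse attribute, which matters when applications authorize on that attribute, since a stale value keeps granting access. The in-memory directory, the `norm` and `plan_repairs` helpers and the `reverse_attr` parameter (which can name a site-defined DN-syntax attribute) are assumptions for illustration.

```python
# Added example: client-side check that a reverse-membership attribute agrees
# with the groups' member values. All directory data here is constructed.
G = "ou=groups,dc=example,dc=com"
P = "ou=people,dc=example,dc=com"
DIRECTORY = {  # {dn: {attribute: [values]}}, as search results might be held
    f"cn=admins,{G}": {"member": [f"uid=alice,{P}", f"uid=gone,{P}"]},
    f"cn=staff,{G}": {"member": [f"uid=alice,{P}", f"UID=bob, {P}"]},
    f"uid=alice,{P}": {"cn": ["Alice"], "memberOf": [f"cn=admins,{G}"]},
    f"uid=bob,{P}": {"cn": ["Bob"],
                     "memberOf": [f"cn=staff,{G}", f"cn=admins,{G}"]},
}


def norm(dn):
    """Simplified DN comparison key (assumption): lower-case, trim RDN spacing."""
    return ",".join(part.strip().lower() for part in dn.split(","))


def plan_repairs(entries, reverse_attr="memberOf"):
    """Return (ops, dangling). ops are the (action, user_dn, group_dn) changes
    that bring reverse_attr in line with member, which is authoritative;
    dangling lists (group_dn, member_dn) values that name no existing entry."""
    by_dn = {norm(dn): attrs for dn, attrs in entries.items()}
    expected = {dn: set() for dn in by_dn}
    dangling = []
    for group_dn, attrs in by_dn.items():
        for member in map(norm, attrs.get("member", [])):
            if member in by_dn:
                expected[member].add(group_dn)
            else:
                dangling.append((group_dn, member))
    ops = []
    for dn, attrs in by_dn.items():
        actual = {norm(v) for v in attrs.get(reverse_attr, [])}
        ops += [("add", dn, g) for g in expected[dn] - actual]
        ops += [("delete", dn, g) for g in actual - expected[dn]]
    return sorted(ops), sorted(dangling)


if __name__ == "__main__":
    ops, dangling = plan_repairs(DIRECTORY)
    for op in ops:
        print(*op)
    for group_dn, member in dangling:
        print("dangling member", member, "in", group_dn)
```

On the constructed data this plans one add (alice is missing the staff group) and one delete (bob carries a stale admins value), and reports the admins member that names no entry.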