
Re: memberOf attribute



OpenLDAP Mailing List wrote:
> 
> We have a similar problem here. We need to list the cn of each group
> member. Without a memberOf attribute, the process is:
> 
> 1. Open group object.
> 2. Iterate through each member: attribute and open each user object to
> extract DN.
> 
> This results in n+1 searches for n group members.
> 
> With memberof, it is a single, simple query:
>     (&(objectclass=person)(memberof=<group dn>)), asking for DN and CN
> attributes.
> 
> The second case is much faster (assuming you make an equality index on
> memberOf).
> 
> The hard part is assuring referential integrity. We do this with an OO
> abstraction above LDAP, but without transactionalism, it is quite
> difficult unless you are prepared to write a large amount of code.
> Transactions make things much nicer.
> 
> I also schedule a cron process that ensures all the reverse indices are
> correct, respecting the authoritative object in all cases.

Again, I think this use of the memberOf attribute is fine, but its 
update should be on the client side, not on the server side. For such 
a feature you may define a (dn syntax) attribute of your own.

Pierangelo.

-- 
Dr. Pierangelo Masarati               | voice: +39 02 2399 8309
Dip. Ing. Aerospaziale                | fax:   +39 02 2399 8334
Politecnico di Milano                 | mailto:masarati@aero.polimi.it
via La Masa 34, 20156 Milano, Italy   |
http://www.aero.polimi.it/~masarati
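
The scheduled consistency check mentioned in the quoted message, sketched as an added example that is not part of the original thread or of OpenLDAP: group `member` values are treated as authoritative and each user's client-maintained `memberOf` values are diffed against them. The entry layout (plain dicts), the simplified DN normalization and all sample DNs are assumptions made for the illustration.

```python
from collections import defaultdict


def norm_dn(dn):
    # Simplified DN normalization (assumption): lower-case and trim each RDN.
    # Escaped commas and multi-valued RDNs are not handled.
    return ",".join(part.strip().lower() for part in dn.split(","))


def expected_memberof(groups):
    """Map each member DN to the set of group DNs that list it (authoritative)."""
    index = defaultdict(set)
    for group_dn, attrs in groups.items():
        for member in attrs.get("member", []):
            index[norm_dn(member)].add(norm_dn(group_dn))
    return index


def reconcile(groups, users):
    """Return (fixes, dangling): per-user memberOf changes, and member values
    that point at no user entry."""
    want = expected_memberof(groups)
    known = {norm_dn(dn): attrs for dn, attrs in users.items()}
    fixes = {}
    for user_dn, attrs in known.items():
        have = {norm_dn(g) for g in attrs.get("memberOf", [])}
        should = want.get(user_dn, set())
        if have != should:
            fixes[user_dn] = {"add": sorted(should - have),
                              "delete": sorted(have - should)}
    dangling = sorted((g, m) for m, gs in want.items()
                      if m not in known for g in gs)
    return fixes, dangling


# Constructed sample entries (not from the thread).
BASE = "dc=example,dc=com"
ADMINS = "cn=admins,ou=groups," + BASE
STAFF = "cn=staff,ou=groups," + BASE
GROUPS = {
    ADMINS: {"member": ["uid=alice,ou=people," + BASE, "uid=gone,ou=people," + BASE]},
    STAFF: {"member": ["UID=Bob, ou=people, dc=example, dc=com"]},
}
USERS = {
    "uid=alice,ou=people," + BASE: {"memberOf": []},           # missing value
    "uid=bob,ou=people," + BASE: {"memberOf": [STAFF, ADMINS]},  # stale ADMINS
}

if __name__ == "__main__":
    print(reconcile(GROUPS, USERS))
```

The stale value on the second user is the case that matters for access decisions: a `memberOf` filter would still return that entry for the admins group although the group object no longer lists it.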