directory-dev mailing list archives

From Stefan Zoerner <ste...@labeo.de>
Subject Re: V1.0.1 schema
Date Fri, 30 Mar 2007 19:32:49 GMT
Tony Thompson wrote:
> Yeah, I am using that on the group side but I want to keep track of the 
> groups the user is in from the perspective of the user object.  So, 
> something like this:
>  
> cn=MyGroup,dc=example,dc=org
>     member: cn=MyUser,dc=example,dc=org
>  
> cn=MyUser,dc=example,dc=org
>     memberOf: cn=MyGroup,dc=example,dc=org
>  
> Tony
> 

Hi Tony!

I know that Active Directory does something exactly like that. Most 
directory servers I know don't. The information is redundant, and it is 
not easy to keep both directions of the association consistent.

It seems to be an advantage to have the ability to perform a simple 
lookup and know all the groups a user belongs to. But with clever filter 
choice, you can determine direct group membership with a single search 
op without an attribute on the user side. And for *all* groups a user 
belongs to (directly or via groups within groups), you always need an 
algorithm with several search ops -- even if you have both directions 
stored.

I recommend this article, if you do not already know it. It contains 
descriptions of the algorithms.
http://middleware.internet2.edu/dir/groups/rpr-nmi-edit-mace_dir-groups_best_practices-1.0.html

Greetings from Hamburg,
     Stefan
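
The two lookups described in the message above, as an added example that is not part of the original post or the project's code. The directory contents are constructed, and `search_member` is a hypothetical stand-in for one LDAP search with the filter `(member=<dn>)`; DN normalisation is simplified.

```python
# Constructed sample data: only groups carry "member"; users have no memberOf.
SAMPLE = {
    "cn=MyGroup,dc=example,dc=org": ["cn=MyUser,dc=example,dc=org"],
    "cn=Staff,dc=example,dc=org": ["cn=MyGroup,dc=example,dc=org"],
    # Self-reference: a membership cycle the traversal must survive.
    "cn=Everyone,dc=example,dc=org": ["cn=Staff,dc=example,dc=org",
                                      "cn=Everyone,dc=example,dc=org"],
    "cn=Other,dc=example,dc=org": ["cn=SomeoneElse,dc=example,dc=org"],
}


def norm(dn):
    """Simplified DN comparison: ignore case and spaces around commas."""
    return ",".join(part.strip().lower() for part in dn.split(","))


class GroupDirectory:
    def __init__(self, groups):
        self.groups = groups
        self.search_ops = 0  # number of simulated search operations

    def search_member(self, dn):
        """Stand-in for one search with filter (member=<dn>)."""
        self.search_ops += 1
        target = norm(dn)
        return sorted(g for g, members in self.groups.items()
                      if target in {norm(m) for m in members})

    def direct_groups(self, user_dn):
        """Direct membership: one search, no attribute on the user entry."""
        return self.search_member(user_dn)

    def all_groups(self, user_dn):
        """Direct and nested membership: one search per DN discovered."""
        seen, found, queue = set(), [], [user_dn]
        while queue:
            for group in self.search_member(queue.pop(0)):
                if norm(group) not in seen:  # cycle guard
                    seen.add(norm(group))
                    found.append(group)
                    queue.append(group)
        return found


if __name__ == "__main__":
    d = GroupDirectory(SAMPLE)
    print(d.all_groups("cn=MyUser,dc=example,dc=org"), d.search_ops)
```

The `seen` set is what keeps a cyclic or self-referencing group from turning the nested lookup into an endless loop when the result feeds an authorization decision.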
