directory-dev mailing list archives

From Quanah Gibson-Mount <>
Subject Re: V1.0.1 schema
Date Fri, 30 Mar 2007 19:59:03 GMT

--On Friday, March 30, 2007 9:32 PM +0200 Stefan Zoerner <> 

> Tony Thompson wrote:
>> Yeah, I am using that on the group side but I want to keep track of the
>> groups the user is in from the perspective of the user object.  So,
>> something like this:
>> cn=MyGroup,dc=example,dc=org
>>     member: cn=MyUser,dc=example,dc=org
>> cn=MyUser,dc=example,dc=org
>>     memberOf: cn=MyGroup,dc=example,dc=org
>> Tony
> Hi Tony!
> I know that Active Directory does something exactly like that. Most
> directory servers I know don't. The information is redundant, and it is
> not easy to keep both directions of the association consistent.
> It seems to be an advantage to have the ability to perform a simple
> lookup and know all the groups a user belongs to. But with clever filter
> choice, you can determine direct group membership with a single search op
> without an attribute on the user side. And for *all* groups a user
> belongs to (directly or via groups within groups), you always need an
> algorithm with several search ops -- even if you have both directions
> stored.
> I recommend this article, if you do not already know it. It contains
> descriptions of the algorithms.
> est_practices-1.0.html

Not necessarily.  If you use dynamic groups, you can have a single 
attribute on the user side that stores group membership, and then an 
evaluated URI in a group object that creates the group "on the fly".  It 
works very well.  Unfortunately, AD is broken in this area, and cannot use 
them for authorization (it can only use static groups).


Quanah Gibson-Mount
Senior Systems Software Developer
ITS/Shared Application Services
Stanford University
GnuPG Public Key:

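Worked example (added here, not part of the thread, and not code from any directory server): the three lookups the thread discusses, modelled over a small in-memory directory. The DNs, the user-side `team` attribute and the `ou=Groups` search base are constructed for illustration; `groupOfURLs` and `memberURL` follow the naming used by dynamic-group implementations such as OpenLDAP's dynlist overlay, but the search and filter evaluator below is a deliberately minimal stand-in for a real server.

```python
"""Added example (not from the thread): direct, transitive and dynamic group
membership over a constructed in-memory directory.  Names and DNs are
assumptions made for illustration."""
from collections import deque
from urllib.parse import unquote

# Constructed sample directory: DN -> {attribute: [values]}.
DIRECTORY = {
    "cn=MyUser,ou=People,dc=example,dc=org": {
        "objectClass": ["inetOrgPerson"], "team": ["ops"]},
    "cn=Alice,ou=People,dc=example,dc=org": {
        "objectClass": ["inetOrgPerson"], "team": ["dev"]},
    # Static groups: membership is stored on the group side only.
    "cn=MyGroup,ou=Groups,dc=example,dc=org": {
        "objectClass": ["groupOfNames"],
        "member": ["cn=MyUser,ou=People,dc=example,dc=org"]},
    "cn=Staff,ou=Groups,dc=example,dc=org": {
        "objectClass": ["groupOfNames"],
        "member": ["cn=MyGroup,ou=Groups,dc=example,dc=org",   # group in group
                   "cn=Alice,ou=People,dc=example,dc=org"]},
    # Dynamic group: members are derived from one attribute on the user entries.
    "cn=OpsDyn,ou=Groups,dc=example,dc=org": {
        "objectClass": ["groupOfURLs"],
        "memberURL": ["ldap:///ou=People,dc=example,dc=org??sub?(team=ops)"]},
}


def _parse_filter(f, i=0):
    """Tiny RFC 4515 subset: equality matches and nested (&...)/(|...)."""
    i += 1                                # skip the opening '('
    if f[i] in "&|":
        op, subs, i = f[i], [], i + 1
        while f[i] == "(":
            node, i = _parse_filter(f, i)
            subs.append(node)
        return (op, subs), i + 1          # skip the closing ')'
    j = f.index(")", i)
    attr, value = f[i:j].split("=", 1)    # DN values contain '=' themselves
    return ("=", attr, value), j + 1


def _matches(entry, node):
    if node[0] in "&|":
        combine = all if node[0] == "&" else any
        return combine(_matches(entry, sub) for sub in node[1])
    _, attr, value = node
    if value == "*":                      # presence filter, e.g. (objectClass=*)
        return attr in entry
    return value in entry.get(attr, [])


def search(base, scope, filt):
    """Yield the DNs under `base` (scope base/one/sub) matching `filt`."""
    node, _ = _parse_filter(filt)
    base = base.lower()
    for dn, entry in DIRECTORY.items():
        d = dn.lower()
        if scope == "base":
            in_scope = d == base
        elif scope == "one":
            in_scope = d.endswith("," + base) and "," not in d[: -len(base) - 1]
        else:
            in_scope = d == base or d.endswith("," + base)
        if in_scope and _matches(entry, node):
            yield dn


def direct_groups(dn):
    """Direct membership: one search, no attribute on the user entry, just a
    filter on the group's member attribute."""
    return sorted(search("ou=Groups,dc=example,dc=org", "sub",
                         f"(&(objectClass=groupOfNames)(member={dn}))"))


def all_groups(user_dn):
    """Transitive membership (groups within groups) needs several searches;
    the visited set also guards against membership cycles."""
    seen, queue = set(), deque([user_dn])
    while queue:
        for group in direct_groups(queue.popleft()):
            if group not in seen:
                seen.add(group)
                queue.append(group)
    return sorted(seen)


def expand_dynamic_group(group_dn):
    """Evaluate each memberURL (RFC 4516 form ldap:///base?attrs?scope?filter)
    and build the group's member list on the fly from the user attribute."""
    members = set()
    for url in DIRECTORY[group_dn].get("memberURL", []):
        parts = url[len("ldap:///"):].split("?")
        base = unquote(parts[0])
        scope = parts[2] if len(parts) > 2 and parts[2] else "base"
        filt = unquote(parts[3]) if len(parts) > 3 and parts[3] else "(objectClass=*)"
        members.update(search(base, scope, filt))
    return sorted(members)
```

`direct_groups` and `all_groups` illustrate the two cases in Stefan's message; `expand_dynamic_group` illustrates the dynamic-group approach in Quanah's reply, where the only stored membership data is the `team` value on each user entry. One consequence worth keeping in mind when using dynamic groups for authorization: whoever can write that user-side attribute can change group membership, so its access control deserves the same care as the `member` attribute of a static group.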