directory-dev mailing list archives

From "Tony Thompson" <Tony.Thomp...@stone-ware.com>
Subject RE: V1.0.1 schema
Date Fri, 30 Mar 2007 20:27:15 GMT
I wasn't aware of that article but it looks like it has some good info
in it, thanks.

I wasn't really looking for the directory to keep both attributes in
sync.  My application already takes care of that for directories that
don't (Active Directory does it for you, eDirectory does not but has the
"groupMembership" attribute there for you, OpenLDAP does not keep the
two in sync nor does it have an attribute to use, apparently ApacheDS is
mostly like OpenLDAP).  For OpenLDAP I am using the search method to
determine group membership when needed.  For Active Directory, I support
nested groups which requires me to devise the very clever search string.
Unfortunately, it is slow to have the directory perform that search all
the time even when you are using their Global Catalog.  Kinda makes
sense since it is like making SQL queries against a database without any
indexes.

My application has one big requirement that doesn't let me use the
search option.  I am taking advantage of the fact that ApacheDS does not
maintain referential integrity in DN type attributes.  So, the
"memberOf" attribute has group DNs of groups that don't even exist in
the Apache directory instance.  I typically consider this a deficiency
of the directory (seems to make sense that the directory would enforce
that) but in this one instance I actually need it to work that way.

So, it is sounding like my only option is to create my own schema
extension for "memberOf".

Tony

-----Original Message-----
From: Stefan Zoerner [mailto:stefan@labeo.de] 
Sent: Friday, March 30, 2007 3:33 PM
To: Apache Directory Developers List
Subject: Re: V1.0.1 schema

Tony Thompson wrote:
> Yeah, I am using that on the group side but I want to keep track of 
> the groups the user is in from the perspective of the user object.  
> So, something like this:
>  
> cn=MyGroup,dc=example,dc=org
>     member: cn=MyUser,dc=example,dc=org
>  
> cn=MyUser,dc=example,dc=org
>     memberOf: cn=MyGroup,dc=example,dc=org
>  
> Tony
> 

Hi Tony!

I know that Active Directory does something exactly like that. Most
directory servers I know don't. The information is redundant, and it is
not easy to keep both directions of the association consistent.

It seems to be an advantage to have the ability to perform a simple
lookup and know all the groups a user belongs to. But with clever filter
choice, you can determine direct group membership with a single search
op without an attribute on the user side. And for *all* groups a user
belongs to (directly or via groups within groups), you always need an
algorithm with several search ops -- even if you have both directions
stored.

I recommend this article, if you don't already know it. It contains
descriptions of the algorithms.
http://middleware.internet2.edu/dir/groups/rpr-nmi-edit-mace_dir-groups_best_practices-1.0.html

Greetings from Hamburg,
     Stefan
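The approaches this thread contrasts, as an added example against a small constructed in-memory directory (not code from either poster, nor from ApacheDS): direct membership found with a single (member=userDN) search on the group side, nested membership found with one search op per discovered group, and a consistency check for a stored memberOf whose values name groups that do not exist. The functions search, direct_groups, all_groups and dangling_memberof and the sample entries are assumptions of this example.

```python
from collections import deque
# Constructed sample entries (DN -> multi-valued attributes), not a live server.
DIRECTORY = {
    "cn=MyUser,dc=example,dc=org": {
        "objectClass": ["inetOrgPerson"],
        # "Ghost" names a group that has no entry: the dangling DN that a
        # directory without referential integrity on DN attributes tolerates.
        "memberOf": ["cn=MyGroup,dc=example,dc=org", "cn=Ghost,dc=example,dc=org"],
    },
    "cn=MyGroup,dc=example,dc=org": {
        "objectClass": ["groupOfNames"],
        "member": ["cn=MyUser,dc=example,dc=org"],
    },
    "cn=Other,dc=example,dc=org": {  # lists the user, but memberOf was never updated
        "objectClass": ["groupOfNames"],
        "member": ["cn=MyUser,dc=example,dc=org"],
    },
    "cn=Parent,dc=example,dc=org": {  # nested group; also a member of itself (cycle)
        "objectClass": ["groupOfNames"],
        "member": ["cn=MyGroup,dc=example,dc=org", "cn=Parent,dc=example,dc=org"],
    },
}

def search(directory, attr, value):
    """One search op with the equality filter (attr=value); returns matching DNs."""
    return {dn for dn, entry in directory.items() if value in entry.get(attr, [])}

def direct_groups(directory, user_dn):
    """Direct membership from the group side: a single (member=userDN) search."""
    return search(directory, "member", user_dn)

def all_groups(directory, user_dn):
    """Transitive membership: one search op per discovered DN; the visited set stops cycles."""
    seen, queue, ops = set(), deque([user_dn]), 0
    while queue:
        dn = queue.popleft()
        ops += 1
        for group in search(directory, "member", dn) - seen:
            seen.add(group)
            queue.append(group)
    return seen, ops

def dangling_memberof(directory, user_dn):
    """Consistency check for a stored memberOf: values naming groups that have
    no entry, and groups that list the user but are absent from memberOf."""
    claimed = set(directory[user_dn].get("memberOf", []))
    missing_entry = {g for g in claimed if g not in directory}
    not_listed = direct_groups(directory, user_dn) - claimed
    return missing_entry, not_listed
```

all_groups also returns the number of search ops it needed, which makes the cost of nested lookups visible even on this tiny directory.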