directory-users mailing list archives

From Stefan Seelmann
Subject Re: memberOf attribute
Date Mon, 08 Mar 2010 21:48:33 GMT
I'd suggest you create a feature request in Jira [1] and you all can
vote on that feature request.

I think it can be implemented by a new interceptor and there are
different implementation strategies:

- The attribute can be added dynamically to search results. In that case
the interceptor needs to perform an additional search to find all groups
the user is a member of and add the resulting group DNs to the search
result entry. This approach has an impact on search performance.

- The interceptor can modify the user entries whenever a group's member
attribute is modified. This approach has an impact on write performance.

Of course you all are invited to implement such an interceptor.

Kind Regards,


Cody Burleson wrote:
> The memberOf attribute is actually common to several LDAP servers, although
> the attribute goes by a different name in each. It is available in AD, IBM's
> LDAP server, Novell eDirectory, and others.
> This is a very important feature because it allows users to announce
> membership to applications at login and from a performance perspective, it
> can make a huge difference. Instead of searching all groups to determine
> whether or not a user has membership, applications can simply check the
> memberOf attribute. WebSphere Portal, for example, recommends this approach
> for improving login times when configuring the portal server to authenticate
> against LDAP.
> Please consider this a vote in favor of the feature.
> Cody Burleson
> Burleson Technology Group
> Mobile: (214) 537-8783
> Skype: codyburleson
> On Mon, Mar 8, 2010 at 8:51 AM, Martin Schuster (IFKL IT OS DSM CD) <
>> wrote:
>> Linus van Geuns wrote:
>>> [...]
>>> I guess, your web app was designed for M$ Active Directory, as it
>>> stores group memberships in the groups object AND in the users object
>>> using 'memberOf' attribute.
>>> Standard LDAP only stores group membership in the group objects.
>>> [...]
>> I'm working with a SunDS (modified Novell LDAP server afaik), and it
>> also has this feature, i.e. if you have a group
>> dn: cn=goodguys,dc=example,dc=com
>> uniqueMember: uid=superman,ou=people,dc=example,dc=com
>> then the entry for this user will automatically have a correct
>> "isMemberOf" attribute
>> dn: uid=superman,ou=people,dc=example,dc=com
>> isMemberOf: cn=goodguys,dc=example,dc=com
>> If ApacheDS doesn't have this feature, it would be nice to have :)
>> br,
>> --
>> Infineon Technologies IT-Services GmbH
>> Lakeside B05, 9020 Klagenfurt, Austria   Martin Schuster
>>         FB: LG Klagenfurt, FN 246787y   +43 5 1777 3517
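
The two strategies described in the reply above (compute memberOf at search time, or maintain it on every group write), modelled in memory as an added example. This is not ApacheDS code or code from any poster in this thread; the class and method names are hypothetical, and DN handling is simplified (no escaped commas).

```python
# Added example: in-memory model only. All names here are hypothetical.

def norm(dn):
    """Simplified DN normalisation (assumption: no escaped commas)."""
    return ",".join(part.strip().lower() for part in dn.split(","))

class Directory:
    def __init__(self):
        self.groups = {}      # group DN -> set of member DNs (uniqueMember)
        self.member_of = {}   # user DN -> set of group DNs (strategy 2 only)

    # Strategy 1: compute memberOf while answering a search.
    def member_of_at_read(self, user_dn):
        user = norm(user_dn)
        # One pass over every group per lookup: this is the read-side cost.
        return {g for g, members in self.groups.items() if user in members}

    # Strategy 2: keep a stored memberOf in step with every group write.
    def set_members(self, group_dn, member_dns):
        group = norm(group_dn)
        new = {norm(m) for m in member_dns}
        old = self.groups.get(group, set())
        for user in new - old:
            self.member_of.setdefault(user, set()).add(group)
        for user in old - new:
            # Removal must be propagated, or the user keeps a stale group.
            self.member_of[user].discard(group)
        self.groups[group] = new

    def delete_group(self, group_dn):
        self.set_members(group_dn, [])   # clear back-references first
        del self.groups[norm(group_dn)]

    def member_of_stored(self, user_dn):
        return set(self.member_of.get(norm(user_dn), set()))

def demo():
    d = Directory()
    superman = "uid=superman,ou=people,dc=example,dc=com"
    batman = "uid=batman,ou=people,dc=example,dc=com"      # constructed sample
    d.set_members("cn=goodguys,dc=example,dc=com", [superman])
    d.set_members("cn=Flyers, dc=example, dc=com", [superman, batman])
    before = d.member_of_stored(superman)
    d.set_members("cn=flyers,dc=example,dc=com", [batman])  # superman removed
    d.delete_group("cn=goodguys,dc=example,dc=com")
    return before, d.member_of_stored(superman), d.member_of_at_read(superman)

if __name__ == "__main__":
    print(demo())
```

If an application authorizes on the stored attribute, a missed removal or group deletion leaves access in place that the group entry no longer grants, so those write paths are the ones to test.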
