directory-users mailing list archives

From Cody Burleson <>
Subject Re: memberOf attribute
Date Mon, 08 Mar 2010 15:49:40 GMT
The memberOf attribute is actually common to several LDAP servers, although
the attribute goes by a different name in each. It is available in AD, IBM's
LDAP server, Novell eDirectory, and others.

This is a very important feature because it allows users to announce
membership to applications at login and from a performance perspective, it
can make a huge difference. Instead of searching all groups to determine
whether or not a user has membership, applications can simply check the
memberOf attribute. WebSphere Portal, for example, recommends this approach
for improving login times when configuring the portal server to authenticate
against LDAP.

Please consider this a vote in favor of the feature.

Cody Burleson
Burleson Technology Group
Mobile: (214) 537-8783
Skype: codyburleson

On Mon, Mar 8, 2010 at 8:51 AM, Martin Schuster (IFKL IT OS DSM CD) <> wrote:

> Linus van Geuns wrote:
> > [...]
> > I guess, your web app was designed for M$ Active Directory, as it
> > stores group memberships in the groups object AND in the users object
> > using 'memberOf' attribute.
> >
> > Standard LDAP only stores group membership in the group objects.
> > [...]
> I'm working with a SunDS (modified Novell LDAP server afaik), and it
> also has this feature, i.e. if you have a group
> dn: cn=goodguys,dc=example,dc=com
> uniqueMember: uid=superman,ou=people,dc=example,dc=com
> then the entry for this user will automatically have a correct
> "isMemberOf" attribute
> dn: uid=superman,ou=people,dc=example,dc=com
> isMemberOf: cn=goodguys,dc=example,dc=com
> If ApacheDS doesn't have this feature, it would be nice to have :)
> br,
> --
> Infineon Technologies IT-Services GmbH
> Lakeside B05, 9020 Klagenfurt, Austria   Martin Schuster
>         FB: LG Klagenfurt, FN 246787y   +43 5 1777 3517
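
Added example (not part of the original messages or of any directory server's code): a Python audit over an LDIF export that derives each user's groups from the groups' `uniqueMember` values, as in the entries quoted above, and compares them with the stored `isMemberOf` values, which is the consistency an application depends on when it trusts the reverse attribute at login. The sample data and the names `norm_dn`, `parse_ldif` and `audit_reverse_links` are constructed for illustration; the parser assumes simple LDIF without line folding or base64 values.

```python
from collections import defaultdict
# Constructed sample: the goodguys/superman entries mirror the thread, the rest is invented.
SAMPLE_LDIF = """\
dn: cn=goodguys,dc=example,dc=com
uniqueMember: uid=superman,ou=people,dc=example,dc=com
uniqueMember: UID=batman, ou=people, dc=example, dc=com

dn: cn=admins,dc=example,dc=com
uniqueMember: uid=superman,ou=people,dc=example,dc=com

dn: uid=superman,ou=people,dc=example,dc=com
isMemberOf: cn=goodguys,dc=example,dc=com

dn: uid=batman,ou=people,dc=example,dc=com
isMemberOf: cn=goodguys,dc=example,dc=com

dn: uid=joker,ou=people,dc=example,dc=com
isMemberOf: cn=admins,dc=example,dc=com
"""

def norm_dn(dn):
    """Simplified DN normalisation: lower-case, trim spaces around each RDN."""
    return ",".join(part.strip().lower() for part in dn.split(","))

def parse_ldif(text):
    """Parse simple LDIF into {normalised dn: {attribute name: [values]}}."""
    entries = {}
    for block in text.strip().split("\n\n"):
        attrs = defaultdict(list)
        for line in block.splitlines():
            name, _, value = line.partition(":")
            attrs[name.strip().lower()].append(value.strip())
        entries[norm_dn(attrs.pop("dn")[0])] = attrs
    return entries

def audit_reverse_links(entries, member_attr="uniquemember", reverse_attr="ismemberof"):
    """Compare the reverse attribute on users with what the group entries say."""
    derived = defaultdict(set)  # user DN -> set of group DNs that list the user
    for dn, attrs in entries.items():
        for member in attrs.get(member_attr, []):
            derived[norm_dn(member)].add(dn)
    findings = []
    for dn in sorted(set(entries) | set(derived)):
        stored = {norm_dn(g) for g in entries.get(dn, {}).get(reverse_attr, [])}
        for group in sorted(stored - derived[dn]):
            findings.append(("stale", dn, group))    # user claims a group that does not list them
        for group in sorted(derived[dn] - stored):
            findings.append(("missing", dn, group))  # group lists the user, reverse link absent
    return findings
```

A `stale` finding is the one that matters for access control: an application that reads only the reverse attribute would grant that user a group the group entry itself does not confirm.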
