directory-users mailing list archives

From Linus van Geuns <>
Subject Re: memberOf attribute
Date Tue, 09 Mar 2010 04:30:40 GMT

On Mon, Mar 8, 2010 at 4:49 PM, Cody Burleson <> wrote:
> The memberOf attribute is actually common to several LDAP servers, although
> the attribute goes by a different name in each. It is available in AD, IBM's
> LDAP server, Novell eDirectory, and others.
> This is a very important feature because it allows users to announce
> membership to applications at login and from a performance perspective, it
> can make a huge difference. Instead of searching all groups to determine
> whether or not a user has membership, applications can simply check the
> memberOf attribute. WebSphere Portal, for example, recommends this approach
> for improving login times when configuring the portal server to authenticate
> against LDAP.

As most LDAP servers perform well when searching in a container or
subtree, this feature may gain some performance when trying to iterate
all the group memberships of a user object. On the other hand, it may
reduce server performance on some more complex setups like distributed
databases and will add payload to searches w/o specific attribute

As long as it is optional and configurable (e.g. constrain calculation
to specific container, objectClass and membership attribute), it may
help in some setups and be convenient for a lot of applications.

Regards, Linus
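
The constrained calculation discussed in the message above, as an added example that is not part of the original thread or of any directory server's code: a virtual memberOf is derived from group entries limited to one container, objectClass and membership attribute, then compared with a full group search. The directory contents, DNs and function names are constructed for illustration.

```python
# Constructed sample directory (DN -> attributes); not data from the thread.
DIRECTORY = {
    "cn=admins,ou=groups,dc=example,dc=com": {
        "objectClass": ["groupOfNames"],
        "member": ["uid=alice,ou=people,dc=example,dc=com"]},
    "cn=portal,ou=groups,dc=example,dc=com": {
        "objectClass": ["groupOfUniqueNames"],
        "uniqueMember": ["uid=alice,ou=people,dc=example,dc=com"]},
    "cn=legacy,ou=archive,dc=example,dc=com": {
        "objectClass": ["groupOfNames"],
        "member": ["uid=alice,ou=people,dc=example,dc=com"]},
}
ALICE = "UID=Alice, ou=People,dc=example,dc=com"

def norm(dn):
    """Simplified DN comparison key: lower-case, no padding (escaped commas unhandled)."""
    return ",".join(part.strip().lower() for part in dn.split(","))

def in_subtree(dn, base):
    d, b = norm(dn), norm(base)
    return d == b or d.endswith("," + b)

def compute_member_of(directory, user_dn, base, object_class, member_attr):
    """Virtual memberOf: only groups under base, of object_class, listing the user in member_attr."""
    user, found = norm(user_dn), []
    for dn, attrs in directory.items():
        classes = [oc.lower() for oc in attrs.get("objectClass", [])]
        members = [norm(m) for m in attrs.get(member_attr, [])]
        if in_subtree(dn, base) and object_class.lower() in classes and user in members:
            found.append(dn)
    return sorted(found)

def search_all_groups(directory, user_dn, member_attrs=("member", "uniqueMember")):
    """The classic approach: scan every entry for the user in any membership attribute."""
    user = norm(user_dn)
    return sorted(dn for dn, attrs in directory.items()
                  if any(user in [norm(m) for m in attrs.get(a, [])] for a in member_attrs))

def not_covered(directory, user_dn, base, object_class, member_attr):
    """Groups an application would miss if it trusted the constrained memberOf alone."""
    covered = set(compute_member_of(directory, user_dn, base, object_class, member_attr))
    return [dn for dn in search_all_groups(directory, user_dn) if dn not in covered]

if __name__ == "__main__":
    args = (DIRECTORY, ALICE, "ou=groups,dc=example,dc=com", "groupOfNames", "member")
    print("memberOf:", compute_member_of(*args))
    print("missed:  ", not_covered(*args))
```

An application that makes authorization decisions from memberOf needs to know which constraints the server applies, since groups outside them only show up in a group search.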
