Tony Thompson wrote:
Yeah, I am using that on the group side but I want to keep track of the
groups the user is in from the perspective of the user object. So,
something like this:

cn=MyGroup,dc=example,dc=org
member: cn=MyUser,dc=example,dc=org

cn=MyUser,dc=example,dc=org
memberOf: cn=MyGroup,dc=example,dc=org

Tony
Hi Tony!
I know that Active Directory does something exactly like that. Most
directory servers I know don't. The information is redundant, and it is
not easy to keep both directions of the association consistent.
It seems to be an advantage to have the ability to perform a simple
lookup and know all the groups a user belongs to. But with clever filter
choice, you can determine direct group membership with a single search
op without an attribute on the user side. And for *all* groups a user
belongs to (directly or via groups within groups), you always need an
algorithm with several search ops -- even if you have both directions
stored.
I recommend this article, if you do not already know it. It contains
descriptions of the algorithms.
http://middleware.internet2.edu/dir/groups/rpr-nmi-edit-mace_dir-groups_best_practices-1.0.html
Greetings from Hamburg,
Stefan
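
The two lookups described in the reply above, as an added example that is not part of the original messages: one filtered search for direct membership, and a repeated search that follows groups within groups. It assumes groups are groupOfNames entries holding a member attribute; the in-memory GROUPS table, the extra group names and the function names are constructed for illustration, with direct_groups() standing in for a real LDAP search op.

```python
from collections import deque

# Constructed sample data: group DN -> values of its member attribute.
GROUPS = {
    "cn=MyGroup,dc=example,dc=org": ["cn=MyUser,dc=example,dc=org"],
    # Staff and All list each other, so the nesting contains a cycle.
    "cn=Staff,dc=example,dc=org": ["cn=MyGroup,dc=example,dc=org",
                                   "cn=All,dc=example,dc=org"],
    "cn=All,dc=example,dc=org": ["cn=Staff,dc=example,dc=org"],
    "cn=Other,dc=example,dc=org": ["cn=Someone,dc=example,dc=org"],
}

def escape_filter_value(value):
    """Escape the RFC 4515 special characters so a DN cannot alter the filter."""
    return "".join("\\%02x" % ord(c) if c in "\\*()\x00" else c for c in value)

def membership_filter(dn):
    """Filter that finds every group naming dn as a direct member."""
    return "(&(objectClass=groupOfNames)(member=%s))" % escape_filter_value(dn)

def direct_groups(dn, log):
    """One search op. log records the filter a real server would receive."""
    log.append(membership_filter(dn))
    wanted = dn.lower()  # assumption: simplified case-insensitive DN matching
    return {group for group, members in GROUPS.items()
            if wanted in (m.lower() for m in members)}

def all_groups(user_dn, log):
    """Direct and nested groups: one search per DN visited, safe against cycles."""
    seen, queue = set(), deque([user_dn])
    while queue:
        for group in direct_groups(queue.popleft(), log):
            if group not in seen:  # never search the same group twice
                seen.add(group)
                queue.append(group)
    return seen

if __name__ == "__main__":
    ops = []
    for dn in sorted(all_groups("cn=MyUser,dc=example,dc=org", ops)):
        print(dn)
    print(len(ops), "search ops")
```

The number of searches grows with the number of groups reached, which is the cost the reply refers to when it says nested membership always needs several search ops.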