--On Friday, March 30, 2007 9:32 PM +0200 Stefan Zoerner <[EMAIL PROTECTED]> wrote:
Tony Thompson wrote:
Yeah, I am using that on the group side but I want to keep track of the groups the user is in from the perspective of the user object. So, something like this:

cn=MyGroup,dc=example,dc=org
member: cn=MyUser,dc=example,dc=org

cn=MyUser,dc=example,dc=org
memberOf: cn=MyGroup,dc=example,dc=org

Tony

Hi Tony!

I know that Active Directory does something exactly like that. Most directory servers I know don't. The information is redundant, and it is not easy to keep both directions of the association consistent.

It seems to be an advantage to have the ability to perform a simple lookup and know all the groups a user belongs to. But with clever filter choice, you can determine direct group membership with a single search op without an attribute on the user side. And for *all* groups a user belongs to (directly or via groups within groups), you always need an algorithm with several search ops -- even if you have both directions stored.

I recommend this article, if you do not already know it. It contains descriptions of the algorithms.
http://middleware.internet2.edu/dir/groups/rpr-nmi-edit-mace_dir-groups_best_practices-1.0.html
Not necessarily. If you use dynamic groups, you can have a single attribute on the user side that stores group membership, and then an evaluated URI in a group object that creates the group "on the fly". It works very well. Unfortunately, AD is broken in this area, and cannot use them for authorization (it can only use static groups).
--Quanah

--
Quanah Gibson-Mount
Senior Systems Software Developer
ITS/Shared Application Services
Stanford University
GnuPG Public Key: http://www.stanford.edu/~quanah/pgp.html
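The membership resolution Stefan describes above (one search op for direct groups, several for nested ones), as an added example that is not part of this thread or of any directory server's code. It uses a constructed in-memory directory and a stand-in `search_groups_with_member()` in place of a real LDAP search; the DNs and group layout are made up, including a group that contains itself, which is the case an authorization check must not loop on.

```python
# Added example: resolve every group a user belongs to, directly or via
# nested groups, with one search op per discovered group. DIRECTORY and
# search_groups_with_member() are a constructed stand-in for an LDAP server
# (no python-ldap needed); all entries and DNs below are made up.
from collections import deque

# Constructed sample entries: group DN -> member DNs (users or other groups).
DIRECTORY = {
    "cn=admins,dc=example,dc=org":   ["cn=alice,dc=example,dc=org"],
    "cn=staff,dc=example,dc=org":    ["cn=admins,dc=example,dc=org",
                                      "cn=bob,dc=example,dc=org"],
    # "everyone" lists itself: nested groups can form cycles.
    "cn=everyone,dc=example,dc=org": ["cn=staff,dc=example,dc=org",
                                      "cn=everyone,dc=example,dc=org"],
    "cn=guests,dc=example,dc=org":   ["cn=carol,dc=example,dc=org"],
}


def search_groups_with_member(member_dn):
    """Stand-in for one LDAP search op with the filter
    (&(objectClass=groupOfNames)(member=<member_dn>)).
    Returns the DNs of groups that list member_dn directly: this single
    search gives direct membership without any memberOf attribute."""
    return sorted(dn for dn, members in DIRECTORY.items() if member_dn in members)


def all_groups_of(user_dn):
    """Breadth-first expansion: each group found is searched for in turn as a
    member of other groups. The 'seen' set stops on cycles and bounds the
    number of search ops by the number of distinct groups found.
    Returns (sorted group DNs, number of search ops issued)."""
    seen = set()
    queue = deque([user_dn])
    ops = 0
    while queue:
        dn = queue.popleft()
        ops += 1
        for group in search_groups_with_member(dn):
            if group not in seen:
                seen.add(group)
                queue.append(group)
    return sorted(seen), ops


if __name__ == "__main__":
    groups, ops = all_groups_of("cn=alice,dc=example,dc=org")
    print(f"{len(groups)} groups via {ops} search ops: {groups}")
```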
