I wasn't aware of that article but it looks like it has some good info in it, thanks.
I wasn't really looking for the directory to keep both attributes in sync. My application already takes care of that for directories that don't (Active Directory does it for you; eDirectory does not, but has the "groupMembership" attribute there for you; OpenLDAP does not keep the two in sync, nor does it have an attribute to use; apparently ApacheDS is mostly like OpenLDAP). For OpenLDAP I am using the search method to determine group membership when needed. For Active Directory, I support nested groups, which requires me to devise the very clever search string. Unfortunately, it is slow to have the directory perform that search all the time, even when you are using their Global Catalog. Kinda makes sense, since it is like making SQL queries against a database without any indexes.

My application has one big requirement that doesn't let me use the search option. I am taking advantage of the fact that ApacheDS does not maintain referential integrity in DN-type attributes. So, the "memberOf" attribute has group DNs of groups that don't even exist in the Apache directory instance. I typically consider this a deficiency of the directory (seems to make sense that the directory would enforce that), but in this one instance I actually need it to work that way.

So, it is sounding like my only option is to create my own schema extension for "memberOf".

Tony

-----Original Message-----
From: Stefan Zoerner [mailto:[EMAIL PROTECTED]]
Sent: Friday, March 30, 2007 3:33 PM
To: Apache Directory Developers List
Subject: Re: V1.0.1 schema

Tony Thompson wrote:
> Yeah, I am using that on the group side but I want to keep track of
> the groups the user is in from the perspective of the user object.
> So, something like this:
>
> cn=MyGroup,dc=example,dc=org
> member: cn=MyUser,dc=example,dc=org
>
> cn=MyUser,dc=example,dc=org
> memberOf: cn=MyGroup,dc=example,dc=org
>
> Tony

Hi Tony!

I know that Active Directory does something exactly like that. Most directory servers I know don't.

The information is redundant, and it is not easy to keep both directions of the association consistent. It seems to be an advantage to have the ability to perform a simple lookup and know all the groups a user belongs to. But with clever filter choice, you can determine direct group membership with a single search op without an attribute on the user side. And for *all* groups a user belongs to (directly or via groups within groups), you always need an algorithm with several search ops -- even if you have both directions stored.

I recommend this article, if you do not already know it. It contains descriptions of the algorithms.
http://middleware.internet2.edu/dir/groups/rpr-nmi-edit-mace_dir-groups_best_practices-1.0.html

Greetings from Hamburg,
Stefan

This message (and any associated files) is intended only for the use of the individual or entity to which it is addressed and may contain information that is confidential, subject to copyright or constitutes a trade secret. If you are not the intended recipient you are hereby notified that any dissemination, copying or distribution of this message, or files associated with this message, is strictly prohibited. If you have received this message in error, please notify us immediately by replying to the message and deleting it from your computer. Messages sent to and from Stoneware, Inc. may be monitored.
