Hi Nigel Jones,

As part of incremental sync support for Ranger, I was reading through the MS AD documentation for the memberOf attribute. According to the documentation, it looks like the memberOf attribute value is not stored and is always computed on the fly from the member attribute of the group.

In the OpenLDAP case, the memberOf attribute is not enabled by default as part of the schema. It has to be enabled manually. As far as I know, OpenLDAP doesn't maintain the back-link between the memberOf attribute of the user and the member/memberUid attribute of the group. It is up to the admin to create these values while adding/updating the users and groups. And the memberOf attribute is stored in the schema and the value is retrieved as is, without any computation from the group's member attribute.

Thanks,
Sailaja.

On 2/22/17, 8:00 AM, "Nigel Jones" <[email protected]> wrote:

> On 22/02/2017 16:43, Nigel Jones wrote:
>
>> Will raise a JIRA....
>
> I just came across RANGER-1211 ..... this talks about optimizing user
> sync through an incremental approach.
>
> Can anyone help with a MS AD question
>
> The document implies that the memberOf attribute on a user is
> *computed*, which would suggest it's ALWAYS possible to EFFICIENTLY
> retrieve the list of users that are member of a known role (member
> attribute against the group). Is this indeed the case? Only MD? How
> about OpenLDAP ?
>
> If so my problem probably goes away.......
>
> Thanks
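The consequence of the thread's point, as an added example (not code from Ranger or from either poster): when the directory does not maintain memberOf back-links, a sync must derive each user's groups from the groups' member/memberUid attributes, and any stored memberOf values should be treated as advisory and checked against that derivation. The entries below are constructed sample data shaped like the attribute dicts an LDAP client returns; the DNs and the `memberof` overlay behaviour assumed are illustrative.

```python
# Added example: derive user -> groups from group member attributes
# (the back-link OpenLDAP does not keep for you) and flag user entries
# whose stored memberOf disagrees with the groups' own member lists.
from collections import defaultdict

# Constructed sample entries (not real directory data).
USERS = {
    "uid=alice,ou=people,dc=example,dc=com": {"uid": "alice",
        "memberOf": ["cn=admins,ou=groups,dc=example,dc=com"]},
    "uid=bob,ou=people,dc=example,dc=com": {"uid": "bob",
        "memberOf": ["cn=admins,ou=groups,dc=example,dc=com"]},  # stale value
    "uid=carol,ou=people,dc=example,dc=com": {"uid": "carol", "memberOf": []},
}
GROUPS = {
    "cn=admins,ou=groups,dc=example,dc=com": {           # groupOfNames style
        "member": ["uid=alice,ou=people,dc=example,dc=com"]},
    "cn=devs,ou=groups,dc=example,dc=com": {             # posixGroup style
        "memberUid": ["bob", "carol"]},
}

def compute_memberof(users, groups):
    """Build user DN -> sorted list of group DNs from the groups' attributes.
    'member' holds user DNs; 'memberUid' holds uid values resolved via users."""
    uid_to_dn = {attrs["uid"]: dn for dn, attrs in users.items()}
    result = defaultdict(set)
    for gdn, gattrs in groups.items():
        for udn in gattrs.get("member", []):
            result[udn.lower()].add(gdn)          # DNs compare case-insensitively
        for uid in gattrs.get("memberUid", []):
            udn = uid_to_dn.get(uid)
            if udn:                               # unknown uid: nothing to link
                result[udn.lower()].add(gdn)
    return {udn: sorted(gs) for udn, gs in result.items()}

def find_stale_memberof(users, groups):
    """Compare each user's stored memberOf with the computed membership.
    Returns user DN -> (groups missing from memberOf, groups wrongly present)."""
    computed = compute_memberof(users, groups)
    stale = {}
    for udn, attrs in users.items():
        stored = set(attrs.get("memberOf", []))
        actual = set(computed.get(udn.lower(), []))
        if stored != actual:
            stale[udn] = (sorted(actual - stored), sorted(stored - actual))
    return stale

if __name__ == "__main__":
    for udn, (missing, extra) in find_stale_memberof(USERS, GROUPS).items():
        print(f"{udn}: missing={missing} extra={extra}")
```

Against an AD server the stored memberOf is computed by the server itself, so `find_stale_memberof` should report nothing; against OpenLDAP without the memberof overlay it shows exactly where admin-maintained values have drifted from the group entries.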
