I'd suggest you create a feature request in Jira [1] and you all can vote on that feature request.
I think it can be implemented by a new interceptor, and there are different implementation strategies:

- The attribute can be added dynamically to search results. In that case the interceptor needs to perform an additional search to find all groups the user is a member of and add the resulting group DNs to the search result entry. This approach has an impact on search performance.
- The interceptor can modify the user entries whenever a group's member attribute is modified. This approach has an impact on write performance.

Of course you all are invited to implement such an interceptor.

Kind Regards,
Stefan

[1] https://issues.apache.org/jira/browse/DIRSERVER

Cody Burleson wrote:
> The memberOf attribute is actually common to several LDAP servers, although
> the attribute goes by a different name in each. It is available in AD, IBM's
> LDAP server, Novell eDirectory, and others.
>
> This is a very important feature because it allows users to announce
> membership to applications at login and from a performance perspective, it
> can make a huge difference. Instead of searching all groups to determine
> whether or not a user has membership, applications can simply check the
> memberOf attribute. WebSphere Portal, for example, recommends this approach
> for improving login times when configuring the portal server to authenticate
> against LDAP.
>
> Please consider this a vote in favor of the feature.
>
> Cody Burleson
> Burleson Technology Group
> Mobile: (214) 537-8783
> Skype: codyburleson
>
>
> On Mon, Mar 8, 2010 at 8:51 AM, Martin Schuster (IFKL IT OS DSM CD) <
> [email protected]> wrote:
>
>> Linus van Geuns wrote:
>>> [...]
>>> I guess, your web app was designed for M$ Active Directory, as it
>>> stores group memberships in the groups object AND in the users object
>>> using 'memberOf' attribute.
>>>
>>> Standard LDAP only stores group membership in the group objects.
>>> [...]
>> I'm working with a SunDS (modified Novell LDAP server afaik), and it
>> also has this feature, i.e. if you have a group
>>
>> dn: cn=goodguys,dc=example,dc=com
>> uniqueMember: uid=superman,ou=people,dc=example,dc=com
>>
>> then the entry for this user will automatically have a correct
>> "isMemberOf" attribute
>>
>> dn: uid=superman,ou=people,dc=example,dc=com
>> isMemberOf: cn=goodguys,dc=example,dc=com
>>
>> If ApacheDS doesn't have this feature, it would be nice to have :)
>>
>> br,
>> --
>> Infineon Technologies IT-Services GmbH [email protected]
>> Lakeside B05, 9020 Klagenfurt, Austria Martin Schuster
>> FB: LG Klagenfurt, FN 246787y +43 5 1777 3517
>>
>
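
The two interceptor strategies described in Stefan's reply, modelled in memory as an added example (not part of the thread and not ApacheDS code). The `Directory` class, its method names and the simplified DN normalisation are assumptions; the sample DNs are the ones quoted in the thread plus a constructed `cn=flyers` group.

```python
class Directory:
    """Constructed in-memory model of group and user entries (not ApacheDS code)."""

    def __init__(self):
        self.groups = {}     # group DN -> set of member DNs (authoritative data)
        self.member_of = {}  # user DN -> set of group DNs (maintained on write)

    @staticmethod
    def norm(dn):
        # Simplified DN normalisation (assumption): lower-case, trim around commas.
        # Real DN matching must also handle escaped commas and attribute syntaxes.
        return ",".join(part.strip().lower() for part in dn.split(","))

    def set_group_members(self, group_dn, members):
        """Write-time strategy: on each group change, patch the affected user entries."""
        group = self.norm(group_dn)
        new = {self.norm(m) for m in members}
        old = self.groups.get(group, set())
        for user in new - old:          # users added to the group
            self.member_of.setdefault(user, set()).add(group)
        for user in old - new:          # users removed: drop the back-reference too
            self.member_of[user].discard(group)
        self.groups[group] = new

    def member_of_stored(self, user_dn):
        """Read path of the write-time strategy: one lookup, no group search."""
        return sorted(self.member_of.get(self.norm(user_dn), set()))

    def member_of_dynamic(self, user_dn):
        """Search-time strategy: compute the attribute by scanning every group."""
        user = self.norm(user_dn)
        return sorted(g for g, members in self.groups.items() if user in members)


def demo():
    d = Directory()
    superman = "uid=superman,ou=people,dc=example,dc=com"
    d.set_group_members("cn=goodguys,dc=example,dc=com", [superman])
    # Same user written with different case: must map to the same entry.
    d.set_group_members("cn=flyers,dc=example,dc=com", [superman.upper()])
    before = d.member_of_stored(superman)
    d.set_group_members("cn=flyers,dc=example,dc=com", [])  # membership revoked
    return before, d.member_of_stored(superman), d.member_of_dynamic(superman)


if __name__ == "__main__":
    print(demo())
```

If the write-time bookkeeping misses a removal, an application that trusts the stored attribute keeps seeing a revoked membership, so comparing it against the search-time result is a useful consistency check.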
