Hi!

On Mon, Mar 8, 2010 at 4:49 PM, Cody Burleson <[email protected]> wrote:
> The memberOf attribute is actually common to several LDAP servers, although
> the attribute goes by a different name in each. It is available in AD, IBM's
> LDAP server, Novell eDirectory, and others.
> This is a very important feature because it allows users to announce
> membership to applications at login and from a performance perspective, it
> can make a huge difference. Instead of searching all groups to determine
> whether or not a user has membership, applications can simply check the
> memberOf attribute. WebSphere Portal, for example, recommends this approach
> for improving login times when configuring the portal server to authenticate
> against LDAP.

As most LDAP servers perform well when searching in a container or subtree, this feature may gain some performance when trying to iterate all the group memberships of a user object. On the other hand, it may reduce server performance on some more complex setups like distributed databases and will add payload to searches w/o specific attribute lists.

As long as it is optional and configurable (e.g. constrain calculation to specific container, objectClass and membership attribute), it may help in some setups and be convenient for a lot of applications.

Regards,
Linus
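
Added example, not part of the original message or of any server's code: a sketch of a computed memberOf value limited by the three constraints named above (container, objectClass, membership attribute). The directory entries, the function names and the simplified DN normalization (no escaped commas, values compared case-insensitively) are assumptions made for the illustration.

```python
# Constructed sample entries (DN -> attributes); not taken from any real server.
ALICE = "uid=alice,ou=people,dc=example,dc=org"
DIRECTORY = {
    ALICE: {"objectClass": ["inetOrgPerson"]},
    "cn=admins,ou=groups,dc=example,dc=org": {
        "objectClass": ["groupOfNames"],
        "member": ["UID=Alice, OU=People, DC=example, DC=org"]},  # same DN, other spelling
    "cn=staff,ou=groups,dc=example,dc=org": {
        "objectClass": ["groupOfUniqueNames"], "uniqueMember": [ALICE]},
    "cn=legacy,ou=archive,dc=example,dc=org": {
        "objectClass": ["groupOfNames"], "member": [ALICE]},
    "cn=notes,ou=groups,dc=example,dc=org": {
        "objectClass": ["document"], "member": [ALICE]},
}


def rdns(dn):
    """Normalize a DN to a tuple of lower-cased RDNs (assumes no escaped commas)."""
    return tuple("=".join(p.strip().lower() for p in rdn.split("=", 1))
                 for rdn in dn.split(","))


def in_subtree(dn, base_dn):
    """True if dn lies below base_dn, compared RDN by RDN rather than by string suffix."""
    d, b = rdns(dn), rdns(base_dn)
    return len(d) > len(b) and d[-len(b):] == b


def compute_member_of(directory, user_dn, base_dn, group_class, member_attr):
    """Derive memberOf for user_dn from groups that match the configured constraints."""
    user, wanted, groups = rdns(user_dn), group_class.lower(), []
    for dn, attrs in directory.items():
        if not in_subtree(dn, base_dn):
            continue  # outside the configured container
        if wanted not in (oc.lower() for oc in attrs.get("objectClass", [])):
            continue  # not the configured group objectClass
        if any(rdns(m) == user for m in attrs.get(member_attr, [])):
            groups.append(dn)
    return sorted(groups)


if __name__ == "__main__":
    print(compute_member_of(DIRECTORY, ALICE, "ou=groups,dc=example,dc=org",
                            "groupOfNames", "member"))
```

An application that makes authorization decisions from the computed value sees only groups inside the configured scope, so the scope has to cover every group that carries access rights.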
