On 19/03/15 00:50, Michael Perelman wrote:
> While using Apache LDAP java APIs, is there a way to check for group 
> membership during the binding process? Or is the only way to determine group 
> membership by doing a regular lookup, and only after binding? The latter
> approach may not work because the authenticated user may not have the access 
> rights to perform any lookups, thereby forcing the use of an LDAP 
> administrator. That means that its credentials need to be stored somewhere 
> outside the LDAP server in order for the client code to use its account for 
> the aforementioned lookup. What approach would you suggest?
>
I'm not sure what you want to do here. What is your "check for group
membership" in LDAP terms?

If you mean you want to look at the content of the 'member' attribute,
then yes, a lookup is the way. If you don't want to do that regularly,
then using the persistentSearch control might be an option: you will be
informed of any change done on this attribute.

Obviously, you will depend on your LDAP server settings to have access
to this attribute. If your server does not allow operations to be done
without any binding (yes, you can do a search without doing any bind,
this is allowed by the protocol, but most generally forbidden by some
server configuration), then depending on the authorization, you might
also have to pick the right user to complete such a lookup.

All in all, it's really a server configuration problem...
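
An added example, not part of the original mail and not the project's own code: binding as the user and then doing the 'member' lookup on the same connection with the Apache LDAP API, reading the search result code so a refused search is not mistaken for "no groups". The host, DNs, class name and the `escape` helper are assumptions, as is a group schema whose 'member' values are user DNs.

```java
import org.apache.directory.api.ldap.model.cursor.SearchCursor;
import org.apache.directory.api.ldap.model.message.ResultCodeEnum;
import org.apache.directory.api.ldap.model.message.SearchRequest;
import org.apache.directory.api.ldap.model.message.SearchRequestImpl;
import org.apache.directory.api.ldap.model.message.SearchScope;
import org.apache.directory.api.ldap.model.name.Dn;
import org.apache.directory.ldap.client.api.LdapConnection;
import org.apache.directory.ldap.client.api.LdapNetworkConnection;
import java.util.ArrayList;
import java.util.List;

public class GroupLookupAfterBind {
    // Hypothetical helper: escape a value for a search filter (RFC 4515) so a DN
    // containing '\', '*', '(' or ')' cannot change the filter. Backslash goes first.
    static String escape(String v) {
        return v.replace("\\", "\\5c").replace("*", "\\2a")
                .replace("(", "\\28").replace(")", "\\29").replace("\0", "\\00");
    }

    // Bind as the user, then search for entries whose 'member' holds the user's DN.
    static List<String> groupsOf(LdapConnection conn, String userDn, String password,
                                 String groupBase) throws Exception {
        conn.bind(userDn, password);               // throws LdapException if rejected
        SearchRequest req = new SearchRequestImpl();
        req.setBase(new Dn(groupBase));
        req.setScope(SearchScope.SUBTREE);
        req.setFilter("(member=" + escape(userDn) + ")");
        req.addAttributes("cn");
        List<String> groups = new ArrayList<>();
        try (SearchCursor cursor = conn.search(req)) {
            while (cursor.next()) {
                if (cursor.isEntry()) groups.add(cursor.getEntry().getDn().getName());
            }
            // The final SearchResultDone carries the server's verdict, for example
            // INSUFFICIENT_ACCESS_RIGHTS when the bound user may not search here.
            ResultCodeEnum rc = cursor.getSearchResultDone().getLdapResult().getResultCode();
            if (rc != ResultCodeEnum.SUCCESS) throw new IllegalStateException("search: " + rc);
        }
        return groups;
    }

    public static void main(String[] args) throws Exception {
        // Constructed sample values: host, port and DNs are placeholders.
        try (LdapConnection conn = new LdapNetworkConnection("ldap.example.com", 636, true)) {
            String pw = new String(System.console().readPassword("Password: "));
            System.out.println(groupsOf(conn, "uid=jdoe,ou=people,dc=example,dc=com",
                    pw, "ou=groups,dc=example,dc=com"));
        }
    }
}
```

An empty list with a success code is still ambiguous: some servers return no entries when access control hides the group entries or the 'member' attribute from the bound user, so treat it as "unknown" unless the server's ACLs are known to allow that read.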
