Re: memberOf



Pierangelo Masarati wrote:
"memberOf" is not part of any standard track schema definition, so it is
unlikely that OpenLDAP's slapd can handle it.  Moreover, as you're not
populating the directory with values for the memberOf attribute, it is
very unlikely that you can find occurrences of it in the data.  The
directory acts according to the garbage-in garbage-out principle, only it
doesn't accept all types of garbage, it requires garbage to comply with
schema.

If you expect OpenLDAP slapd to implement some automatic update of
back-links to group membership you're on the wrong trail.  Applications
(in this case, those clients that feed the directory) are supposed to
maintain them.

There has been in the past some activity to implement that in an overlay,
so that it is the DSA itself, or rather an embedded client, that maintains
that type of consistency; that project hung on the lack of some design
issues and on the lack of atomicity in multiple write operations that
characterized slapd at that time.  I guess LDAP transactions under
development for HEAD should solve those issues.  You may try to implement
your own, or I could try and revitalize that project in my spare time
(which might be never based on my current availability of spare time...).

p.

Thank you for the reply.

I see what you're saying... I found some past discussions on this topic:
http://www.openldap.org/lists/openldap-software/200204/msg00756.html

I'm just trying to support one standard mechanism, but it appears that there is none...
Active Directory does support a 'dynamic' memberOf attribute, which made me assume that it's some kind of a standard (I said that I'm very new to LDAP).


It looks like I'll have to implement two JAAS Login Modules for LDAP: one with and the other without dynamic memberOf support.

Thanks.

Pavel
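The two membership strategies the thread contrasts, as an added example that is not part of the original exchange or of OpenLDAP: reading a memberOf back-link (trustworthy only if the feeding application keeps it current, since slapd does not) versus a reverse search of group entries for the user's DN, which needs no back-link but requires the DN to be escaped before it goes into the filter. The directory contents, DNs and function names are constructed for illustration.

```python
# Constructed in-memory directory: dn -> attributes. The memberOf value on
# the user entry is deliberately stale (it misses cn=devs) to show why a
# back-link that nobody maintains cannot be trusted for authorization.
DIRECTORY = {
    "uid=pavel,ou=people,dc=example,dc=com": {
        "objectClass": ["inetOrgPerson"],
        "memberOf": ["cn=admins,ou=groups,dc=example,dc=com"],
    },
    "cn=admins,ou=groups,dc=example,dc=com": {
        "objectClass": ["groupOfNames"],
        "member": ["uid=pavel,ou=people,dc=example,dc=com"],
    },
    "cn=devs,ou=groups,dc=example,dc=com": {
        "objectClass": ["groupOfNames"],
        "member": ["uid=pavel,ou=people,dc=example,dc=com"],
    },
}


def escape_filter_value(value):
    """Escape the characters RFC 4515 reserves inside an assertion value,
    so a DN taken from a login name cannot alter the filter's structure."""
    return "".join("\\%02x" % ord(c) if c in "\\*()\x00" else c for c in value)


def reverse_membership_filter(user_dn):
    """Filter a client would send to find every group listing user_dn."""
    return "(&(objectClass=groupOfNames)(member=%s))" % escape_filter_value(user_dn)


def groups_via_memberof(user_dn):
    """Strategy 1: trust the back-link stored on the user entry."""
    return set(DIRECTORY.get(user_dn, {}).get("memberOf", []))


def groups_via_reverse_search(user_dn):
    """Strategy 2: stand-in for an LDAP search with reverse_membership_filter();
    evaluates the same equality match against the constructed entries."""
    return {
        dn for dn, attrs in DIRECTORY.items()
        if "groupOfNames" in attrs.get("objectClass", [])
        and user_dn in attrs.get("member", [])
    }


def missing_backlinks(user_dn):
    """Groups the reverse search finds that the memberOf back-link omits:
    exactly what an application maintaining back-links would have to repair."""
    return groups_via_reverse_search(user_dn) - groups_via_memberof(user_dn)
```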