Context
We're adding group membership filtering when importing members from an LDAP server into our application.
(Previously we imported all members from a given LDAP "base DN"; now administrators can restrict to certain groups, i.e. members of "Sales" and "HR" in the base DN).
Our application supports:
- SunONE
- Active Directory
Also, we plan to support static groups only, not dynamic groups.
How We Would Have Done It
In the past, we would use two lookups to replicate members into our database for this new functionality.
- lookup all members in the baseDN
- lookup all groups (with members) where group name is in the list (e.g. "Sales" or "HR"). Programmatically track via a Map "which users belong to which groups", i.e. using the "group member" attribute ("uniqueMember" in SunONE, "member" in ActiveDirectory)
- Intersect results of #1 and #2 to get 'members to import'
Can MemberOf/IsMemberOf Reduce queries and logic?
In briefish internet research, I found that SunONE and ActiveDirectory have an attribute (isMemberOf/memberOf) which identifies 'groups that this user belongs to'.
In theory, we could simplify the above logic to one LDAP query:
- Look up all members in the baseDN who are members of any of the groups
Known issues:
- memberOf/isMemberOf only supports static groups
- it does not support nested groups
Question
- Will this approach using memberOf/IsMemberOf work?
- Any caveats?
- What about OpenLDAP or other servers? Do they all support such an attribute? (I see that OpenLDAP has a memberOf "overlay", but an administrator must explicitly enable it)
Reference
SunOne: http://docs.oracle.com/cd/E19575-01/820-2763/bcajq/index.html
Active Directory: http://msdn.microsoft.com/en-us/library/ms677943.aspx
Related SO questions: How to write LDAP query to test if user is member of a group?
Will this approach using memberOf/IsMemberOf work?
It will work subject to the caveats.
Any caveats?
If it works the way the OpenLDAP implementation works, the memberOf attribute only works for entries made after it is enabled. It doesn't 'catch up'.
What about OpenLDAP or other servers? Do they all support such an attribute? (I see that OpenLDAP has a memberOf "overlay", but an administrator must explicitly enable it)
You can interrogate the root DN of any LDAP server to find out whether it supports the feature. You are correct about OpenLDAP's support of this.
I can't speak to Sun ONE, but Active Directory does support the memberOf attribute from users, and you can query on it. The attribute is a multi valued attribute that contains the distinguishedName of the groups the user belongs to.
That said, you will have to query for the group by its DN, and you can't use wildcard matching as a part of it. This does not natively support nested groups, but if you want, I would just add objectCategory to the query attributes and have a check for "if this member is another group, recur the lookup".
This all goes to hell if you have a loop in your group structure, but I'm pretty sure so does a lot of other things, and AD prevents you from doing that.
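An added example, not code from the question or either answer: a Python sketch of the single-filter approach from the question and of the recursive nested-group lookup with loop protection that the second answer describes, run over a constructed in-memory directory (the DNs and the simplified `objectCategory` values are assumptions).

```python
# Added example (not from the question or answers): build one memberOf filter
# for the "single LDAP query" approach, and expand nested groups by recursion
# with loop protection, over a constructed in-memory directory.
from typing import Dict, List, Optional, Set

def escape_filter_value(value: str) -> str:
    """RFC 4515 escaping for a value embedded in a search filter."""
    return (value.replace("\\", "\\5c").replace("*", "\\2a")
                 .replace("(", "\\28").replace(")", "\\29").replace("\x00", "\\00"))

def build_member_of_filter(group_dns: List[str], attr: str = "memberOf") -> str:
    """Filter for 'persons that are a direct member of any listed group'.
    memberOf holds full group DNs and must match exactly (no wildcards), so
    each DN is escaped and OR-ed. Use attr='isMemberOf' for SunONE."""
    clauses = "".join(f"({attr}={escape_filter_value(dn)})" for dn in group_dns)
    return f"(&(objectClass=person)(|{clauses}))"

# Constructed sample directory: DN -> attributes. The objectCategory values
# are simplified to "group"/"person" for the example (assumption).
DIRECTORY: Dict[str, Dict[str, List[str]]] = {
    "cn=Sales,ou=Groups,dc=example,dc=com": {
        "objectCategory": ["group"],
        "member": ["cn=alice,ou=People,dc=example,dc=com",
                   "cn=EU Sales,ou=Groups,dc=example,dc=com"],
    },
    "cn=EU Sales,ou=Groups,dc=example,dc=com": {
        "objectCategory": ["group"],
        "member": ["cn=bob,ou=People,dc=example,dc=com",
                   "cn=Sales,ou=Groups,dc=example,dc=com"],  # loop back to Sales
    },
    "cn=alice,ou=People,dc=example,dc=com": {"objectCategory": ["person"]},
    "cn=bob,ou=People,dc=example,dc=com": {"objectCategory": ["person"]},
}

def resolve_members(group_dn: str, seen: Optional[Set[str]] = None) -> Set[str]:
    """All person DNs in group_dn, expanding nested groups (objectCategory
    'group') and skipping groups already visited so a cycle cannot recurse
    forever."""
    seen = set() if seen is None else seen
    if group_dn in seen:
        return set()
    seen.add(group_dn)
    people: Set[str] = set()
    for dn in DIRECTORY.get(group_dn, {}).get("member", []):
        entry = DIRECTORY.get(dn, {})
        if "group" in entry.get("objectCategory", []):
            people |= resolve_members(dn, seen)
        else:
            people.add(dn)
    return people
```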
Source: https://stackoverflow.com/questions/9722889/ldap-is-the-memberof-ismemberof-attribute-reliable-for-determining-group-member