LDAP: Is the memberOf/IsMemberOf attribute reliable for determining group membership: SunONE/ActiveDirectory / OpenLDAP

Submitted by 荒凉一梦 on 2019-12-07 04:00:26
Will this approach using memberOf/IsMemberOf work?

It will work subject to the caveats.

Any caveats?

If it works the way the OpenLDAP implementation works, the memberOf attribute only works for entries made after it is enabled. It doesn't 'catch up'.

What about OpenLDAP or other servers? Do they all support such an attribute? (I see that OpenLDAP has a memberOf "overlay", but an administrator must explicitly enable it.)

You can interrogate the root DN of any LDAP server to find out whether it supports the feature. You are correct about OpenLDAP's support of this.

I can't speak to Sun ONE, but Active Directory does support the memberOf attribute from users, and you can query on it. The attribute is a multi valued attribute that contains the distinguishedName of the groups the user belongs to.

That said, you will have to query for the group by its DN, and you can't use wildcard matching as a part of it. This does not natively support nested groups, but if you want, I would just add objectCategory to the query attributes and have a check for "if this member is another group, recur the lookup".

This all goes to hell if you have a loop in your group structure, but I'm pretty sure so does a lot of other things, and AD prevents you from doing that.
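The recursive lookup sketched in the answer above, as an added example that is not part of the original post. It runs over a constructed in-memory directory (DN to attributes, mimicking what an AD search would return for memberOf and objectCategory) rather than a live LDAP server, so the group DNs, the objectCategory prefix used to recognise a group, and the depth limit are all assumptions. It shows the two things the answers warn about: a cycle in the group structure is stopped by a visited set rather than recursing forever, and an entry whose memberOf was never populated (the OpenLDAP "doesn't catch up" caveat) simply yields no groups, which a caller must not mistake for a definitive "not a member".

```python
from typing import Dict, List, Set

Entry = Dict[str, List[str]]
Directory = Dict[str, Entry]

# Assumption: group objects carry an objectCategory under CN=Group,... as in AD.
GROUP_CATEGORY_PREFIX = "cn=group,"

# Constructed sample directory (not real data). "Engineering" lists "Devs" in its
# memberOf to simulate a loop; "bob" has no memberOf at all, like an OpenLDAP entry
# created before the memberOf overlay was enabled.
SAMPLE_DIRECTORY: Directory = {
    "CN=alice,OU=Users,DC=example,DC=com": {
        "objectCategory": ["CN=Person,CN=Schema,CN=Configuration,DC=example,DC=com"],
        "memberOf": ["CN=Devs,OU=Groups,DC=example,DC=com"],
    },
    "CN=bob,OU=Users,DC=example,DC=com": {
        "objectCategory": ["CN=Person,CN=Schema,CN=Configuration,DC=example,DC=com"],
    },
    "CN=Devs,OU=Groups,DC=example,DC=com": {
        "objectCategory": ["CN=Group,CN=Schema,CN=Configuration,DC=example,DC=com"],
        "memberOf": ["CN=Engineering,OU=Groups,DC=example,DC=com"],
    },
    "CN=Engineering,OU=Groups,DC=example,DC=com": {
        "objectCategory": ["CN=Group,CN=Schema,CN=Configuration,DC=example,DC=com"],
        "memberOf": [
            "CN=Staff,OU=Groups,DC=example,DC=com",
            "CN=Devs,OU=Groups,DC=example,DC=com",  # cycle back to Devs
        ],
    },
    "CN=Staff,OU=Groups,DC=example,DC=com": {
        "objectCategory": ["CN=Group,CN=Schema,CN=Configuration,DC=example,DC=com"],
        "memberOf": [],
    },
}


def _normalize(dn: str) -> str:
    # DNs are matched case-insensitively; normalising avoids missing a loop
    # (or a membership) because two references differ only in case.
    return dn.strip().lower()


def _index(directory: Directory) -> Dict[str, Entry]:
    return {_normalize(dn): attrs for dn, attrs in directory.items()}


def is_group(entry: Entry) -> bool:
    # The "is this member another group" check from the answer, via objectCategory.
    return any(_normalize(c).startswith(GROUP_CATEGORY_PREFIX)
               for c in entry.get("objectCategory", []))


def effective_groups(user_dn: str, directory: Directory, max_depth: int = 32) -> Set[str]:
    """Return the normalised DNs of every group the user belongs to, nested included.

    Group DNs come straight from memberOf, so the result is only as complete as the
    server's memberOf maintenance (see the OpenLDAP caveat). A visited set stops
    cycles; max_depth is a belt-and-braces bound against pathological chains.
    """
    index = _index(directory)
    seen: Set[str] = set()
    start = index.get(_normalize(user_dn), {})
    frontier = [(_normalize(g), 1) for g in start.get("memberOf", [])]
    while frontier:
        dn, depth = frontier.pop()
        if dn in seen:
            continue  # loop or diamond: this group was already expanded
        seen.add(dn)
        entry = index.get(dn)
        # Only recurse into entries we can read and that really are groups.
        if entry is None or not is_group(entry) or depth >= max_depth:
            continue
        for parent in entry.get("memberOf", []):
            frontier.append((_normalize(parent), depth + 1))
    return seen


def is_member_of(user_dn: str, group_dn: str, directory: Directory) -> bool:
    return _normalize(group_dn) in effective_groups(user_dn, directory)


if __name__ == "__main__":
    print(sorted(effective_groups("CN=alice,OU=Users,DC=example,DC=com", SAMPLE_DIRECTORY)))
    print(is_member_of("CN=alice,OU=Users,DC=example,DC=com",
                       "CN=Staff,OU=Groups,DC=example,DC=com", SAMPLE_DIRECTORY))
    print(effective_groups("CN=bob,OU=Users,DC=example,DC=com", SAMPLE_DIRECTORY))
```

Against a real server the lookups in `_index` would become one base-scope search per group DN returning `memberOf` and `objectCategory`, exactly the attributes the answer suggests adding; the visited set and the depth bound stay the same. The empty result for `bob` is the point of the first caveat: an absent memberOf is "unknown", so an authorisation decision should treat it as a signal to fall back to checking the group's own `member` attribute rather than as proof of non-membership.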
