Tags: active-directory, ldap, openldap, sunone, active-directory-group

LDAP: Is the memberOf/isMemberOf attribute reliable for determining group membership? (SunONE / Active Directory / OpenLDAP)


Context

We're adding group membership filtering when importing members from an LDAP server into our application.

(Previously we imported all members from a given LDAP "base DN"; now administrators can restrict the import to certain groups, i.e. members of "Sales" and "HR" in the base DN.)

Our application supports:

Also, we plan to support static groups only, not dynamic groups.

How We Would Have Done It

In the past, we would use two lookups to replicate members into our database for this new functionality.

  1. Look up all members in the baseDN.
  2. Look up all groups (with members) whose group name is in the list (e.g. "Sales" or "HR"). Programmatically track, via a Map, "which users belong to which groups", i.e. using the "group member" attribute ("uniqueMember" in SunONE, "member" in Active Directory).
  3. Intersect the results of #1 and #2 to get the 'members to import'.

Can MemberOf/IsMemberOf Reduce queries and logic?

In briefish internet research, I found that SunONE and Active Directory have an attribute (isMemberOf/memberOf) which identifies the 'groups that this user belongs to'.

In theory, we could simplify the above logic to one LDAP query:

  1. Look up all members in the baseDN who are members of any of the groups.


Known issues:

  • memberOf/isMemberOf only supports static groups
  • it does not support nested groups

Question

Reference

SunOne: http://docs.oracle.com/cd/E19575-01/820-2763/bcajq/index.html

Active Directory: http://msdn.microsoft.com/en-us/library/ms677943.aspx

Related SO questions:

  • How to write LDAP query to test if user is member of a group?
  • memberOf vs. groupMembership in LDAP (Liferay)
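The following is an added example, not code from the question or the answer. It models both approaches from the question offline over a constructed directory snapshot: the two-lookup-and-intersect method, and the single memberOf/isMemberOf query. It also shows the two things a practitioner would want to check before shipping the single-query version: the group DNs placed into the filter come from administrator configuration, so they are escaped per RFC 4515 rather than concatenated raw, and a user who belongs to a selected group only through a nested group is returned by the two-lookup method (when it walks nesting) but not by the memberOf query. The schema (groupOfNames with `member`, users carrying `memberOf`), the DNs and the entries are all assumptions made for the example.

```python
"""Added example: two-lookup intersection vs. a single memberOf query,
evaluated in memory over a constructed directory snapshot (no LDAP server)."""
from typing import Dict, Iterable, List, Set

Entry = Dict[str, List[str]]   # attribute name -> list of values
Directory = Dict[str, Entry]   # DN -> entry

# --- constructed snapshot (assumed data, not from any real directory) -------
# Two static groups the administrator selected ("Sales", "HR"), one nested
# group ("Sales-West" is itself a member of "Sales"), and four users.
# carol's memberOf lists only the nested group: that is what a server that
# does not expand nesting stores, and it is the nested-group caveat.
BASE_DN = "dc=example,dc=com"
SALES = "cn=Sales,ou=groups,dc=example,dc=com"
SALES_WEST = "cn=Sales-West,ou=groups,dc=example,dc=com"
HR = "cn=HR,ou=groups,dc=example,dc=com"
ALICE = "uid=alice,ou=people,dc=example,dc=com"
BOB = "uid=bob,ou=people,dc=example,dc=com"
CAROL = "uid=carol,ou=people,dc=example,dc=com"
DAVE = "uid=dave,ou=people,dc=example,dc=com"

DIRECTORY: Directory = {
    ALICE: {"objectClass": ["person"], "uid": ["alice"], "memberOf": [SALES]},
    BOB: {"objectClass": ["person"], "uid": ["bob"], "memberOf": [HR]},
    CAROL: {"objectClass": ["person"], "uid": ["carol"], "memberOf": [SALES_WEST]},
    DAVE: {"objectClass": ["person"], "uid": ["dave"]},
    SALES: {"objectClass": ["groupOfNames"], "cn": ["Sales"], "member": [ALICE, SALES_WEST]},
    SALES_WEST: {"objectClass": ["groupOfNames"], "cn": ["Sales-West"], "member": [CAROL]},
    HR: {"objectClass": ["groupOfNames"], "cn": ["HR"], "member": [BOB]},
}

# --- building the single-query filter safely --------------------------------
_ESCAPES = {"\\": r"\5c", "*": r"\2a", "(": r"\28", ")": r"\29", "\x00": r"\00"}


def escape_filter_value(value: str) -> str:
    """RFC 4515 escaping for a value embedded in an LDAP search filter.
    The group DNs come from administrator configuration, so they must not
    be able to alter the structure of the filter."""
    return "".join(_ESCAPES.get(ch, ch) for ch in value)


def build_member_of_filter(group_dns: Iterable[str], attr: str = "memberOf") -> str:
    """Filter for 'user is in ANY of these groups'.  Pass attr="isMemberOf"
    for SunONE; the default "memberOf" is the Active Directory name."""
    clauses = [f"({attr}={escape_filter_value(dn)})" for dn in group_dns]
    if not clauses:
        raise ValueError("at least one group DN is required")
    return clauses[0] if len(clauses) == 1 else "(|" + "".join(clauses) + ")"


# --- the two ways of computing the member set -------------------------------
def _users_under(directory: Directory, base_dn: str) -> Set[str]:
    """Lookup #1 from the question: every user entry below the base DN."""
    return {dn for dn, e in directory.items()
            if dn.lower().endswith(base_dn.lower()) and "person" in e.get("objectClass", [])}


def members_via_two_lookups(directory: Directory, base_dn: str, group_names: Iterable[str],
                            member_attr: str = "member", expand_nested: bool = False) -> Set[str]:
    """Lookup #1 intersected with lookup #2.  member_attr is "uniqueMember"
    on SunONE and "member" on Active Directory.  expand_nested=True walks
    group-in-group membership, which a plain memberOf query cannot do."""
    wanted = {n.lower() for n in group_names}
    todo = [dn for dn, e in directory.items() if any(cn.lower() in wanted for cn in e.get("cn", []))]
    members: Set[str] = set()
    seen: Set[str] = set()          # guards against group membership cycles
    while todo:
        g = todo.pop()
        if g in seen:
            continue
        seen.add(g)
        for m in directory.get(g, {}).get(member_attr, []):
            is_group = "groupOfNames" in directory.get(m, {}).get("objectClass", [])
            if is_group and expand_nested:
                todo.append(m)      # descend into the nested group
            else:
                members.add(m)      # a user DN (or an unexpanded group DN)
    return _users_under(directory, base_dn) & members   # lookup #1 AND lookup #2


def members_via_member_of(directory: Directory, base_dn: str, group_dns: Iterable[str],
                          attr: str = "memberOf") -> Set[str]:
    """In-memory evaluation of the filter build_member_of_filter() produces,
    i.e. what the server returns for the one-query approach.  Only direct
    membership is visible, so members of nested groups are missed."""
    wanted = {dn.lower() for dn in group_dns}
    return {dn for dn in _users_under(directory, base_dn)
            if any(g.lower() in wanted for g in directory[dn].get(attr, []))}


def uids(dns: Iterable[str], directory: Directory = DIRECTORY) -> List[str]:
    """Convenience: sorted uid values for a set of user DNs."""
    return sorted(directory[dn]["uid"][0] for dn in dns)


if __name__ == "__main__":
    print(build_member_of_filter([SALES, HR]))
    print("two lookups, flat:  ", uids(members_via_two_lookups(DIRECTORY, BASE_DN, ["Sales", "HR"])))
    print("two lookups, nested:", uids(members_via_two_lookups(DIRECTORY, BASE_DN, ["Sales", "HR"], expand_nested=True)))
    print("memberOf query:     ", uids(members_via_member_of(DIRECTORY, BASE_DN, [SALES, HR])))
```

In a real import the string from `build_member_of_filter()` is what you hand to your LDAP client's search call against the base DN; the in-memory `members_via_member_of()` only stands in for the server so the comparison runs offline. The flat two-lookup result and the memberOf result agree (alice, bob) because both see only direct membership; carol, a member through the nested Sales-West group, appears only when the two-lookup method is told to expand nesting. If nested groups ever need to be honoured, the intersection approach with `expand_nested=True` is the portable way to do it; Active Directory additionally offers a server-side transitive match rule (the `LDAP_MATCHING_RULE_IN_CHAIN` extensible match, which is not covered by the page), but neither SunONE's isMemberOf nor OpenLDAP's memberOf overlay expands nesting for you.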


Solution

  • Will this approach using memberOf/IsMemberOf work?

    It will work, subject to the caveats.

  • Any caveats?

    If it works the way the OpenLDAP implementation works, the memberOf attribute only works for entries made after it is enabled. It doesn't 'catch up'.

  • What about OpenLDAP or other servers? Do they all support such an attribute? (I see that OpenLDAP has a memberOf "overlay", but an administrator must explicitly enable it.)

    You can interrogate the root DN of any LDAP server to find out whether it supports the feature. You are correct about OpenLDAP's support of this.