Context
We're adding group membership filtering when importing members from an LDAP server into our application.
(Previously we imported all members from a given LDAP "base DN"; now administrators can restrict to certain groups, i.e. members of "Sales" and "HR" in the base DN.)
Our application supports:
- SunONE
- Active Directory
Also, we plan to support static groups only, not dynamic groups.
How We Would Have Done It
In the past, we would use two lookups to replicate members into our database for this new functionality.
1. Look up all members in the baseDN.
2. Look up all groups (with members) where the group name is in the list (e.g. "Sales" or "HR"). Programmatically track via a Map "which users belong to which groups", i.e. using the "group member" attribute ("uniqueMember" in SunONE, "member" in Active Directory).
3. Intersect the results of #1 and #2 to get the 'members to import'.
Can MemberOf/IsMemberOf Reduce queries and logic?
In briefish internet research, I found that SunONE and Active Directory have an attribute (isMemberOf/memberOf) which identifies 'groups that this user belongs to'.
In theory, we could simplify the above logic to one LDAP query:
- Look up all members in the baseDN who are members of any of the groups.
Known issues:
- memberOf/isMemberOf only supports static groups
- it does not support nested groups
Question
- Will this approach using memberOf/IsMemberOf work?
- Any caveats?
- What about OpenLDAP or other servers? Do they all support such an attribute? (I see that OpenLDAP has a memberOf "overlay", but an administrator must explicitly enable it.)
Reference
SunONE: http://docs.oracle.com/cd/E19575-01/820-2763/bcajq/index.html
Active Directory: http://msdn.microsoft.com/en-us/library/ms677943.aspx
Related SO questions:
- How to write LDAP query to test if user is member of a group?
- memberOf vs. groupMembership in LDAP (Liferay)
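The single-query filter proposed above, together with the two-lookup intersection as a fallback for servers without memberOf, as an added example that is not part of the question. The attribute name is a parameter ("memberOf" for Active Directory, "isMemberOf" for SunONE), group DNs are escaped per RFC 4515 so that an administrator-entered group name cannot change the filter's structure, and the DN layout under ou=groups is constructed for illustration only.

```python
# Added example, not code from the question. Builds the one-query filter
# for "members of any of these groups" and a fallback intersection for
# servers that expose no memberOf/isMemberOf attribute.


def escape_filter_value(value: str) -> str:
    """Escape a value for use inside an LDAP search filter (RFC 4515).

    Backslash, '*', '(', ')' and NUL become \\XX hex escapes, so a group
    name such as 'Sales (EMEA)' or a stray '*' cannot widen the filter.
    """
    return "".join(
        "\\%02x" % ord(ch) if ch in "\\*()\x00" else ch for ch in value
    )


def build_group_member_filter(group_dns, member_of_attr="memberOf",
                              person_class="person"):
    """Return a filter matching entries that belong to ANY listed group.

    Only direct (static) membership is matched: memberOf/isMemberOf does
    not expand nested groups, as noted in the question.
    """
    if not group_dns:
        raise ValueError("at least one group DN is required")
    clauses = "".join(
        "(%s=%s)" % (member_of_attr, escape_filter_value(dn)) for dn in group_dns
    )
    if len(group_dns) == 1:           # no OR needed for a single group
        return "(&(objectClass=%s)%s)" % (person_class, clauses)
    return "(&(objectClass=%s)(|%s))" % (person_class, clauses)


def intersect_members(base_members, group_memberships):
    """Fallback for servers without memberOf (the two-lookup approach).

    base_members: DNs found under the base DN.
    group_memberships: {group name: [member DNs from uniqueMember/member]}.
    DNs are compared case-insensitively, as LDAP DN matching is.
    """
    in_any_group = set()
    for members in group_memberships.values():
        in_any_group.update(m.lower() for m in members)
    return sorted(dn for dn in base_members if dn.lower() in in_any_group)
```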