Is there an LDAP standard group membership attribute for users?
By the standards, only the member attribute on the group (as used by Microsoft Active Directory) can be "counted" on.
RFC 4519 section 2.17 states: "The 'member' attribute type contains the distinguished names of objects that are on a list or in a group. Each name is one value of this multi-valued attribute."
The memberOf (used by Microsoft Active Directory) and groupMembership (used by eDirectory) are implementation-specific attributes added to the user.
The memberOf (used by Microsoft Active Directory) attribute is controlled by the server and is not modifiable (flagged as Read Only from LDAP and System-Only in MS speak).
-jim
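The portable approach the answer describes (trust only the group's `member` attribute, and walk the groups yourself rather than relying on a server-specific `memberOf`) is illustrated below. This is an added example, not code from the answer or from any of the directory products named on this page. It runs against a small constructed in-memory directory; the DNs, group names and the `DIRECTORY` table are made up for illustration, and `normalize_dn` is a deliberate simplification of real distinguished-name matching. The `build_member_filter` helper shows the filter you would send to a real server, with the user DN escaped per RFC 4515 so that a DN containing `*`, `(`, `)` or `\` cannot alter the filter.

```python
"""Resolve a user's groups from the standard `member` attribute on group entries.

Added example (not part of the original answer). Everything below is constructed:
the sample directory, the DNs and the group names are hypothetical.
"""

# Constructed sample directory: DN -> attributes (multi-valued, stored as lists).
# `staff` contains the `developers` group rather than alice directly, to show
# nesting, which a plain memberOf lookup would not resolve.
DIRECTORY = {
    "uid=alice,ou=people,dc=example,dc=com": {
        "objectClass": ["inetOrgPerson"],
        "uid": ["alice"],
    },
    "uid=bob,ou=people,dc=example,dc=com": {
        "objectClass": ["inetOrgPerson"],
        "uid": ["bob"],
    },
    "cn=developers,ou=groups,dc=example,dc=com": {
        "objectClass": ["groupOfNames"],
        "member": ["uid=alice,ou=people,dc=example,dc=com"],
    },
    "cn=staff,ou=groups,dc=example,dc=com": {
        "objectClass": ["groupOfNames"],
        "member": ["cn=developers,ou=groups,dc=example,dc=com"],
    },
    "cn=admins,ou=groups,dc=example,dc=com": {
        "objectClass": ["groupOfNames"],
        "member": ["uid=bob,ou=people,dc=example,dc=com"],
    },
}


def escape_filter_value(value: str) -> str:
    """Escape a value for use inside an LDAP search filter (RFC 4515).

    Unescaped user input in a filter is the classic LDAP-injection vector;
    the DN of an authenticated user is still input from the caller's view.
    """
    out = []
    for ch in value:
        if ch in ("\\", "*", "(", ")", "\x00"):
            out.append("\\%02x" % ord(ch))
        else:
            out.append(ch)
    return "".join(out)


def build_member_filter(user_dn: str) -> str:
    """Filter that finds groups listing `user_dn` in their `member` attribute."""
    return "(&(objectClass=groupOfNames)(member=%s))" % escape_filter_value(user_dn)


def normalize_dn(dn: str) -> str:
    """Simplified DN normalization (hypothetical helper, not RFC 4517 matching):
    trims whitespace around RDNs and lowercases. Good enough for the sample data."""
    return ",".join(part.strip() for part in dn.split(",")).lower()


def direct_groups(directory, member_dn):
    """Groups whose `member` attribute contains `member_dn` (what the server
    would return for build_member_filter(member_dn))."""
    target = normalize_dn(member_dn)
    return sorted(
        dn
        for dn, attrs in directory.items()
        if "groupOfNames" in attrs.get("objectClass", [])
        and any(normalize_dn(m) == target for m in attrs.get("member", []))
    )


def groups_for_user(directory, user_dn, nested=True):
    """Walk group membership starting from `user_dn`.

    nested=False returns only direct groups (the same information memberOf
    would give); nested=True follows groups that are members of other groups,
    with a visited set to survive membership cycles.
    """
    found = []
    visited = set()
    queue = [user_dn]
    while queue:
        dn = queue.pop(0)
        for group in direct_groups(directory, dn):
            key = normalize_dn(group)
            if key in visited:
                continue
            visited.add(key)
            found.append(group)
            if nested:
                queue.append(group)
    return found


if __name__ == "__main__":
    alice = "uid=alice,ou=people,dc=example,dc=com"
    print(build_member_filter(alice))
    print("direct:", groups_for_user(DIRECTORY, alice, nested=False))
    print("nested:", groups_for_user(DIRECTORY, alice))
```

Against a real server you would send the string from `build_member_filter` as the search filter under the groups base and read the DNs of the matching entries; the in-memory `direct_groups` stands in for that round trip. The `nested=True` walk costs one search per group level, which is the "traversing" the comments on the question refer to; Active Directory additionally offers the `1.2.840.113556.1.4.1941` (LDAP_MATCHING_RULE_IN_CHAIN) matching rule to resolve nesting in a single query, but that is AD-specific, like memberOf itself.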
tftd, updated on June 06, 2022

Comments
- tftd, almost 2 years: I'm currently working on an application which uses LDAP as an authentication method. I was wondering if the LDAP protocol has a standard membership attribute which would hold the user's group? So far memberOf is working in OpenLDAP and Active Directory but not in Apache DS. I couldn't find this attribute in the RFCs so I'm kind of confused. Should I be using the memberOf attribute or do I need to go the old-fashioned way, traversing over all of the groups to find which group has the member?
- user207421, about 10 years: 'memberOf' is an operational attribute so you won't find it in RFCs. OpenLDAP only has it if you configure it.
- tftd, about 10 years: Thank you for clearing this! Are there any other "workarounds" except traversing? I would like to avoid it, if possible.
- Ashigore, about 10 years: @tftd memberOf only holds groups that the user is directly a member of anyway, not groups they are a member of via other group members.