
Fetch Active Directory Group Members

Querying the "member" attribute of a group in Active Directory or other LDAP directories returns the user's distinguished name. PeopleUpdate, part of Web Active Directory's PeoplePlatform, gives administrators the power to configure user display by any of their attributes (for example their email address) when users are perusing or editing members of a group, not only their distinguished name, which wouldn't be very friendly, or their CN, which isn't always useful. The techniques for how best to do this are discussed in this article. There isn't a solution which will meet every need all the time.

Active Directory is Not a Relational Database

Active Directory isn't a relational database, and this is one place where one would wish that it acted like one. We would like to query the "member" attribute and join these results with the user objects. This would get us more user attributes for display. What are our options for doing this?

Complete Solution, but Poor Performance

Two solutions are of the more brute force type which give complete solutions but poor performance.

1. Query all users in your directory. This option works OK, but in practice querying all users in your directory is too expensive and slow.

2. Enumerate the group to get a list of distinguished names in the "member" attribute, then do a sub-query (lookup) on each user DN to find their other attribute(s). This option again does the job, but so many queries are impractical and too slow with larger groups.

Other solutions have pros and cons from a completeness, simplicity, and performance perspective:

3. Use a query on all users with a "memberOf" filter as: (&(objectCategory=Person)(memberof=CN=TheGroup, DC=Domain,DC=com)). (memberOf is an LDAP attribute whose values are the DNs of the groups the entry is a member of; whether it is available depends on the LDAP server implementation, but Active Directory is known to provide it as a virtual attribute.) Because you use "memberOf" you're getting the users you need without doing any particularly expensive queries. This option is better than #1 and #2 from a performance perspective. It won't get you users whose primary group is the group in question, and you will not get transitive group membership, where users are members because they belong to a group which itself is a member of that group. (This is the simple case; there could be several degrees of separation.) For this you need: (|(memberof:1.2.840.113556.:=CN=TheGroup, DC=Domain,DC=com)(primarygroupid=GroupRID)) where GroupRID is the last four of the group's SID.

4. Another method only takes two queries: one to get the group, and the other to get its members. In the case of group membership, it's a way of doing a kind of "join" on the "member" property of a particular group to get all the details and properties of its members that you want. This method can be used with ADSI (link) or with (link). This solution will not get you primary group membership, nor will it work across domains. This latter solution has the drawback of also perhaps being slow.

Sometimes when dealing with LDAP directory solutions, and Active Directory specifically, there aren't solutions where one choice perfectly satisfies all situations. A good identity management solution will pick smart defaults for administrators who don't know or care about these details. Such a system should let administrators who do care about them make informed choices based on their needs. PeoplePlatform is an identity management solution that has intelligent defaults but lets administrators make choices without themselves having to get into the messy details.
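The filters from option 3, built as an added example that is not code from the original article or from Web Active Directory's products. It assumes the full matching-rule OID 1.2.840.113556.1.4.1941 (the well-known Active Directory in-chain rule, which the article shows in truncated form), takes the RID from the final sub-authority of the group's binary objectSid, and escapes the group DN per RFC 4515 so a group name containing parentheses or asterisks cannot break or alter the filter; the sample SID is constructed, not from a real domain.

```python
import struct

# RFC 4515 escaping for any value placed inside a filter. A group name containing
# '(' , ')' or '*' would otherwise break the filter, or let untrusted input change
# what the filter matches, so escape before interpolating.
def escape_filter_value(value: str) -> str:
    return ''.join('\\%02x' % ord(c) if c in '\\*()\x00' else c for c in value)

def sid_bytes_to_string(sid: bytes) -> str:
    """Decode the binary objectSid AD returns into the familiar S-1-5-21-... form."""
    revision, count = sid[0], sid[1]
    authority = int.from_bytes(sid[2:8], 'big')
    subauths = struct.unpack_from('<%dI' % count, sid, 8)
    return 'S-%d-%d-%s' % (revision, authority, '-'.join(str(s) for s in subauths))

def rid_from_sid(sid: bytes) -> int:
    """The RID is the SID's final sub-authority; primaryGroupID stores exactly this number."""
    return struct.unpack_from('<I', sid, 8 + 4 * (sid[1] - 1))[0]

# Well-known AD matching rule OID for transitive (nested) membership evaluation.
LDAP_MATCHING_RULE_IN_CHAIN = '1.2.840.113556.1.4.1941'

def direct_members_filter(group_dn: str) -> str:
    """Option 3 in the text: direct members only; misses nesting and primary-group members."""
    return '(&(objectCategory=Person)(memberOf=%s))' % escape_filter_value(group_dn)

def complete_members_filter(group_dn: str, group_sid: bytes) -> str:
    """Nested members via the in-chain rule, plus users whose primary group is this group."""
    return '(|(memberOf:%s:=%s)(primaryGroupID=%d))' % (
        LDAP_MATCHING_RULE_IN_CHAIN, escape_filter_value(group_dn), rid_from_sid(group_sid))

# Constructed sample: a binary objectSid for a domain group with RID 513 (not a real domain).
SAMPLE_GROUP_SID = bytes([1, 5, 0, 0, 0, 0, 0, 5]) + struct.pack(
    '<5I', 21, 3623811015, 3361044348, 30300820, 513)
SAMPLE_GROUP_DN = 'CN=TheGroup,DC=Domain,DC=com'

if __name__ == '__main__':
    print(sid_bytes_to_string(SAMPLE_GROUP_SID))
    print(direct_members_filter(SAMPLE_GROUP_DN))
    print(complete_members_filter(SAMPLE_GROUP_DN, SAMPLE_GROUP_SID))
```

The returned strings go straight into the filter argument of whichever LDAP client you use; the in-chain rule is evaluated on the domain controller, which is what saves the per-member round trips of option 2.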
