LDAP2010/memberOf
Entities (people, organizations, etc.) can belong to groups. Any given instance of membership relates one entity to one group. There are two ways to look at a given membership:
- Entity E is a member of Group G, or
- Group G has Entity E as one of its members.
| Highlighted end of the association | Name of directional association | Multiplicity | Definition |
|---|---|---|---|
| Entity | isMemberOf | 0..* | The entity at one end of the association is a member of the group at the other end |
| Group | hasMember | 0..* | The group at one end of the association has the entity at the other end as one of its members |
LDAPGroups backends could be implemented using only the 'hasMember' relation. But in this case, Group.iter and Backend._retrieve_members will send one query for each user in the group: without isMemberOf, LDAP cannot return the records of the users that belong to a group in one request, and we can get only their distinguished names.
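The difference in request count, as an added example that is not MoinMoin's LDAPGroups code: a constructed in-memory directory counts the requests each strategy sends, and the group DN is escaped per RFC 4515 before it goes into the search filter. `FakeDirectory`, the sample entries and all helper names are assumptions made for illustration.

```python
import re

GROUP_DN = "cn=Staff (EU),ou=groups,dc=example,dc=org"  # constructed sample DN


class FakeDirectory:
    """Constructed in-memory stand-in for an LDAP server that counts requests."""

    def __init__(self, entries):
        self.entries = entries  # dn -> {attribute: [values]}
        self.queries = 0

    def read(self, dn):
        """Base-scope search: one request, at most one entry."""
        self.queries += 1
        return self.entries.get(dn)

    def search(self, ldap_filter):
        """Subtree search with a single equality filter: one request."""
        self.queries += 1
        attr, raw = re.fullmatch(r"\((\w+)=(.*)\)", ldap_filter).groups()
        # Undo the \XX escapes, as a server does when it parses the filter.
        value = re.sub(r"\\([0-9a-fA-F]{2})", lambda m: chr(int(m.group(1), 16)), raw)
        return [e for e in self.entries.values() if value in e.get(attr, [])]


def escape_filter_value(value):
    """Escape the RFC 4515 special characters before building a filter."""
    return "".join("\\%02x" % ord(c) if c in "\\*()\x00" else c for c in value)


def members_via_has_member(directory, group_dn):
    """hasMember only: read the group, then send one request per member DN."""
    group = directory.read(group_dn)
    return [directory.read(dn)["uid"][0] for dn in group["member"]]


def members_via_member_of(directory, group_dn):
    """isMemberOf available: one search returns every member entry."""
    found = directory.search("(memberOf=%s)" % escape_filter_value(group_dn))
    return [e["uid"][0] for e in found]


def build_directory(n_users, group_dn=GROUP_DN):
    """Build n_users constructed user entries plus the group that lists them."""
    users = {"uid=user%d,ou=people,dc=example,dc=org" % i:
             {"uid": ["user%d" % i], "memberOf": [group_dn]} for i in range(n_users)}
    entries = dict(users)
    entries[group_dn] = {"cn": ["Staff (EU)"], "member": list(users)}
    return FakeDirectory(entries)
```

For a group of 25 users the first strategy sends 26 requests and the second sends 1; the parentheses in the sample group DN only match because they are escaped as `\28` and `\29` in the filter.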
Common implementations in LDAP services
- Most OpenLDAP installations use only the 'hasMember' relationship.
- Microsoft Active Directory uses both.
- RHDS (389 Directory Server) supports both.
MoinMoin implementation
LDAPGroups has optional support for the memberOf attribute to improve the performance of retrieving a list of group members.
Testing memberOf
Since there is no standard schema in OpenLDAP that defines the isMemberOf kind of relationship, we can't test it without adding our own schema (we can just get one from http://middleware.internet2.edu/dir/docs/internet2-mace-dir-ldap-group-membership-200507.html, for example). Until we do so, we need to test it manually.