Re: [Fedora-directory-devel] Re: Problems creating a Samba4 LDAP Backend

On 22/03/2008, at 10:17 AM, Andrew Morgan wrote: > On Sat, 22 Mar 2008, Luke Howard wrote: > >>>> To me, this says that the directory does an internal group >>>> search to >>>> generate the isMemberOf attribute on the fly. I believe this is >>>> the way >>>> Active Directory handles the memberOf attribute as well. >>> IIRC in AD memberOf is a linked attribute, stored permanently. >> >> >> From memory, AD stores the entry IDs of the link tuples in a >> separate table, so both "member" and "memberOf" are ostensibly >> generated on the fly. But this is really an implementation >> decision (although things do start to get interesting when dealing >> with references across partition boundaries). > > I noticed that the memberOf tab in AD Users and Computers does not > show group membership for groups that are not in the same domain as > the user. Access controls were still correctly applied though, so > those interfaces must be enumerating group membership some other way. Right, this is because it's expensive (I think they'll show such memberships if you query through the GC port [3268] but that requires you talk to a GC). When a non-GC KDC builds a PAC, it will contact a GC over RPC to complete the user's token (cf. IDL_DRSGetMemberships). -- Luke -- Fedora-directory-devel mailing list Fedora-directory-devel(a)redhat.com https://www.redhat.com/mailman/listinfo/fedora-directory-devel