[389-users] dynamic group expansion: summarizing ;)

Roberto Polli rpolli at babel.it
Wed Jul 28 09:48:18 UTC 2010


On Tuesday 01 June 2010 20:38:48 Nathan Kinder wrote:
> On 05/31/2010 02:05 AM, Roberto Polli wrote:
> > Hi all,
> >
> > I'll try to summarize:
> > 1 - we like dynamic group expansion (memberURL is an ldap URI)
> > 2 - ldapsearch -b GROUPDN "uniqueMember=*" retrieves both static and
> > dynamic members
> >    2.1- the aforementioned search should retrieve nested group members too
> > 3 - (wish) memberOf plugin should dynamically set the memberOf attribute
> > in underlying entries
> >    3.1 * if memberOf is a virtual attribute, it's impossible to use it in
> > searches (e.g. this won't work: #ldapsearch "memberof=GROUPDN" )
> >    3.2 * memberOf should be "real"
> >    3.3 * we need a listener on each Update to
> >      3.3.1 * rescan all groups
> >      3.3.2 * update the memberOf attribute
> 
> There are likely some things you can do here to optimize for updates.
> One idea would be to maintain an in-memory cache of dynamic group
> filters that are present.  You would have to scan for these groups at
> server startup to populate the cache and maintain it whenever a group
> filter is modified/added/deleted.
> 
> When an entry is updated, you can use the group filter cache to quickly
> determine if a change to an entry affects its group membership instead
> of searching for all of the groups each time.
> 
> There may be better ideas than the above, but the cache idea was just a
> quick thought that may help.
Added https://bugzilla.redhat.com/show_bug.cgi?id=618988; maybe better to move the
discussion there or to the wiki.

Let me know+Peace,
R:

-- 

Roberto Polli
Babel S.r.l. - http://www.babel.it
Tel. +39.06.91801075 - fax +39.06.91612446
Tel. cel +39.340.6522736
P.zza S.Benedetto da Norcia, 33 - 00040 Pomezia (Roma)

"The following message contains confidential information. Should you have
received this message in error, please kindly notify us by e-mail. We also
urge you to destroy the message received in error. The foregoing is requested
for the purposes of compliance with the law on the protection of personal
data."
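
Added example (not part of the original messages and not 389 Directory Server code): a Python model of the filter cache idea quoted above, which keeps each dynamic group's parsed memberURL filter in memory and, on an entry update, reports which groups must be added to or removed from memberOf. The class and function names are hypothetical, only a subset of LDAP filter syntax is handled (no escapes or substrings), scope is treated as subtree, and entries are dicts with lower-cased attribute names.

```python
# Added example: in-memory cache of dynamic group filters (all names hypothetical).
# Filter subset: (&..), (|..), (!..), (attr=value), (attr=*). No escapes/substrings.

def parse_filter(s, i=0):
    """Parse the filter starting at s[i] == '('; return (node, next_index)."""
    assert s[i] == "(", "filter must start with '('"
    i += 1
    if s[i] in "&|!":
        op, kids, i = s[i], [], i + 1
        while s[i] == "(":
            kid, i = parse_filter(s, i)
            kids.append(kid)
        return (op, kids), i + 1            # skip the closing ')'
    end = s.index(")", i)
    attr, _, value = s[i:end].partition("=")
    return ("=", attr.strip().lower(), value.strip().lower()), end + 1

def matches(node, entry):
    """entry: dict of lower-cased attribute name -> list of string values."""
    if node[0] == "&":
        return all(matches(k, entry) for k in node[1])
    if node[0] == "|":
        return any(matches(k, entry) for k in node[1])
    if node[0] == "!":
        return not matches(node[1][0], entry)
    _, attr, value = node
    values = [v.lower() for v in entry.get(attr, [])]
    return bool(values) if value == "*" else value in values

class DynamicGroupCache:
    def __init__(self):
        self.groups = {}                    # group DN -> (base DN, parsed filter)

    def set_group(self, group_dn, member_url):
        # memberURL form: ldap:///<base>?<attrs>?<scope>?<filter>
        base, _attrs, _scope, flt = member_url[len("ldap:///"):].split("?", 3)
        self.groups[group_dn] = (base.lower(), parse_filter(flt)[0])

    def remove_group(self, group_dn):
        self.groups.pop(group_dn, None)

    def groups_for(self, dn, entry):
        d = dn.lower()
        return {g for g, (base, flt) in self.groups.items()
                if (d == base or d.endswith("," + base)) and matches(flt, entry)}

    def memberof_delta(self, dn, old_entry, new_entry):
        """Return (groups to add, groups to remove) for memberOf after an update."""
        old, new = self.groups_for(dn, old_entry), self.groups_for(dn, new_entry)
        return new - old, old - new
```

Calling `set_group` at startup for every group with a memberURL, and again whenever a group filter is added or modified (`remove_group` on delete), keeps the cache in step with the directory; `memberof_delta` then replaces the full rescan of all groups on each entry update.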


