
Is there an LDAP standard group membership attribute for users?


I'm currently working on an application which uses LDAP as an authentication method. I was wondering if the LDAP protocol has a standard membership attribute which would hold the user's group? So far memberOf is working in OpenLDAP and Active Directory but not in Apache DS. I couldn't find this attribute in the RFCs so I'm kind of confused. Should I be using the memberOf attribute, or do I need to go the old-fashioned way of traversing over all of the groups to find which group has the member?


Solution

  • By the standards, only the member attribute on the group (as used by Microsoft Active Directory) can be "counted" on.

    RFC 4519 section 2.17 states: "The 'member' attribute type contains the distinguished names of objects that are on a list or in a group. Each name is one value of this multi-valued attribute."

    The memberOf (used by Microsoft Active Directory) and groupMembership (used by eDirectory) attributes are implementation-specific attributes added to the user.

    The memberOf (used by Microsoft Active Directory) attribute is controlled by the server and is not modifiable (flagged as Read-Only from LDAP and System-Only in MS speak).

    Beware of MemberOf

    Active Directory Groups, by default, only include MemberOf if they have a Group Scope of:

    • Universal Group and are in the same AD Forest as the user, or
    • Global Group and user are on the same AD DOMAIN (even if in the same AD Forest)
    • Domain Local Group only if user is from the same AD DOMAIN of the Domain Controller you are retrieving results from.
    • NOT include the user’s primary group (usually Domain Users)
    • NOT include Active Directory Groups on external trusted domains.

    -jim
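As an added example (not code from the answer above or from any LDAP library), a minimal Python sketch of the standards-based approach the answer recommends: resolve membership from the groups' `member` attribute instead of relying on a memberOf attribute on the user. It assumes a groupOfNames schema, works on constructed sample entries rather than a live server, and uses a deliberately simplified DN normalization; the filter escaping follows RFC 4515.

```python
"""Resolve a user's groups from the groups' member attribute (RFC 4519), the
portable fallback when the directory has no memberOf. The entries below are a
constructed sample, not output from a real directory."""
from typing import Dict, List

# What a subtree search for groupOfNames entries might return: group DN ->
# attributes. DN case and spacing vary on purpose to exercise normalization.
SAMPLE_GROUPS: Dict[str, Dict[str, List[str]]] = {
    "cn=admins,ou=groups,dc=example,dc=com": {
        "objectClass": ["groupOfNames"],
        "member": ["uid=alice,ou=people,dc=example,dc=com"],
    },
    "cn=devs,ou=groups,dc=example,dc=com": {
        "objectClass": ["groupOfNames"],
        "member": ["UID=Alice, OU=People, DC=example, DC=com",
                   "uid=bob,ou=people,dc=example,dc=com"],
    },
}

def normalize_dn(dn: str) -> str:
    """Simplified DN comparison form: lower-case, no spaces around the RDN
    separators. Real DN matching (RFC 4517) is more involved than this."""
    return ",".join(part.strip().lower() for part in dn.split(","))

def escape_filter_value(value: str) -> str:
    """Escape a value for an LDAP search filter (RFC 4515 section 3) so a DN
    or username taken from user input cannot change the filter's meaning."""
    return "".join("\\%02x" % ord(ch) if ch in "*()\\\x00" else ch for ch in value)

def member_filter(user_dn: str) -> str:
    """The filter a client sends to ask the server which groups list the user."""
    return "(&(objectClass=groupOfNames)(member=%s))" % escape_filter_value(user_dn)

def groups_of(user_dn: str, groups=SAMPLE_GROUPS) -> List[str]:
    """Offline equivalent of that search: every group whose member values
    contain the user's DN, compared after normalization."""
    target = normalize_dn(user_dn)
    return sorted(dn for dn, attrs in groups.items()
                  if any(normalize_dn(m) == target for m in attrs.get("member", [])))
```

In Active Directory the user's primary group is not listed in `member` either (it is tracked through primaryGroupID), so the caveat above about Domain Users applies to this approach as well.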