  1. Do all LDAP servers support this virtual attribute (by default)?

  2. I read that we have to enable this virtual attribute before using it. Is this how it works for all LDAP servers? Isn't this enabled by default?

  3. Are there any other drawbacks of using this to determine a user's group membership?

coder

1 Answer

  1. No. OpenLDAP doesn't, for a start, unless you configure it specifically, using a non-default overlay.
  2. No.
  3. A virtual attribute implies a search every time it is evaluated. You might not want to pay the price.
user207421
  • Thank you very much. A few more questions cropped up in my mind: 1. Is OpenLDAP the only LDAP server which doesn't enable this attribute by default? 2. Is it the case that this attribute is not created altogether and the user will have to create this and enable it? 3. It will be really helpful if you can explain the 'search' that happens. (Your answer for question 3) – coder Dec 19 '13 at 09:16
  • 1. I have no idea, but it doesn't seem likely that an expensive operation would be enabled by default. 2. I don't understand the question, a virtual attribute isn't created at all, it is configured. 3. It's *defined* by a search. You need to look up how to enable it on OpenLDAP: too broad to cover here. – user207421 Dec 19 '13 at 10:45
  • Okay. Thank you very much for your answers. I really wanted to know why using a virtual attribute is an expensive operation. Will check that out on Google. – coder Dec 19 '13 at 11:36
  • Do you understand the difference between a lookup and a search in LDAP? – user207421 Dec 19 '13 at 21:54
  • No. A lookup() still uses an index, so probably O(log(N)), but the required attributes are right there in the lookup result. A search implies (1) a lookup of the base DN, (2) use of at least one more index, maybe more, depending on the search filter, and (3) all you get back is a DN, or several, on which you may then have to do comparisons, or further attribute retrievals. So lookup is almost certainly faster than a search. – user207421 Dec 22 '13 at 03:38
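
The lookup-versus-search cost described in the answer and comments above, as an added example that is not part of the original thread and is not any server's real implementation. It is a toy in-memory directory with constructed entries that counts index probes; the attribute name `memberOf`, the DNs and all function names are assumptions made for illustration.

```python
class Directory:
    """Toy directory (constructed data) that counts index probes."""
    def __init__(self):
        self.entries = {}       # DN index: dn -> {attribute: [values]}
        self.member_index = {}  # equality index on 'member': user DN -> group DNs
        self.probes = 0

    def add(self, dn, attrs):
        self.entries[dn] = attrs
        for user_dn in attrs.get("member", []):
            self.member_index.setdefault(user_dn, []).append(dn)

    def lookup(self, dn):
        """Read one entry by DN: one index probe, attributes come back with it."""
        self.probes += 1
        return self.entries[dn]

    def search_groups(self, base, user_dn):
        """Search under base for (member=user_dn); returns DNs only."""
        self.lookup(base)   # (1) resolve the base DN
        self.probes += 1    # (2) probe the index named by the filter
        hits = self.member_index.get(user_dn, [])
        return sorted(dn for dn in hits if dn.endswith(base))

    def virtual_member_of(self, base, user_dn, want_names=False):
        """A virtual attribute is recomputed by a search on every evaluation."""
        dns = self.search_groups(base, user_dn)
        if want_names:      # (3) further retrieval for each DN returned
            return [self.lookup(dn)["cn"][0] for dn in dns]
        return dns

BASE = "dc=example,dc=com"                      # constructed sample DNs
ALICE = "uid=alice,ou=people," + BASE
BOB = "uid=bob,ou=people," + BASE
ADMINS = "cn=admins,ou=groups," + BASE
DEVS = "cn=devs,ou=groups," + BASE

def build_sample():
    d = Directory()
    d.add(BASE, {})
    # 'memberOf' stored on the entry is the assumed non-virtual comparison case
    d.add(ALICE, {"uid": ["alice"], "memberOf": [ADMINS, DEVS]})
    d.add(ADMINS, {"cn": ["admins"], "member": [ALICE]})
    d.add(DEVS, {"cn": ["devs"], "member": [ALICE, BOB]})
    d.add("cn=ops,ou=groups," + BASE, {"cn": ["ops"], "member": [BOB]})
    return d

def probes_used(d, fn):
    """Run fn and return (result, number of index probes it cost)."""
    before = d.probes
    return fn(), d.probes - before
```

In this model a stored attribute costs one probe per read, while the virtual form costs at least two on every evaluation and grows with the number of groups when their attributes are also needed.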