On 22/03/2008, at 10:17 AM, Andrew Morgan wrote:
On Sat, 22 Mar 2008, Luke Howard wrote:
To me, this says that the directory does an internal group search
to
generate the isMemberOf attribute on the fly. I believe this is
the way
Active Directory handles the memberOf attribute as well.
IIRC in AD memberOf is a linked attribute, stored permanently.
From memory, AD stores the entry IDs of the link tuples in a
separate table, so both "member" and "memberOf" are ostensibly
generated on the fly. But this is really an implementation decision
(although things do start to get interesting when dealing with
references across partition boundaries).
I noticed that the memberOf tab in AD Users and Computers does not
show group membership for groups that are not in the same domain as
the user. Access controls were still correctly applied though, so
those interfaces must be enumerating group membership some other way.
Right, this is because it's expensive (I think they'll show such
memberships if you query through the GC port [3268] but that requires
you talk to a GC).
When a non-GC KDC builds a PAC, it will contact a GC over RPC to
complete the user's token (cf. IDL_DRSGetMemberships).
-- Luke
--
Fedora-directory-devel mailing list
Fedora-directory-devel@xxxxxxxxxx
https://www.redhat.com/mailman/listinfo/fedora-directory-devel
