Problems creating a Samba4 LDAP Backend

simo idra at
Sat Mar 22 04:01:11 GMT 2008

On Fri, 2008-03-21 at 16:17 -0700, Andrew Morgan wrote:
> On Sat, 22 Mar 2008, Luke Howard wrote:
> >>>>> 
> >>> To me, this says that the directory does an internal group search to
> >>> generate the isMemberOf attribute on the fly.  I believe this is the way
> >>> Active Directory handles the memberOf attribute as well.
> >> 
> >> IIRC in AD memberOf is a linked attribute, stored permanently.
> >
> >
> > From memory, AD stores the entry IDs of the link tuples in a separate table, 
> > so both "member" and "memberOf" are ostensibly generated on the fly. But this 
> > is really an implementation decision (although things do start to get 
> > interesting when dealing with references across partition boundaries).
> I noticed that the memberOf tab in AD Users and Computers does not show 
> group membership for groups that are not in the same domain as the user. 
> Access controls were still correctly applied though, so those interfaces 
> must be enumerating group membership some other way.

AD clients get user memberships from the PAC (the kerberos extension)
when the user authenticates. Windows clients never do LDAP calls to get
group membership of a user.

> I've always viewed the memberOf attribute as a convenient tool for human 
> use, but not something I would use programmatically.  All the benefits 
> provided by memberOf can be attained other ways by the LDAP client, 
> although the LDAP client may need to know more about the directory 
> structure to do it.

This is my point in using memberOf, less knowledge need to be put in the
client the better.


Simo Sorce
Samba Team GPL Compliance Officer <simo at>
Senior Software Engineer at Red Hat Inc. <ssorce at>

More information about the samba-technical mailing list