0

Does using 1.2.840.113556.1.4.1941 terminate gracefully if there are cyclic dependencies in a DL (an a -> b -> a situation)?

apatruni

1 Answer

2

The LDAP_MATCHING_RULE_IN_CHAIN OID handles circular dependencies just fine. It won't choke on them.

For example, I recommended using this when determining if a user is a member of a group.

Consider if you have this setup:

  • Group A
    • Group B
  • Group B
    • User 1
    • Group A

And you want to know if User 1 is a member of Group A. You would set the search base to Group A, and use this query:

(member:1.2.840.113556.1.4.1941:=CN=User 1,OU=Users,DC=example,DC=com)

The query would succeed (it won't choke on the circular groups) and you would get 1 result (Group A) indicating that yes, User 1 is a member of Group A. (If you got no results, it would mean that the user is not a member of the group.)

You should never use an LDAP_MATCHING_RULE_IN_CHAIN condition without either limiting the search base or using other conditions (like matching a specific account), otherwise you will end up with a very inefficient query that will take forever to run because it has to look at the entire membership chain for every object that exists.

Gabriel Luci
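The membership check described in the answer, as an added example that is not part of the original answer: it builds the in-chain filter with RFC 4515 escaping so a DN containing `(`, `)`, `*` or `\` cannot alter the filter, and models the transitive walk locally to show that a visited set makes the A -> B -> A cycle terminate. The function names, the `DIRECTORY` data and the DNs are constructed for illustration, and `is_member` is a local model of the result, not how Active Directory evaluates the rule.

```python
IN_CHAIN = "1.2.840.113556.1.4.1941"  # LDAP_MATCHING_RULE_IN_CHAIN

def escape_filter_value(value: str) -> str:
    """Escape a value for use in an LDAP search filter (RFC 4515)."""
    return "".join(
        "\\%02x" % ord(ch) if ch in "\\*()\x00" else ch for ch in value
    )

def in_chain_filter(member_dn: str) -> str:
    """Filter to run with the search base set to the group DN (base scope)."""
    return f"(member:{IN_CHAIN}:={escape_filter_value(member_dn)})"

def is_member(directory: dict, group_dn: str, member_dn: str) -> bool:
    """Local model of the answer the search gives: transitive membership.

    `directory` maps a group DN to its direct `member` values. The `seen`
    set is what keeps circular nesting from looping forever.
    """
    seen, stack = set(), [group_dn]
    while stack:
        dn = stack.pop()
        if dn in seen:
            continue  # already expanded: this is where a cycle is cut
        seen.add(dn)
        for child in directory.get(dn, ()):
            if child == member_dn:
                return True
            stack.append(child)
    return False

# Constructed sample data mirroring the answer: A contains B, B contains A.
GROUP_A = "CN=Group A,OU=Groups,DC=example,DC=com"
GROUP_B = "CN=Group B,OU=Groups,DC=example,DC=com"
USER_1 = "CN=User 1,OU=Users,DC=example,DC=com"
DIRECTORY = {GROUP_A: [GROUP_B], GROUP_B: [USER_1, GROUP_A]}

if __name__ == "__main__":
    print("search base:", GROUP_A)
    print("filter:     ", in_chain_filter(USER_1))
    print("member:     ", is_member(DIRECTORY, GROUP_A, USER_1))
```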