
LDAP Group Expansion Utility Java Component - Retrieve LDAP Group Member Attributes (Optionally Supports Nested Groups). Disclosure Number: IPCOM000032369D
Original Publication Date: 2004-Nov-03
Included in the Prior Art Database: 2004-Nov-03
Document File: 2 page(s) / 27K

The primary focus of this Disclosure is the abstraction of Directory groups, including but not limited to nested groups n layers deep and ones containing circular memberships, such that references to group members are automatically handled as if stored in-line, enabling direct retrieval of group member attributes.

This is the abbreviated version, containing approximately 51% of the total text.


Problem Solved

Retrieving the attribute values of LDAP group members is difficult and process-intensive, and usually involves writing a fair amount of code just to get at that data. Part of the difficulty is the way membership is stored. Members of an LDAP group are listed by their dn (Distinguished Name) under the group's multi-valued "member" attribute. The problem is that the dn is merely a location reference for each member; it carries no real attribute values. A dn only specifies where the member sits in the directory hierarchy (read from right to left, the right-most attribute/value pair being the root of the hierarchy and the left-most pair naming the entry itself). The component described here enables developers writing LDAP-based applications to retrieve a specified set of group member attribute values (optionally following nested groups) with one simple method call, instead of writing and testing a large amount of code to implement that functionality themselves.

This is how the dn values of group members are typically stored in LDAP (one member per line):

member   cn=John Smith,ou=Software Group,o=ibm,c=us
         cn=John Doe,ou=Finance,o=ibm,c=us
         etc...

As you can see, these dn values give us none of the attribute values for each member. We can pick the cn (Common Name) out of the dn string, but that is about all, and even that value is not isolated: it is embedded in the string as an attribute/value pair and may contain escaped characters such as "\,", so it cannot be recovered by a naive split on commas. To retrieve any other attribute of a group member, such as e-mail address, phone number or last name, we have to run a separate lookup for each member entry.

A further complication is that a dn is not a search filter, so an LDAP server will not accept it as one. What a dn can be used for is the base of a base-scoped search (OBJECT_SCOPE in JNDI terms) that reads the single entry it names. The common workaround of searching on the member's cn, or on some other attribute held in the entry, needs more processing and is less precise, since cn is not guaranteed to be unique across the directory. The dn can therefore appear to be just a node location reference stored at a higher level than the entry's other attributes. All of this becomes more complex still when the group contains nested groups (groups within a group), which must be expanded in turn, and when a nested group refers back to a group already being expanded (a circular membership), which must be detected to avoid an endless loop. Needless to say, this is a very convoluted process for such a simple request for information about group members.
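The following is an added example, written for this page and not the Java component of the disclosure, showing the expansion that the component performs: starting from a group dn, follow each "member" dn, descend into nested groups, stop on circular memberships, and return the requested attributes of each leaf member. The dn parser illustrates the right-to-left structure described above and why the cn is "not isolated" (an escaped comma in a value). The directory is a constructed in-memory snapshot keyed by dn; the function base_lookup stands in for a base-scoped search on that dn, which is what a real server (via JNDI DirContext.search with OBJECT_SCOPE, or any LDAP client library) would do. All entry names, attribute values and the helper names are made up for the example.

```python
import re
from typing import Dict, List, Tuple

# Constructed sample directory: dn -> attributes. A real implementation would
# replace base_lookup() with a base-scoped search on the dn against the server.
DIRECTORY: Dict[str, Dict[str, List[str]]] = {
    "cn=John Smith,ou=Software Group,o=ibm,c=us": {
        "objectClass": ["person", "inetOrgPerson"],
        "cn": ["John Smith"], "sn": ["Smith"],
        "mail": ["jsmith@example.com"], "telephoneNumber": ["+1 555 0100"],
    },
    "cn=John Doe,ou=Finance,o=ibm,c=us": {
        "objectClass": ["person", "inetOrgPerson"],
        "cn": ["John Doe"], "sn": ["Doe"],
        "mail": ["jdoe@example.com"], "telephoneNumber": ["+1 555 0101"],
    },
    r"cn=Doe\, Jane,ou=Finance,o=ibm,c=us": {   # escaped comma inside the RDN value
        "objectClass": ["person", "inetOrgPerson"],
        "cn": ["Doe, Jane"], "sn": ["Doe"],
        "mail": ["jane@example.com"],
    },
    "cn=Finance Staff,ou=Groups,o=ibm,c=us": {
        "objectClass": ["groupOfNames"],
        "cn": ["Finance Staff"],
        "member": ["cn=John Doe,ou=Finance,o=ibm,c=us",
                   r"cn=Doe\, Jane,ou=Finance,o=ibm,c=us",
                   "cn=All Staff,ou=Groups,o=ibm,c=us"],        # circular membership
    },
    "cn=All Staff,ou=Groups,o=ibm,c=us": {
        "objectClass": ["groupOfNames"],
        "cn": ["All Staff"],
        "member": ["cn=John Smith,ou=Software Group,o=ibm,c=us",
                   "cn=Finance Staff,ou=Groups,o=ibm,c=us",     # nested group
                   "cn=John Doe,ou=Finance,o=ibm,c=us",         # also reachable via nesting
                   "cn=Left Company,ou=Finance,o=ibm,c=us"],    # dangling reference
    },
}

GROUP_CLASSES = {"groupofnames", "groupofuniquenames", "group"}
MEMBER_ATTRS = ("member", "uniqueMember")

# Split on commas that are not preceded by a backslash (RFC 4514 escaping).
_RDN_SPLIT = re.compile(r"(?<!\\),")


def parse_dn(dn: str) -> List[Tuple[str, str]]:
    """Return (type, value) pairs leftmost (leaf) first; the last pair is the root.
    Only the escaped comma is unescaped here, which is enough for the sample data."""
    rdns = []
    for rdn in _RDN_SPLIT.split(dn):
        attr, _, value = rdn.partition("=")
        rdns.append((attr.strip().lower(), value.strip().replace("\\,", ",")))
    return rdns


def base_lookup(dn: str) -> Dict[str, List[str]]:
    """Stand-in for a base-scoped search on dn; {} if the entry does not exist."""
    return DIRECTORY.get(dn, {})


def is_group(entry: Dict[str, List[str]]) -> bool:
    return any(oc.lower() in GROUP_CLASSES for oc in entry.get("objectClass", []))


def expand_group(group_dn: str, wanted: List[str], nested: bool = True,
                 max_depth: int = 10) -> Dict[str, Dict[str, List[str]]]:
    """Return {member_dn: {attr: values}} for every non-group member of group_dn.
    The `seen` set stops circular memberships from recursing forever and collapses
    members that are reachable by more than one path; max_depth is a belt-and-braces
    bound against very deep nesting."""
    results: Dict[str, Dict[str, List[str]]] = {}
    seen = set()

    def walk(dn: str, depth: int) -> None:
        if dn in seen or depth > max_depth:
            return
        seen.add(dn)
        entry = base_lookup(dn)
        if not entry:                      # dangling member reference: skip it
            return
        if is_group(entry):
            if depth > 0 and not nested:   # nested group, but nesting is disabled
                return
            for attr in MEMBER_ATTRS:
                for member_dn in entry.get(attr, []):
                    walk(member_dn, depth + 1)
        else:
            results[dn] = {a: entry.get(a, []) for a in wanted}

    walk(group_dn, 0)
    return results


if __name__ == "__main__":
    for dn, attrs in expand_group("cn=All Staff,ou=Groups,o=ibm,c=us", ["cn", "mail"]).items():
        print(parse_dn(dn)[0][1], attrs)
```

With nested=True the call above yields three people (John Smith, John Doe and "Doe, Jane") even though All Staff and Finance Staff reference each other; with nested=False the Finance Staff entry is treated as an opaque member and only the two people listed directly on All Staff are returned.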


I wrote a Java class (component) that takes in an instance of DirContext (component already bound/connec...