Considerations for group lookup

• As an attribute of the user object

  Each user object has an attribute called GROUP_LOOKUP_ATTRIBUTE that you can query to retrieve all of the group membership for that user.

• As an attribute of the group object

  Each group object has an attribute, also called GROUP_LOOKUP_ATTRIBUTE, that you can use to list all the user objects that are members of the group. You can enumerate the groups for a particular user by searching for all groups that list the user object as a member.

When configuring the LDAP plug-in modules, you can use the GROUP_LOOKUP_METHOD parameter to specify how group lookup should be performed:

• If you need to use the GROUP_LOOKUP_ATTRIBUTE attribute of the user object to find group membership, set GROUP_LOOKUP_METHOD = USER_ATTRIBUTE
• If you need to use the GROUP_LOOKUP_ATTRIBUTE attribute of the group object to find group membership, set GROUP_LOOKUP_METHOD = SEARCH_BY_DN

Many LDAP servers use the GROUP_LOOKUP_ATTRIBUTE attribute of the group object to determine membership. They can be configured as shown in this example:

GROUP_LOOKUP_METHOD = SEARCH_BY_DN
GROUP_LOOKUP_ATTRIBUTE = groupOfNames

Microsoft Active Directory typically stores group membership as a user attribute, and could be configured as shown in this example:

GROUP_LOOKUP_METHOD = USER_ATTRIBUTE
GROUP_LOOKUP_ATTRIBUTE = memberOf

The IBM® Tivoli® Directory Server supports both methods at the same time. To query the group membership for a user you can make use of the special user attribute ibm-allGroups, as shown in this example:

GROUP_LOOKUP_METHOD = USER_ATTRIBUTE
GROUP_LOOKUP_ATTRIBUTE = ibm-allGroups