问题
Does using 1.2.840.113556.1.4.1941 terminate gracefully if there are cyclic dependencies in a dl (a -> b -> a situation)
回答1:
The LDAP_MATCHING_RULE_IN_CHAIN OID handles circular dependencies just fine. It won't choke on them.
For example, I recommended using this when determining if a user is a member of a group.
Consider if you have this setup:
Group AGroup B
Group BUser 1Group A
And you want to know if User 1 is a member of Group A. You would set the search base to Group A, and use this query:
(member:1.2.840.113556.1.4.1941:=CN=User 1,OU=Users,DC=example,DC=com)
The query would succeed (it won't choke on the circular groups) and you would get 1 result (Group A) indicating that yes, User 1 is a member of Group A. (If you got no results, it would mean that the user is not a member of the group)
You should never use a LDAP_MATCHING_RULE_IN_CHAIN condition without either limiting the search base or using other conditions (like matching a specific account), otherwise you will end up with a very inefficient query that will take forever to run because it has to look at the entire membership chain for every object that exists.
来源:https://stackoverflow.com/questions/57965487/is-it-safe-to-use-1-2-840-113556-1-4-1941-implementation-in-case-of-cyclic-depen