Ball, Donald A Jr (Library) wrote:
>> There is an attribute called memberof which has a list of all
>> the groups the user account belongs to. You should be able
>> to call memberof on your returned LDAP object and get an
>> array with the groups in it.
>
> That works great, thanks! A quick follow-up if you don't mind: if I'm
> trying to authenticate a user and see if she belongs to either of two
> groups, say, is it better to search twice against two different
> treebases and simply see if either returns a match, or search in the
> nearest common ancestor and check the memberof attribute?

Beware that if you encounter a group that has more than 1000 members,
Microsoft AD has a custom extension to the standard LDAP protocol to
handle paging. Basically you get an attribute returned that has an
extended name, and not all values. IIRC the extension is ";min-max"
where min and max are the index numbers of the first and last value
returned from the members array. You then need to repeat the query,
asking for a similarly-named attribute with larger min and max numbers,
until a query returns fewer than you asked for.

Clifford Heath.
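An added example, not from this thread, that walks the ranged-attribute loop Clifford describes against a constructed in-memory stand-in for AD (no live directory needed). It assumes the attribute-name form "member;range=low-high" for the request and that the server marks the final chunk as "low-*"; the function and constant names are invented for the illustration.

```ruby
# Range retrieval of a large multi-valued attribute (e.g. "member") as
# Active Directory returns it: each response carries a renamed attribute
# such as "member;range=0-1499" holding only that slice of the values.
# Assumption: the last slice is named "member;range=<low>-*".
RANGE_RE = /\A(?<attr>[^;]+);range=(?<low>\d+)-(?<high>\d+|\*)\z/i

# Parse "attr;range=low-high". Returns [attr, low, high] with high = nil
# for the "*" (final chunk) form, or nil when the name carries no range.
def parse_range(attr_name)
  m = RANGE_RE.match(attr_name.to_s)
  return nil unless m
  [m[:attr], m[:low].to_i, m[:high] == '*' ? nil : m[:high].to_i]
end

# Collect every value of `attr` by requesting successive ranges.
# `search` is a callable: it takes the requested attribute name and
# returns a hash of {attribute_name => [values]} as the server answered.
def fetch_all_values(attr, search, page_size: 1500)
  values = []
  low = 0
  loop do
    requested = "#{attr};range=#{low}-#{low + page_size - 1}"
    entry = search.call(requested)
    # The server may answer with a different range than requested
    # (it caps the size and marks the end with "*"), so match by base name.
    returned = entry.keys.find { |k| (p = parse_range(k)) && p[0].casecmp?(attr) }
    raise "server returned no ranged #{attr} attribute" unless returned
    _base, _rlow, rhigh = parse_range(returned)
    values.concat(entry[returned])
    break if rhigh.nil?  # "low-*" marks the final chunk
    low = rhigh + 1      # ask for the slice after the last value received
  end
  values
end

# Constructed fake directory: honours a server-side cap per response and
# names the last slice "low-*", mimicking AD's behaviour.
def fake_ad_search(members, server_limit: 1500)
  lambda do |requested|
    base, low, high = parse_range(requested)
    high = members.size - 1 if high.nil? || high > members.size - 1
    high = [high, low + server_limit - 1].min
    chunk = members[low..high] || []
    last = high >= members.size - 1
    { "#{base};range=#{low}-#{last ? '*' : high}" => chunk }
  end
end

# Constructed sample: a group well past the 1000/1500-value threshold.
MEMBERS = (1..3200).map { |i| "CN=user#{i},OU=People,DC=example,DC=com" }
```

Calling fetch_all_values('member', fake_ad_search(MEMBERS)) makes three requests (0-1499, 1500-2999, 3000-4499) and returns all 3200 DNs; a client that reads only the plain "member" attribute would see none of the values past the server's cap.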