dominoAccessGroups operational attribute

The dominoAccessGroups operational attribute returns the LDAP DNs that represent the security (ACL) groups to which the object belongs.

Using dominoAccessGroups can improve performance because it requires only one LDAP request/response, regardless of the number of groups and nested groups to which the object belongs. The Domino® LDAP server can take advantage of the existing group cache (for names lists).

If dominoAccessGroups is used, other LDAP client applications need not perform recursive searches, thereby reducing application complexity.

An LDAP client should determine whether the LDAP server serves up dominoAccessGroups by querying the root DSE's ibm-enabledCapabilities attribute and checking whether the OID for dominoAccessGroups, 2.16.840.1.113678.2.2.2.2.1355, is supported.

[C:\] ldapsearch -h hostname -s base "(objectclass=*)" ibm-enabledCapabilities
 
ibm-enabledcapabilities=2.16.840.1.113678.2.2.2.2.1354
ibm-enabledcapabilities=2.16.840.1.113678.2.2.2.2.1355

For more information on the ibm-enabledCapabilities attribute, see LDAP root DSE attributes.
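
A client-side version of the capability check described above, as an added example that is not part of the original documentation: it parses root DSE output in the form shown and compares OIDs exactly, so a server without the capability is never mistaken for one that reports an entry with no groups. The function names, the LDIF-style "attr: value" variant and the plan labels are assumptions made for the illustration.

```python
import re

# OID for dominoAccessGroups, as given in the text above.
DOMINO_ACCESS_GROUPS_OID = "2.16.840.1.113678.2.2.2.2.1355"

# Constructed sample: the root DSE output shown above ("attr=value" lines).
SAMPLE_ROOT_DSE = """\
ibm-enabledcapabilities=2.16.840.1.113678.2.2.2.2.1354
ibm-enabledcapabilities=2.16.840.1.113678.2.2.2.2.1355
"""

# Attribute names are case-insensitive in LDAP; accept "=" (as shown above)
# or ":" (LDIF-style output, an assumption about other ldapsearch builds).
_CAPABILITY_LINE = re.compile(
    r"\s*ibm-enabledcapabilities\s*[=:]\s*(\S+)\s*$", re.IGNORECASE
)


def enabled_capabilities(root_dse_output):
    """Return the set of OIDs listed under ibm-enabledCapabilities."""
    oids = set()
    for line in root_dse_output.splitlines():
        match = _CAPABILITY_LINE.match(line)
        if match:
            oids.add(match.group(1))
    return oids


def supports_domino_access_groups(root_dse_output):
    """True only if the exact dominoAccessGroups OID is advertised.

    Whole-value comparison matters: a substring test would also accept
    a different OID that merely starts with the same digits.
    """
    return DOMINO_ACCESS_GROUPS_OID in enabled_capabilities(root_dse_output)


def group_lookup_plan(root_dse_output):
    """Choose how the client resolves group membership for an entry.

    Without the capability, a missing dominoAccessGroups value says nothing
    about membership, so the client must fall back to recursive searches.
    """
    if supports_domino_access_groups(root_dse_output):
        return "dominoAccessGroups"   # single request/response
    return "recursive-search"         # nested group searches


if __name__ == "__main__":
    print(group_lookup_plan(SAMPLE_ROOT_DSE))
```
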

While overall computation of group membership is faster with dominoAccessGroups, it is possible that the single search now exceeds the LDAP timeout previously used by each of the multiple nested group searches. If you discover that your searches that return dominoAccessGroups are timing out, increase the LDAP Timeout value in the Default Configuration Document for the Domino domain.