Reputation: 83
I am in the process of building a website for a company I work for. I would like to run some of it off the LDAP server that's already in use. Right now I have it linked for logging in and out, not much of an issue.
My next step, which has seemed to become more of a delay, is user groups and permissions. I would like to be able to get the groups a user is a member of. Normally, this will just return the full string of the group, but I would prefer to have the GUID.
I know I can take the strings and query the server, then obtain the group GUID. This just seems to be more processing for the server.
I'd like to have this for logging in the database. If the name changes, the list of users doesn't. It would cause too many issues and store too much in the database if I went based off the full string rather than the GUID.
My other idea/option would be to search and cache all the GUIDs in a table, updating the names if they change. This way I'm not querying the LDAP server a bunch for what I need, and can manage it all inside the same server. The servers are in the same network, but it's always fastest when running locally.
TL;DR Is there a way I can query the LDAP server and get the list of groups a user is in, returning the group GUID rather than its full name?
I'm still new to working with LDAP too, in case I'm missing anything.
Upvotes: 1
Views: 327
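One way to get the TL;DR answered in a single search against an Active Directory server, as an added example that is not part of the original post: ask the server for the groups whose `member` attribute contains the user's DN and request only `objectGUID` in the attribute list, so no per-group follow-up query is needed. The helpers below are hypothetical; they assume AD specifics (the `LDAP_MATCHING_RULE_IN_CHAIN` OID for nested membership, the mixed-endian `bytes_le` layout of `objectGUID`) and the sample GUID bytes are constructed.

```python
"""Helpers for resolving a user's groups as objectGUIDs over LDAP.

Hypothetical example code, not from the original question. Assumes an
Active Directory server: objectGUID is 16 raw bytes in mixed-endian
(bytes_le) order, and the extensible match rule 1.2.840.113556.1.4.1941
(LDAP_MATCHING_RULE_IN_CHAIN) follows nested group membership.
"""
import uuid

IN_CHAIN = "1.2.840.113556.1.4.1941"


def escape_filter_value(value: str) -> str:
    """RFC 4515 escaping so a DN built from user data cannot alter the filter."""
    return "".join(
        "\\%02x" % ord(ch) if ch in "\\*()\x00" else ch for ch in value
    )


def groups_of_user_filter(user_dn: str, nested: bool = True) -> str:
    """Filter matching every group that lists user_dn as a member.

    Send it with attributes=["objectGUID"]: one search returns the GUIDs
    of all groups instead of DNs that would need a second lookup each.
    """
    rule = f"member:{IN_CHAIN}:=" if nested else "member="
    return f"(&(objectClass=group)({rule}{escape_filter_value(user_dn)}))"


def guid_from_object_guid(raw: bytes) -> str:
    """Decode the 16-byte objectGUID value into its canonical text form."""
    if len(raw) != 16:
        raise ValueError("objectGUID must be exactly 16 bytes")
    return str(uuid.UUID(bytes_le=raw))


def object_guid_filter(guid_text: str) -> str:
    """Filter that finds an entry again by the GUID stored in the database.

    Binary attribute values must be escaped byte by byte in a filter.
    """
    raw = uuid.UUID(guid_text).bytes_le
    return "(objectGUID=" + "".join("\\%02x" % b for b in raw) + ")"


# Constructed sample objectGUID value, as a directory client would receive it.
SAMPLE_OBJECT_GUID = bytes.fromhex("0a1b2c3d4e5f60718293a4b5c6d7e8f9")
```

Storing the decoded text form in the database and rebuilding the filter from it when a group must be looked up again keeps the stored key stable across group renames.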
Reputation: 199
I think it's overkill to make a local replication; openldap can carry out 22,000 queries / second or 4,800 updates / second and can contain up to 150 million entries (Year 2006 benchmark).
It's the job of the LDAP to do this, and it does it generally well. Your local replication just involves latency when there is a user/group change and can be a source of errors, while it does not bring significant improvement.
Upvotes: 1