Hi

I've sifted through the mailing list archive in search of an answer to how
one combines posixAccount with posixGroup for filtering, with the memberof
overlay. The only answer I found was that it wasn't possible. What I've
tried was adding:

    overlay memberof
    memberof-group-oc posixGroup
    memberof-member-ad memberUid

Which doesn't work. I get the following error message:

    /etc/openldap2.4/slapd.conf: line 173: member attribute="memberUid" must
    either have DN (1.3.6.1.4.1.1466.115.121.1.12) or nameUID
    (1.3.6.1.4.1.1466.115.121.1.34) syntax.

According to earlier mailing list posts, memberUid can't be used with
memberof. The other solution that crossed my mind was adding a
member attribute in the posixGroup which is linked with the posixAccount
DN, whenever I add a memberUid to the group. I haven't tested it
yet, though, as my schema-fu is limited.

This seems like the wrong approach though. What I want to do is use an
LDAP query filter to check if a posixAccount is a member of a group with the
same name as the server, i.e. retrieving all valid accounts for that
particular server with

    (&(objectClass=posixAccount)(memberof=cn=servername,ou=group,dc=base))

This is with standard LDAP on AIX as the client and OpenLDAP 2.4.18 as the
server. Linux clients and HP-UX clients also connect to this LDAP server
though, so the options regarding the layout of the tree are limited.

So my questions to you, dear internet mailing list heroes, are:

* Is there an easy way to combine posixAccount with posixGroup?
* Is the hard way feasible if not?
* Are some of you using some better way of managing logins on AIX with an
  LDAP server shared with operating system logins?

--
Kristian Berg
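
Added example, not part of the original post: because memberUid holds plain login names rather than DNs, the membership check described above can be done client-side in two searches, reading the group's memberUid values and then filtering posixAccount entries on uid. The function names and the sample group entry are constructed for illustration, and matching memberUid against the uid attribute is an assumption about the directory layout.

```python
# Added example: resolve posixGroup membership without the memberof overlay.
# Step 1 searches for the group named after the server and reads memberUid;
# step 2 searches posixAccount entries whose uid is one of those values.

_ESCAPES = {"\\": r"\5c", "*": r"\2a", "(": r"\28", ")": r"\29", "\x00": r"\00"}


def escape_filter_value(value):
    """Escape a string for use as an assertion value in a search filter
    (RFC 4515), so a login name cannot alter the filter's structure."""
    return "".join(_ESCAPES.get(ch, ch) for ch in value)


def group_filter(server_name):
    """Filter for step 1: the posixGroup whose cn equals the server name."""
    return "(&(objectClass=posixGroup)(cn=%s))" % escape_filter_value(server_name)


def accounts_filter(member_uids):
    """Filter for step 2: posixAccount entries listed in the group."""
    uids = sorted({u for u in member_uids if u})
    if not uids:
        # Empty group: return a filter that matches no entry (fail closed).
        return "(&(objectClass=posixAccount)(!(objectClass=*)))"
    terms = "".join("(uid=%s)" % escape_filter_value(u) for u in uids)
    return "(&(objectClass=posixAccount)(|%s))" % terms


if __name__ == "__main__":
    # Constructed sample of what step 1 might return for cn=servername.
    group_entry = {"cn": ["servername"], "memberUid": ["alice", "bob", "x)(uid=*"]}
    print(group_filter(group_entry["cn"][0]))
    print(accounts_filter(group_entry["memberUid"]))
```

The third sample value shows why the escaping matters: unescaped, it would widen the filter to every account.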