--On Thursday, December 30, 2021 4:08 PM +0100 Stefan Kania stefan@kania-online.de wrote:
Hi to all,
two years ago I tried to use dynamic groups as Posix-groups, see post: https://www.openldap.net/lists/openldap-technical/201911/msg00028.html
Now I tried it again with OpenLDAP 2.6 and the attribute memberUID is still not showing up. Is it still not possible to search for memberUid?
@Quanah You wrote: There's work to change this behavior (See ITS#9121) for OpenLDAP 2.5.
Is the work on it still in progress?
LDAP groups are defined by DNs, which are unambiguous. memberUID values are ambiguous and not usable for defining LDAP groups.
There are 3 different objectClasses you can trivially use for defining groups in LDAP:
groupOfNames (uses member attribute, from core.schema)
groupOfUniqueNames (uses uniqueMember attribute, from core.schema)
groupOfMembers (uses member attribute, from rfc2307bis.schema)
In general, "memberUID" is for use with posix groups (NOT LDAP groups). But again, it's generally deficient since it cannot discern between two different entries with the same UID. I.e.:
dn: uid=joe,ou=employees,dc=example,dc=com
uid: joe

dn: uid=joe,ou=students,dc=example,dc=com
uid: joe
Regards, Quanah
--
Quanah Gibson-Mount
Product Architect
Symas Corporation
Packaged, certified, and supported LDAP solutions powered by OpenLDAP:
http://www.symas.com
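The ambiguity Quanah describes, worked through as an added example that is not code from the thread or from OpenLDAP: a small in-memory directory stands in for the server, with two distinct people who both carry uid "joe" (as in the two DNs above) plus one unambiguous user. A groupOfNames lists members by DN, so each value resolves to exactly one entry; a posixGroup lists memberUid values, so resolving them is an equality search that can return several entries. All entries, group objects and helper functions here are constructed for the illustration; the DN normalisation is deliberately crude and is not how slapd matches DNs.

```python
"""Added example, not code from the mailing-list thread or from OpenLDAP.

Contrasts DN-based membership (groupOfNames / member) with uid-based posix
membership (posixGroup / memberUid) over a constructed in-memory directory.
"""


def normalize_dn(dn: str) -> str:
    """Crude DN normalisation for comparison (trim, lower-case).
    A real server applies full matching rules; this suffices for the demo."""
    return ",".join(part.strip().lower() for part in dn.split(","))


# Constructed directory (DN -> attributes). Two different people share
# uid "joe", mirroring the thread's example; "ann" is unambiguous.
DIRECTORY = {
    "uid=joe,ou=employees,dc=example,dc=com": {
        "objectClass": ["inetOrgPerson", "posixAccount"],
        "uid": ["joe"], "cn": ["Joe Employee"], "uidNumber": ["1001"],
    },
    "uid=joe,ou=students,dc=example,dc=com": {
        "objectClass": ["inetOrgPerson", "posixAccount"],
        "uid": ["joe"], "cn": ["Joe Student"], "uidNumber": ["2001"],
    },
    "uid=ann,ou=employees,dc=example,dc=com": {
        "objectClass": ["inetOrgPerson", "posixAccount"],
        "uid": ["ann"], "cn": ["Ann Admin"], "uidNumber": ["1002"],
    },
    # LDAP group: each member value is a DN and names exactly one entry.
    "cn=admins,ou=groups,dc=example,dc=com": {
        "objectClass": ["groupOfNames"],
        "member": [
            "uid=joe,ou=employees,dc=example,dc=com",
            "uid=ann,ou=employees,dc=example,dc=com",
        ],
    },
    # Posix group: each memberUid value is a bare uid string.
    "cn=admins,ou=posixgroups,dc=example,dc=com": {
        "objectClass": ["posixGroup"],
        "gidNumber": ["5000"],
        "memberUid": ["joe", "ann"],
    },
}

# normalised DN -> DN as stored, for base-scope lookups
_INDEX = {normalize_dn(dn): dn for dn in DIRECTORY}


def lookup_dn(dn):
    """Base-scope lookup: a DN identifies at most one entry (or None)."""
    return _INDEX.get(normalize_dn(dn))


def search_equality(attr, value):
    """Subtree search equivalent to the filter (attr=value), case-insensitive
    like caseIgnoreMatch. Returns every matching DN, sorted."""
    value = value.lower()
    return sorted(
        dn for dn, attrs in DIRECTORY.items()
        if any(v.lower() == value for v in attrs.get(attr, []))
    )


def resolve_dn_group(group_dn):
    """groupOfNames: map each member DN to the single entry it names."""
    group = DIRECTORY[lookup_dn(group_dn)]
    return {m: lookup_dn(m) for m in group["member"]}


def resolve_posix_group(group_dn):
    """posixGroup: map each memberUid to ALL entries carrying that uid."""
    group = DIRECTORY[lookup_dn(group_dn)]
    return {uid: search_equality("uid", uid) for uid in group["memberUid"]}


def ambiguous_members(group_dn):
    """memberUid values that match more than one entry. Any hit means the
    group cannot say which person it grants membership to."""
    return sorted(uid for uid, hits in resolve_posix_group(group_dn).items()
                  if len(hits) > 1)


if __name__ == "__main__":
    for m, hit in resolve_dn_group("cn=admins,ou=groups,dc=example,dc=com").items():
        print(f"member {m} -> {hit}")
    posix = "cn=admins,ou=posixgroups,dc=example,dc=com"
    for uid, hits in resolve_posix_group(posix).items():
        print(f"memberUid {uid} -> {len(hits)} entr{'y' if len(hits) == 1 else 'ies'}: {hits}")
    print("ambiguous memberUid values:", ambiguous_members(posix))
```

The `ambiguous_members` check is the defender-side takeaway: before relying on memberUid for access decisions, audit the directory for uid values that occur under more than one DN, because every such value makes the posix group's meaning undefined, while the DN-based group stays exact regardless.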