On Feb 21, 2014, at 14.14, Jefferson Davis jdavis@standard.k12.ca.us wrote:
This has been beating me like a red-headed stepchild...
In the AD world, groupOfNames is expected (in combination with the member attribute, it provides for reverse group resolution, i.e. users by group membership AND groups by member inclusion).
On the unix side of the fence, groups REQUIRE a gidNumber in order to resolve group membership, using the posixGroup structural OC in conjunction with memberUid.
In attempting to future-proof our ldap services, and to accommodate the AD-focused nature of commercial products, I'm attempting to get this to all work automatically, i.e. use the same group setup for both (probably naive and ill-advised?). But you CANNOT have multiple structural objectclasses in a single entry. So these requirements put group structures in direct opposition to one another.
Has anyone resolved this successfully, and if so, how? Overlays (which ones, examples)? Schema mods (examples?)
Refer to draft-howard-rfc2307bis-02 [doc/drafts/draft-howard-rfc2307bis-xx.txt], which defines posixGroup as AUXILIARY. Use the schema defined in this document instead of nis.
-ben
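What the reply above amounts to in practice, as an added example that is not part of the thread: with the rfc2307bis schema loaded in place of nis.schema, posixGroup is AUXILIARY, so a single entry can be a structural groupOfNames (with member DNs, which is what AD-oriented products expect) and carry the gidNumber and memberUid values that Unix NSS clients need. The suffix dc=example,dc=com, the group name, the gidNumber and the member DNs are constructed placeholders.

```ldif
# Added example, not from the thread. One group entry serving both
# AD-style (member DN) and Unix-style (gidNumber/memberUid) lookups.
# Assumes the rfc2307bis schema is loaded instead of nis.schema so that
# posixGroup is AUXILIARY; all names and numbers below are placeholders.
dn: cn=developers,ou=Groups,dc=example,dc=com
objectClass: top
objectClass: groupOfNames
objectClass: posixGroup
cn: developers
gidNumber: 10001
# AD-style membership: full DNs, which groupOfNames requires (MUST member)
member: uid=alice,ou=People,dc=example,dc=com
member: uid=bob,ou=People,dc=example,dc=com
# Unix-style membership: bare login names, which legacy NSS lookups match on
memberUid: alice
memberUid: bob
```

Loading the same LDIF against a server that still uses the stock nis.schema (where posixGroup is STRUCTURAL) is a quick check that the right schema is in effect: slapd rejects the add with "invalid structural object class chain (groupOfNames/posixGroup)". Note also that the member and memberUid lists are independent attributes and nothing keeps them in sync by itself; clients configured for the rfc2307bis schema (for example sssd with ldap_schema = rfc2307bis) resolve group membership from member, while clients that are not still read memberUid, so both lists have to be maintained, either by the provisioning process or by an overlay.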