On 9/2/20 6:57 PM, Quanah Gibson-Mount wrote:
--On Wednesday, September 2, 2020 12:11 PM +0200 Olaf Hopp Olaf.Hopp@kit.edu wrote:
we are at the point of reorganising our LDAP. Currently we only have posixGroups, but in future we also want to support groupOfNames or groupOfUniqueNames. My question is: what is the common usage, groupOfNames or groupOfUniqueNames?
I know your answers, you will say "it depends on your applications" but currently I have no application using it. All my current applications use my posixGroups. I just want to extend my LDAP for future use cases.
I generally recommend groupOfNames for LDAP groups, which is a different concept than *NIX posix groups.
In contrast to some other LDAP servers, OpenLDAP's slapd supports inheriting an object class from multiple parent classes.
This can be used to solve this problem with a hybrid group schema:
https://gitlab.com/ae-dir/ansible-ae-dir-server/-/blob/master/files/schema/a...
groupOfEntries is used to allow empty groups without members.
And of course you have to ensure that attributes 'member' and 'memberUid' are in sync.
Ciao, Michael.
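A consistency check for the 'member'/'memberUid' pairing Michael describes, as an added example that is not from the thread or from the ae-dir project; the hybrid objectClass sketch (placeholder OID), the 'hybridGroup' name and the sample group entry are constructed.

```python
"""Check that a hybrid LDAP group keeps 'member' (DNs) and 'memberUid'
(POSIX login names) in sync.  Added example, not code from the thread or
from ae-dir; the schema sketch and the sample entry are constructed."""
import re
from typing import Optional

# Hybrid objectClass sketch (hypothetical name, placeholder OID):
#   objectClass ( 1.3.6.1.4.1.99999.1.1 NAME 'hybridGroup'
#     SUP ( groupOfEntries $ posixGroup ) STRUCTURAL )
# 'member' comes from groupOfEntries (so an empty group is legal),
# 'memberUid' and 'gidNumber' come from posixGroup.

def rdn_uid(dn: str) -> Optional[str]:
    """Return the uid value of the DN's first RDN, or None if it is not uid=."""
    first = re.split(r'(?<!\\),', dn, maxsplit=1)[0].strip()
    attr, _, value = first.partition('=')
    return value.strip().lower() if attr.strip().lower() == 'uid' else None

def check_group_sync(entry: dict) -> dict:
    """Compare member DNs against memberUid values and report mismatches."""
    member_uids = {rdn_uid(dn) for dn in entry.get('member', [])}
    member_uids.discard(None)  # members whose RDN is not uid= cannot be matched
    posix_uids = {u.lower() for u in entry.get('memberUid', [])}
    return {
        'missing_memberUid': sorted(member_uids - posix_uids),
        'missing_member': sorted(posix_uids - member_uids),
        'in_sync': member_uids == posix_uids,
    }

# Constructed sample: 'carol' has a member DN but no memberUid,
# 'dave' has a memberUid but no member DN.
SAMPLE_GROUP = {
    'dn': 'cn=devs,ou=groups,dc=example,dc=org',
    'objectClass': ['hybridGroup'],
    'gidNumber': ['5000'],
    'member': [
        'uid=alice,ou=people,dc=example,dc=org',
        'uid=bob,ou=people,dc=example,dc=org',
        'uid=carol,ou=people,dc=example,dc=org',
    ],
    'memberUid': ['alice', 'bob', 'dave'],
}

if __name__ == '__main__':
    print(check_group_sync(SAMPLE_GROUP))
```

Run it against entries exported with ldapsearch (one dict per group) to spot groups that an application reading only one of the two attributes would see differently.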