Alceu Rodrigues de Freitas Junior wrote:
I guess I failed to express myself properly.
I do know memberOf is not a requirement: regularly exporting data from /etc/passwd, /etc/shadow and /etc/group as LDIF files is working as expected.
But wouldn't it be a better option to use it instead of handling data in multiple places (users and groups) instead of just the groups entries in the tree?
The PAM/NSS functions for interacting with LDAP already know how to efficiently check membership of a user in a group, without using the memberOf attribute.
To check if a user is a member of a specific group, one merely needs to do an LDAP Compare on the group, against member:<user>. To see all members of a group, one just needs to retrieve the group entry.
The memberOf attribute has zero relevance here.
At least this is my understanding regarding the usefulness of memberOf. Not sure either if that would become a performance issue.
On 20/08/2022 19:02, Howard Chu wrote:
You don't need memberOf to maintain /etc/group info in LDAP.