Good knowledge.
-----Original Message-----
From: openldap-technical [mailto:openldap-technical-bounces@openldap.org] On Behalf Of Michael Ströder
Sent: Tuesday, January 03, 2017 3:51 PM
To: Ralf Mattes
Cc: openldap-technical@openldap.org
Subject: Re: ldapsearch filter question
Ralf Mattes wrote:
Furthermore - are you sure you want to search for groupofnames and not posixgroup? Group ID numbers are usually used with POSIX groups and since both posixgroup and groupofnames are structural groups they can't mix. It's actually pretty unlikely that your server holds groupofnames with a numeric group id.
Note that there's RFC2307bis [1] which uses groupOfNames as STRUCTURAL object class and posixGroup as supplement AUXILIARY object class. Some NSS/LDAP clients can use this schema.
In Æ-DIR I use multiple inheritance for the 'aeGroup' [2] STRUCTURAL object class to combine groupOfEntries (which permits empty groups) and classic posixGroup for backward compatibility with NSS/LDAP clients which are only capable of using 'memberUID' as member attribute. Furthermore slapo-constraint ensures that attribute value sets of 'member' and 'memberUID' are in sync.
( 1.3.6.1.4.1.5427.1.389.100.6.1
  NAME 'aeGroup'
  DESC 'AE-DIR: Group entry'
  SUP ( groupOfEntries $ posixGroup $ groupOfURLs $ aeObject )
  STRUCTURAL
  MUST description
  MAY aeDept )
Multiple object class inheritance is not possible with all LDAP servers (e.g. not possible with 389-DS).
Ciao, Michael.
[1] https://tools.ietf.org/html/draft-howard-rfc2307bis#section-4
[2] https://www.ae-dir.com/docs.html#schema-oc-aeGroup
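Added example, not part of the original message and not Æ-DIR code: an offline audit of the 'member' / 'memberUID' consistency that the message says slapo-constraint keeps in sync. It assumes each member DN starts with a single-valued uid= RDN whose value is the matching 'memberUID'; the function names and the sample entries are constructed for illustration.

```python
import re

def leading_uid(dn):
    """Return the value of a leading uid= RDN, or None for any other DN."""
    # First RDN ends at the first comma that is not backslash-escaped.
    first_rdn = re.split(r'(?<!\\),', dn, maxsplit=1)[0]
    attr, sep, value = first_rdn.partition('=')
    if not sep or attr.strip().lower() != 'uid':
        return None
    return re.sub(r'\\(.)', r'\1', value.strip())  # undo escapes such as "\,"

def audit_group(entry):
    """Compare the 'member' and 'memberUID' views of one group entry."""
    member_uids = set(entry.get('memberUID', []))
    derived, unmapped = set(), []
    for dn in entry.get('member', []):
        uid = leading_uid(dn)
        if uid is None:
            unmapped.append(dn)      # member with no uid= RDN (assumption broken)
        else:
            derived.add(uid)
    # Exact comparison: memberUid uses case-exact matching in RFC 2307.
    return {
        'missing_memberUID': sorted(derived - member_uids),
        'orphan_memberUID': sorted(member_uids - derived),
        'unmapped_member': unmapped,
    }

def audit_all(groups):
    """Return only the groups whose two membership views disagree."""
    report = {dn: audit_group(e) for dn, e in groups.items()}
    return {dn: r for dn, r in report.items() if any(r.values())}

BASE = 'dc=example,dc=org'  # constructed sample data, names as in the message
SAMPLE_GROUPS = {
    'cn=ops,ou=groups,' + BASE: {
        'member': ['uid=alice,ou=people,' + BASE, 'UID=bob,ou=people,' + BASE],
        'memberUID': ['alice', 'bob'],
    },
    'cn=dba,ou=groups,' + BASE: {
        'member': ['uid=carol,ou=people,' + BASE, 'cn=svc-backup,ou=services,' + BASE],
        'memberUID': ['carol', 'dave'],
    },
    'cn=empty,ou=groups,' + BASE: {},  # groupOfEntries permits empty groups
}

if __name__ == '__main__':
    for group_dn, drift in audit_all(SAMPLE_GROUPS).items():
        print(group_dn, drift)
```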