Hi,
We usually maintain both the posixGroup and groupOfNames in two separate
subtrees. They have the same members, but each of them is using its own
way to list the members. Our MidPoint is a great tool that can do that
quite easily. It can make sure that both groups are created/deleted,
that a user is a member of both groups, it can manage the sequence of gidNumbers
... and much more. But any decent IDM should work as well. I strongly
recommend this approach. You will need something to manage the directory
content in the long run anyway. IDM systems are designed to do that.
--
Radovan Semancik
Software Architect
evolveum.com
On 09/08/2016 04:52 AM, Ryan Tandy wrote:
> On Wed, Sep 07, 2016 at 11:10:30PM +0200, MegaBrutal wrote:
>> I also figured that memberOf would need groupOfNames groups, while I
>> need posixGroup type groups. I evaluated the possibility to use
>> groupOfNames, but it lacks the necessary gidNumber attribute which is
>> a requirement for Unix groups.
>
> This is the key issue.
>
> A draft schema known as "rfc2307bis" exists, which replaces (!) the
> published RFC2037 schema with one compatible with groupOfNames.
>
> A published solution to this problem does not currently exist. In the
> past year there have been some discussions on the ldapext list. You
> can find the archives of that list at:
>
> https://www.ietf.org/mailman/listinfo/ldapext
>
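The two-subtree layout Radovan describes above (a posixGroup listing members via memberUid and a parallel groupOfNames listing the same people via member DNs) only works if the two stay in sync. The following is an added example, not code from the thread or from MidPoint: a small drift check over constructed LDIF data. The subtree names ou=groups and ou=teams and the sample entries are assumptions; it extracts the uid from each member DN's RDN and reports members present on only one side, plus whether the posixGroup carries the gidNumber that Unix needs.

```python
# Added example (not from the thread): drift check between a posixGroup and its
# parallel groupOfNames, the two-subtree layout Radovan describes. Subtree names
# and the LDIF below are constructed; uid is taken from each member DN's RDN.
import re

SAMPLE_LDIF = """\
dn: cn=devs,ou=groups,dc=example,dc=org
objectClass: posixGroup
cn: devs
gidNumber: 10001
memberUid: alice
memberUid: bob

dn: cn=devs,ou=teams,dc=example,dc=org
objectClass: groupOfNames
cn: devs
member: uid=alice,ou=people,dc=example,dc=org
member: uid=carol,ou=people,dc=example,dc=org
"""

def parse_ldif(text):
    """Parse minimal LDIF (no line folding, no base64) into {dn: {attr: [values]}}."""
    entries = {}
    for block in re.split(r"\n\s*\n", text.strip()):
        attrs = {}
        for line in block.splitlines():
            key, _, value = line.partition(": ")
            attrs.setdefault(key, []).append(value)
        entries[attrs["dn"][0]] = attrs
    return entries

def uid_from_dn(dn):
    """'uid=alice,ou=people,...' -> 'alice'; None if the RDN is not a uid."""
    m = re.match(r"uid=([^,]+)", dn, re.IGNORECASE)
    return m.group(1) if m else None

def check_group_pair(entries, cn, posix_base, names_base):
    """Compare memberUid of the posixGroup with member DNs of the groupOfNames."""
    posix = entries[f"cn={cn},{posix_base}"]
    names = entries[f"cn={cn},{names_base}"]
    posix_uids = set(posix.get("memberUid", []))
    names_uids = {uid_from_dn(dn) for dn in names.get("member", [])} - {None}
    return {
        "has_gid": bool(posix.get("gidNumber")),           # Unix needs gidNumber
        "only_in_posix": sorted(posix_uids - names_uids),
        "only_in_groupofnames": sorted(names_uids - posix_uids),
        "in_sync": posix_uids == names_uids,
    }
```

Run this against an LDIF export of both subtrees (e.g. from ldapsearch) to spot groups where the IDM's synchronisation has been bypassed by a manual edit on one side.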