Arthur de Jong wrote:
> On Mon, 2013-12-23 at 22:52 +0100, Dieter Klünter wrote:
> > You use attribute type uniqueMember without any additional UID in order
> > to enforce uniqueness. The syntax of uniqueMember attribute type is
> > Name and optional UID. But without any additional UID any sort of
> > uniqueness cannot be provided. Just use member attribute type for group
> > membership, unless you want to enforce a proper uniqueness.
> Additionally, if you plan to use the contents of the tree as Unix users
> and want to have reasonable performance for large trees, you should
> - use memberUid attributes
> - use member or uniqueMember with users with uid in the DN
I strongly disagree here.
1. memberUid does not allow using the same group in OpenLDAP ACLs.
Also it's not possible to use slapo-refint to check/update the reference.
Furthermore slapo-memberOf only works with DN-based attributes.
This old group scheme should die, die, die.
2. As explained many times on this list the LDAP syntax
1.3.6.1.4.1.1466.115.121.1.34 (Name And Optional UID) is seriously broken -
especially when adding the arbitrary UID part behind a DN with DirectoryString
syntax in top-level DN part.
> The reason for this is that when you look up group information the
> information returned from a group should also include all the usernames
> of the members.
> Since you cannot do joins in LDAP, every group with member attributes
> such as cn=Joe,ou=People,dc=... will require another lookup per member
> to find the username (uid attribute).
This very much depends on the implementation of the NSS provider. AFAIK sssd
simply searches all posixAccount and posixGroup entries and resolves group
membership internally from the local sssd cache database. If an NSS provider
does not support something similar it should be expanded to do so or one
should not use it at all.
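To make the ACL, slapo-refint and slapo-memberOf points concrete, here is a slapd.conf fragment added as an example (not from this thread or from any poster) that only works because the group stores member DNs; it assumes the suffix dc=example,dc=com, a groupOfNames cn=admins,ou=Groups,dc=example,dc=com, and user entries named uid=<login>,ou=People,dc=example,dc=com.

```conf
# slapd.conf fragment (added example). Assumed directory layout:
#   cn=admins,ou=Groups,dc=example,dc=com   objectClass: groupOfNames
#       member: uid=joe,ou=People,dc=example,dc=com
# The uid in the RDN lets an NSS provider read the login name straight
# from the member DN instead of doing one extra lookup per member.

moduleload      memberof.la
moduleload      refint.la

database        mdb
suffix          "dc=example,dc=com"
rootdn          "cn=admin,dc=example,dc=com"
directory       /var/lib/ldap

# Group-based ACL: "by group" resolves the group's member DNs.
# A posixGroup holding only "memberUid: joe" cannot be referenced here,
# because memberUid values are plain strings, not DNs.
access to dn.subtree="ou=People,dc=example,dc=com"
        by group/groupOfNames/member.exact="cn=admins,ou=Groups,dc=example,dc=com" write
        by self write
        by * read

# Maintain memberOf on user entries from the group's member attribute.
overlay         memberof
memberof-group-oc       groupOfNames
memberof-member-ad      member
memberof-memberof-ad    memberOf
memberof-refint         TRUE

# Rewrite or drop member values when a user entry is renamed or deleted.
# refint can only track DN-valued attributes, so memberUid gets no such
# protection. refint_nothing supplies a placeholder because member is a
# MUST attribute of groupOfNames and the group may not become empty.
overlay         refint
refint_attributes       member
refint_nothing          "cn=placeholder,dc=example,dc=com"
```

Keep the posixGroup/memberUid form (and the per-member lookups the thread describes) only if the NSS provider in use cannot resolve membership from member DNs itself.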