Ryan Tandy wrote:
On Wed, Sep 07, 2016 at 11:10:30PM +0200, MegaBrutal wrote:
I also figured that memberOf would need groupOfNames groups, while I need posixGroup type groups. I evaluated the possibility to use groupOfNames, but it lacks the necessary gidNumber attribute which is a requirement for Unix groups.
This is the key issue.
A draft schema known as "rfc2307bis" exists, which replaces (!) the published RFC2037 schema with one compatible with groupOfNames.
A published solution to this problem does not currently exist. In the past year there have been some discussions on the ldapext list. You can find the archives of that list at:
Yet another approach: ;-)
In Æ-DIR I've declared hybrid groups derived from posixGroup (RFC 2307) and groupOfEntries for empty groups (see [1]) to accommodate legacy components not capable of being configured to RFC2307bis:
# This allows mixed group schema # also "dynamic groups" based on groupOfURLs/memberURL objectclass ( ae-dir-oc:1 NAME 'aeGroup' X-ORIGIN 'AE-DIR' DESC 'AE-DIR: Group entry' STRUCTURAL SUP ( groupOfEntries $ posixGroup $ groupOfURLs $ aeObject ) MUST ( description ) )
Furthermore a constraint to ensure consistency of 'member' and 'memberUID':
constraint_attribute memberUID,member set "this/memberUID & this/member/uid" restrict="ldap:///ou=ae-dir??sub"
[1] https://tools.ietf.org/html/draft-findlay-ldap-groupofentries
Ciao, Michael.