Ryan Tandy wrote:
On Wed, Sep 07, 2016 at 11:10:30PM +0200, MegaBrutal wrote:
> I also figured that memberOf would need groupOfNames groups, while I need
> posixGroup type groups. I evaluated the possibility to use groupOfNames, but
> it lacks the necessary gidNumber attribute which is a requirement for Unix
> groups.
This is the key issue.
A draft schema known as "rfc2307bis" exists, which replaces (!) the published
RFC2037 schema with one compatible with groupOfNames.
A published solution to this problem does not currently exist. In the past year
there have been some discussions on the ldapext list. You can find the archives
of that list at:
https://www.ietf.org/mailman/listinfo/ldapext
Yet another approach: ;-)
In Æ-DIR I've declared hybrid groups derived from posixGroup (RFC 2307) and
groupOfEntries for empty groups (see [1]) to accommodate legacy components not
capable of being configured to RFC2307bis:
# This allows mixed group schema
# also "dynamic groups" based on groupOfURLs/memberURL
objectclass ( ae-dir-oc:1
NAME 'aeGroup'
X-ORIGIN 'AE-DIR'
DESC 'AE-DIR: Group entry'
STRUCTURAL
SUP ( groupOfEntries $ posixGroup $ groupOfURLs $ aeObject )
MUST ( description ) )
Furthermore a constraint to ensure consistency of 'member' and
'memberUID':
constraint_attribute memberUID,member
set "this/memberUID & this/member/uid"
restrict="ldap:///ou=ae-dir??sub"
[1]
https://tools.ietf.org/html/draft-findlay-ldap-groupofentries
Ciao, Michael.
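An offline audit of the consistency the constraint above is meant to enforce (memberUID values must correspond to the uid of an entry listed in member), as an added example that is not part of Æ-DIR or the original post. The user and group entries are constructed sample data with hypothetical DNs; the check also reports the drift slapo-constraint cannot catch after the fact, such as a dangling member DN.

```python
# Constructed sample directory, modelled on the hybrid aeGroup class
# (posixGroup + groupOfEntries). Example code, not AE-DIR's own.
USERS = {
    "uid=alice,ou=people,ou=ae-dir": {"uid": "alice"},
    "uid=bob,ou=people,ou=ae-dir": {"uid": "bob"},
    "uid=carol,ou=people,ou=ae-dir": {"uid": "carol"},
}

GROUPS = {
    "cn=admins,ou=groups,ou=ae-dir": {
        "gidNumber": 10001,
        "member": ["uid=alice,ou=people,ou=ae-dir", "uid=bob,ou=people,ou=ae-dir"],
        "memberUid": ["alice", "bob"],
    },
    "cn=ops,ou=groups,ou=ae-dir": {
        "gidNumber": 10002,
        "member": ["uid=carol,ou=people,ou=ae-dir"],
        # bob was dropped from member but still holds Unix group access via memberUid
        "memberUid": ["carol", "bob"],
    },
    "cn=audit,ou=groups,ou=ae-dir": {
        "gidNumber": 10003,
        # the second member DN points at an entry that no longer exists
        "member": ["uid=alice,ou=people,ou=ae-dir", "uid=dave,ou=people,ou=ae-dir"],
        "memberUid": ["alice"],
    },
}


def member_uids(group, users):
    """Evaluate the set expression 'this/member/uid': follow each member DN
    to its entry and collect the uid values. Dangling DNs contribute nothing."""
    return {users[dn]["uid"] for dn in group.get("member", []) if dn in users}


def check_group(group, users):
    """Return (memberUid values not backed by any member entry,
    uids of member entries missing from memberUid, dangling member DNs)."""
    uids = member_uids(group, users)
    stale = sorted(set(group.get("memberUid", [])) - uids)
    missing = sorted(uids - set(group.get("memberUid", [])))
    dangling = sorted(dn for dn in group.get("member", []) if dn not in users)
    return stale, missing, dangling


def audit(groups, users):
    """Map each inconsistent group DN to its findings; consistent groups are omitted."""
    report = {}
    for dn, group in groups.items():
        stale, missing, dangling = check_group(group, users)
        if stale or missing or dangling:
            report[dn] = {"stale": stale, "missing": missing, "dangling": dangling}
    return report
```

Run it against a real export by replacing USERS and GROUPS with entries read from an LDIF dump; a "stale" finding is a Unix-side grant with no corresponding DN membership.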