On 2015-11-21 17:27, Michael Ströder wrote:
> M. P. wrote:
>>> In this case slapo-refint's own modification is internal and therefore
>>> refint_nothing applies. But it does apply when the modification comes
>>> from an external LDAP client.
>>
>> Isn't there a "not" missing in the last sentence?
>
> Yes, should read "But it does not apply".
>
>>> Thinking about the empty-groupOfNames-problem some more I consider to
>>> define a cn=dummy value to be always present in groupOfNames entries and
>>> apply val-based ACLs to make it invisible and unremovable for normal
>>> clients (even the ones maintaining the groups).
>>
>> Yep, I thought about some trick like this. I thought also about the
>> modification of the groupOfNames objectClass but this one does not have
>> the preference of my manager :)
>
> Yes, mucking around with standard schema descriptions is not the right way.
>
> You could use groupOfEntries which was exactly defined for that purpose:
> https://tools.ietf.org/html/draft-findlay-ldap-groupofentries

I was not aware of this one, yet I searched for alternatives. Thanks.

>> I have to find now how to add automatically a user to a group. ;)
>
> Whatever "automatically" means in your context...

I meant that at the creation of a groupOfNames, the placeholder would be
added without user intervention. With groupOfEntries, there is no need
anymore for that but for my knowledge, it will be interesting.

> Ciao, Michael.
--
------------
M. P.