Hi
I've sifted through the mailing list archive in search of an answer to how one combines posixAccount with posixGroup for filtering, with the memberof overlay. The only answer I found was that it wasn't possible. What I've tried was adding:

    overlay memberof
    memberof-group-oc posixGroup
    memberof-member-ad memberUid

Which doesn't work. I get the following error message:

    /etc/openldap2.4/slapd.conf: line 173: member attribute="memberUid" must either have DN (1.3.6.1.4.1.1466.115.121.1.12) or nameUID (1.3.6.1.4.1.1466.115.121.1.34) syntax.

According to earlier mailing list posts, memberUid can't be used with memberof. The other solution that crossed my mind was adding a member attribute in the posixGroup which is linked with the posixAccount DN whenever I add a memberUid to the group. I haven't tested it yet, though, as my schema-fu is limited.
This seems like the wrong approach though. What I want to do is use an LDAP query filter to check if a posixAccount is a member of a group with the same name as the server, i.e. retrieving all valid accounts for that particular server with (&(objectClass=posixAccount)(memberof=cn=servername,ou=group,dc=base)). This is with standard LDAP on AIX as the client and OpenLDAP 2.4.18 as the server. Linux clients and HP-UX clients also connect to this LDAP server though, so the options regarding the layout of the tree are limited.
So my questions to you, dear internet mailing list heroes, are:

* Is there an easy way to combine posixAccount with posixGroup?
* Is the hard way feasible if not?
* Are some of you using some better way of managing logins on AIX with an LDAP server shared with operating system logins?
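
An added example, not part of the original post and not OpenLDAP code: since memberUid holds login names rather than DNs, a client can resolve the group in two steps, reading the group's memberUid values and then building an escaped posixAccount filter from them. It assumes each memberUid value equals the account's uid attribute; the LDIF below is constructed sample data, and the function names are hypothetical.

```python
import base64

# RFC 4515 escapes for assertion values; unescaped names could alter the filter.
_ESCAPES = {"\\": r"\5c", "*": r"\2a", "(": r"\28", ")": r"\29", "\x00": r"\00"}

def escape_filter_value(value):
    return "".join(_ESCAPES.get(ch, ch) for ch in value)

def member_uids(ldif_text):
    """Collect memberUid values from the LDIF of a posixGroup entry."""
    uids = []
    for line in ldif_text.splitlines():
        name, sep, rest = line.partition(":")
        if not sep or name.lower() != "memberuid":
            continue
        if rest.startswith(":"):  # "memberUid:: <base64>" form
            value = base64.b64decode(rest[1:].strip()).decode("utf-8")
        else:
            value = rest.strip()
        if value and value not in uids:
            uids.append(value)
    return uids

def account_filter(uids):
    """Filter for the posixAccount entries named by the group's memberUid values."""
    if not uids:
        # An empty group must match nobody, not every account.
        return "(&(objectClass=posixAccount)(!(objectClass=*)))"
    terms = "".join("(uid=%s)" % escape_filter_value(u) for u in uids)
    return "(&(objectClass=posixAccount)(|%s))" % terms

# Constructed sample: the group named after the server, as in the post.
SAMPLE_GROUP_LDIF = """\
dn: cn=servername,ou=group,dc=base
objectClass: posixGroup
cn: servername
gidNumber: 5001
memberUid: alice
memberUid: bob*
memberUid:: Y2Fyb2w=
"""

if __name__ == "__main__":
    print(account_filter(member_uids(SAMPLE_GROUP_LDIF)))
```

The resulting filter is used for a second search under the accounts subtree; folded (wrapped) LDIF lines are not handled here.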