Re: Oracle OpenLDAP PPolicy ppolicy and the hierarchy
On Mon, 2013-12-23 at 22:52 +0100, Dieter Klünter wrote:
You use attribute type uniqueMember without any additional UID in
order
to enforce uniqueness. The syntax of uniqueMember attribute type is
Name and optional UID. But without any additional UID any sort of
uniqueness cannot be provided. Just use member attribute type for group
membership, unless you want to enforce a proper uniqueness.
Additionally, if you plan to use the contents of the tree as Unix users
and want to have reasonable performance for large trees, you should
either:
- use memberUid attributes
- user member or uniqueMember with user with uid in the DN
The reason for this is that whet you lookup group information the
information returned from a group should also include all the usernames
of the members.
Since you cannot do joins in LDAP, every group with member attributes
such as cn=Joe,ou=People,dc=... will require another lookup per member
to find the username (uid attribute).
--
-- arthur - arthur(a)arthurdejong.org - http://arthurdejong.org/ --
Attachments:
- signature.asc (application/pgp-signature — 836 bytes)