Arthur de Jong wrote:
> On Wed, 2013-12-25 at 16:44 +0100, Michael Ströder wrote:
>> Furthermore there's slapo-deref which seems to work. The client control can be used to retrieve all the 'uid' values in member entries. The NSS provider has to extract the 'uid' values from the response control value.
>
> Sadly, the Internet Draft expired without turning into an RFC.

Like many other expired Internet drafts we use (e.g. draft-behera-ldap-password-policy in the context of the thread).

> I also can't find any documentation on slapo-deref, do you have any pointers?

There's no official documentation yet. Simply build and enable the overlay and try yourself.

> Also, do you have any idea whether this is implemented by a significant part of the LDAP servers out there (is it worth the effort to implement this client-side)?

It works with OpenLDAP servers. AFAICS sssd has client code using it.

> There is also a memberof overlay that populates memberOf attributes in users. Would it be difficult to make a memberuid overlay that populates memberUid attributes in the group?

Of course you can implement a slapo-memberuid and a slapo-attrvalueref if you have enough spare time. There's also some experimental code in OpenLDAP's contrib/ to use posixGroup/memberUID in ACLs. But IMO there's absolutely no valid reason for wasting the time doing so.

Ciao, Michael.
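
Added example, not part of the original message and not code from OpenLDAP, sssd or any NSS provider: a sketch of the client side described above, building the dereference request value for `member` -> `uid` and extracting the `uid` values from a response control value with bounds-checked BER parsing. The ASN.1 layout is assumed from the expired draft (draft-masarati-ldap-deref), and the sample response and its DNs are constructed.

```python
def tlv(tag, payload):  # encode one BER TLV with a definite length
    n = len(payload)
    raw = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag]) + (bytes([n]) if n < 0x80 else bytes([0x80 | len(raw)]) + raw) + payload

def read_tlvs(buf):
    """Split buf into (tag, payload) pairs, rejecting malformed lengths."""
    out, i = [], 0
    while i < len(buf):
        if i + 2 > len(buf):
            raise ValueError("truncated TLV header")
        tag, n, i = buf[i], buf[i + 1], i + 2
        if n == 0x80:
            raise ValueError("indefinite length not allowed")
        if n & 0x80:  # long form: low 7 bits count the length octets
            k = n & 0x7F
            n, i = int.from_bytes(buf[i:i + k], "big"), i + k
        if i + n > len(buf):
            raise ValueError("length exceeds buffer")
        out.append((tag, buf[i:i + n]))
        i += n
    return out

def deref_request_value(deref_attr, attrs):
    """Assumed layout: SEQUENCE OF SEQUENCE { derefAttr, SEQUENCE OF attr }."""
    wanted = tlv(0x30, b"".join(tlv(0x04, a.encode()) for a in attrs))
    return tlv(0x30, tlv(0x30, tlv(0x04, deref_attr.encode()) + wanted))

def deref_response_values(value, want="uid"):
    """Map each dereferenced DN to its `want` values from a response control value."""
    (tag, body), = read_tlvs(value)
    if tag != 0x30:
        raise ValueError("expected SEQUENCE OF DerefRes")
    result = {}
    for _, res in read_tlvs(body):
        # Assumed fields: derefAttr, derefVal (DN), optional [0] attrVals
        _, (_, dn), *rest = read_tlvs(res)
        vals = []
        for _, attr_list in (f for f in rest if f[0] == 0xA0):
            for _, pa in read_tlvs(attr_list):
                (_, atype), (_, vset) = read_tlvs(pa)
                if atype.decode().lower() == want:
                    vals += [v.decode() for _, v in read_tlvs(vset)]
        result[dn.decode()] = vals
    return result

def _res(dn, uid=None):  # constructed sample DerefRes; no attrVals when uid is None
    av = tlv(0xA0, tlv(0x30, tlv(0x04, b"uid") + tlv(0x31, tlv(0x04, uid)))) if uid else b""
    return tlv(0x30, tlv(0x04, b"member") + tlv(0x04, dn) + av)
SAMPLE = tlv(0x30, _res(b"uid=alice,ou=people,dc=example,dc=org", b"alice") + _res(b"cn=gone,dc=example,dc=org"))
```

A member whose entry returns no `uid` (the second constructed result) maps to an empty list, so the caller has to decide how to treat group members it cannot resolve.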