Arthur de Jong wrote:
> On Wed, 2013-12-25 at 16:44 +0100, Michael Ströder wrote:
> > Furthermore there's slapo-deref which seems to work. The client
> > control can be used to retrieve all the 'uid' values in member
> > entries. The NSS provider has to extract the 'uid' values from the
> > response control value.
> >
> > See https://tools.ietf.org/html/draft-masarati-ldap-deref
>
> Sadly, the Internet Draft expired without turning into an RFC.

Like many other expired Internet drafts we use (e.g.
draft-behera-ldap-password-policy in the context of the thread).

> I also can't find any documentation on slapo-deref, do you have any
> pointers?

There's no official documentation yet. Simply build and enable the overlay and
try yourself.

> Also, do you have any idea whether this is implemented by a significant
> part of the LDAP servers out there (is it worth the effort to implement
> this client-side)?

It works with OpenLDAP servers. AFAICS sssd has client code using it.

> There is also a memberof overlay that populates memberOf attributes in
> users. Would it be difficult to make a memberuid overlay that populates
> memberUid attributes in the group?

Of course you can implement a slapo-memberuid and a slapo-attrvalueref if you
have enough spare time. There's also some experimental code in OpenLDAP's
contrib/ to use posixGroup/memberUID in ACLs. But IMO there's absolutely no
valid reason for wasting the time doing so.

Ciao, Michael.
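
The extraction step mentioned in the quoted text (pulling 'uid' values out of the deref response control value), sketched as an added example that is not part of this message and is not code from nss-pam-ldapd, sssd or OpenLDAP. It assumes the DerefRes layout from draft-masarati-ldap-deref; the function names and the sample bytes are constructed for illustration.

```python
# Added example. Assumed layout (draft-masarati-ldap-deref):
#   controlValue ::= SEQUENCE OF DerefRes
#   DerefRes ::= SEQUENCE { derefAttr, derefVal LDAPDN, attrVals [0] OPTIONAL }
def read_tlv(buf, pos):
    """Return (tag, value, next_pos) for the BER element starting at pos."""
    if pos + 2 > len(buf):
        raise ValueError("truncated BER header")
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:  # long-form length: low bits give the octet count
        n = length & 0x7F
        if not 1 <= n <= 4 or pos + n > len(buf):
            raise ValueError("unsupported or truncated length")
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    if pos + length > len(buf):
        raise ValueError("element overruns buffer")
    return tag, buf[pos:pos + length], pos + length

def children(buf):
    """Return [(tag, value), ...] for the elements directly inside buf."""
    out, pos = [], 0
    while pos < len(buf):
        tag, val, pos = read_tlv(buf, pos)
        out.append((tag, val))
    return out

def member_uids(control_value, want=b"uid"):
    """Map each dereferenced DN to the 'uid' values the server returned."""
    tag, body, end = read_tlv(control_value, 0)
    if tag != 0x30 or end != len(control_value):
        raise ValueError("control value is not a single SEQUENCE")
    result = {}
    for _, res in children(body):  # one DerefRes per dereferenced value
        _, (_, dn), *rest = children(res)  # derefAttr, derefVal, [attrVals]
        uids = result.setdefault(dn.decode(), [])
        for _, attrs in (f for f in rest if f[0] == 0xA0):  # attrVals [0]
            for _, pa in children(attrs):  # PartialAttribute: type, SET of vals
                (_, atype), (_, vals) = children(pa)[:2]
                if atype.lower() == want:
                    uids += [v.decode() for _, v in children(vals)]
    return result

def tlv(tag, *parts):  # short-form BER encoder, used only to build the sample
    payload = b"".join(parts)
    return bytes([tag, len(payload)]) + payload

# Constructed sample: one member with a uid, one (a nested group) without.
SAMPLE = tlv(0x30,
    tlv(0x30, tlv(4, b"member"), tlv(4, b"uid=alice,ou=people,dc=example,dc=com"),
        tlv(0xA0, tlv(0x30, tlv(4, b"uid"), tlv(0x31, tlv(4, b"alice"))))),
    tlv(0x30, tlv(4, b"member"), tlv(4, b"cn=admins,ou=groups,dc=example,dc=com")))
```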