Michael Ströder wrote:
On 8/21/22 16:51, Alceu Rodrigues de Freitas Junior wrote:
I do know memberOf is not a requirement: regularly exporting data from /etc/passwd, /etc/shadow and /etc/group as LDIF files is working as expected.
But wouldn't it be a better option to use it, rather than handling data in multiple places (users and groups) instead of just the group entries in the tree?
At least this is my understanding regarding the usefulness of memberOf. Not sure either if that would become a performance issue.
Not sure I really understand what you're after, but I'll give it a try:
With POSIX groups, besides determining a user's group membership you also have to read some POSIX group attributes like cn and gidNumber from the LDAP posixGroup entry.
Simple NSS clients can build the passwd and group maps by just reading all posixGroup and posixAccount entries at once (full enumeration).
This might not work in bigger environments with several tens of thousands of possibly very large groups. So some NSS clients allow disabling enumeration of the whole maps and try to read data just when needed. In such a situation it can be useful to make use of the memberOf attribute, e.g. when determining the group membership of a single user, to avoid having to read the full and possibly very big group entries. Together with slapo-deref the NSS client can also read the group entries' POSIX attribute gidNumber referenced by the user entry in one round-trip.
You can just search for all groups where member=<user>, returning no attributes, or returning only cn and gidNumber. Again, memberOf is not helpful here and no other extensions are needed.
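The "search for all groups where member=<user>, returning only cn and gidNumber" approach above, worked through as an added example that is not code from this thread or from OpenLDAP: it builds the search filter with RFC 4515 escaping of the user DN (so a DN containing `*`, `(` or `)` is matched literally instead of rewriting the filter), parses the LDIF that such a search returns, and reduces it to the (gidNumber, cn) pairs an NSS initgroups-style lookup needs. The base DN, user DN and the LDIF response are constructed sample values.

```python
"""
Added example (not from the thread): resolve one user's POSIX group
membership with a single search for member=<user DN>, requesting only
cn and gidNumber, then turn the LDIF result into initgroups-style data.
All DNs and the LDIF below are constructed sample values.

The equivalent command-line search would be roughly:
  ldapsearch -LLL -b ou=groups,dc=example,dc=org \
      '(&(objectClass=posixGroup)(member=uid=alice,ou=people,dc=example,dc=org))' cn gidNumber
"""
import base64
import re

# Bytes that RFC 4515 requires to be escaped inside a filter assertion value.
_FILTER_SPECIAL = {0x00, 0x28, 0x29, 0x2A, 0x5C}  # NUL ( ) * \


def escape_filter_value(value: str) -> str:
    """Escape an assertion value for use in an LDAP search filter (RFC 4515).

    Without this, a DN or username containing '*', '(' or ')' would change
    the meaning of the filter instead of being matched literally.
    """
    out = []
    for byte in value.encode("utf-8"):
        if byte in _FILTER_SPECIAL or byte < 0x20 or byte > 0x7E:
            out.append("\\%02x" % byte)
        else:
            out.append(chr(byte))
    return "".join(out)


def member_groups_filter(user_dn: str) -> str:
    """Filter for 'all posixGroup entries that list user_dn as a member'."""
    return "(&(objectClass=posixGroup)(member=%s))" % escape_filter_value(user_dn)


_ATTR_RE = re.compile(r"^([A-Za-z][\w.;-]*)(::?) ?(.*)$")


def parse_ldif(text: str) -> list:
    """Minimal LDIF content-record parser: unfolds continuation lines,
    decodes base64 ('::') values and returns one dict per entry,
    attribute names lower-cased, values as lists."""
    unfolded = []
    for line in text.splitlines():
        if line.startswith(" ") and unfolded:
            unfolded[-1] += line[1:]      # continuation of the previous line
        else:
            unfolded.append(line)

    entries, current = [], {}
    for line in unfolded:
        if not line.strip():              # blank line ends an entry
            if current:
                entries.append(current)
                current = {}
            continue
        if line.startswith("#"):
            continue
        m = _ATTR_RE.match(line)
        if not m:
            raise ValueError("malformed LDIF line: %r" % line)
        attr, sep, raw = m.groups()
        value = base64.b64decode(raw).decode("utf-8") if sep == "::" else raw
        current.setdefault(attr.lower(), []).append(value)
    if current:
        entries.append(current)
    return entries


def supplementary_groups(ldif_text: str) -> list:
    """Return sorted (gidNumber, cn) pairs from a cn/gidNumber-only result.

    Entries missing either attribute are skipped: a posixGroup without a
    gidNumber cannot be mapped to a POSIX group and must not silently
    become gid 0.
    """
    groups = []
    for entry in parse_ldif(ldif_text):
        gids = entry.get("gidnumber")
        names = entry.get("cn")
        if not gids or not names:
            continue
        groups.append((int(gids[0]), names[0]))
    return sorted(groups)


# Constructed sample response to the search above (not real directory data).
# The first dn is folded over two lines, the second cn is base64-encoded,
# and the third entry lacks gidNumber, to exercise each parser path.
SAMPLE_LDIF = """\
dn: cn=developers,ou=groups,
 dc=example,dc=org
cn: developers
gidNumber: 10001

dn: cn=ops,ou=groups,dc=example,dc=org
cn:: b3Bz
gidNumber: 10002

dn: cn=broken,ou=groups,dc=example,dc=org
cn: broken
"""

if __name__ == "__main__":
    print(member_groups_filter("uid=alice,ou=people,dc=example,dc=org"))
    for gid, name in supplementary_groups(SAMPLE_LDIF):
        print("%s gid=%d" % (name, gid))
```

The escaping step is the part worth keeping even if the rest is replaced by a real client library: the user DN (or uid) is attacker-influenced input the moment it comes from a login prompt, so it must be escaped before it is spliced into the filter.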