On 1/3/22 20:13, Stefan Kania wrote:
> That's why I build my own objectClass for posixAccount and PosixGroup:
> [..]
> olcObjectClasses: ( 1.3.6.1.4.1.56860.1.2.2 NAME 'stkaPosixAccount' DESC 'advanced PosixAccount for dynamic use' SUP posixAccount AUXILIARY MAY ( memberUID ) )

'memberUid' is an RFC 2307 attribute in 'posixGroup' entries.
Not sure what semantics you want to define. But IMO the above does not make sense at all and you likely will run into funny effects with some LDAP clients which interpret these attributes in a certain way.

> I can see the group with "getent groups". I use sssd on the client.

This is rather unrelated to your original question. An NSS service (e.g. sssd) can do whatever it likes to build password and group maps.
Ciao, Michael.