Maybe I’m just being delusional in thinking that this should work... I’m running OpenLDAP 2.4.23 on IBM AIX for authentication on a variety of AIX, Linux and web applications.
As we need to use both Posixgroup and groupOfNames objects with the same membership, the dynamic list overlay seems like an ideal approach. This configuration appeared to work fine for our linux hosts and web applications, but not so well for our AIX hosts:
In slapd.conf:
overlay dynlist
dynlist-attrset posixGroup labeledURI memberUid:uid
Ldap object:
dn: cn=testgroup,cn=testgroup,ou=unix,ou=groups,ou=unix,st=or,c=us
cn: testgroup
objectClass: top
objectClass: posixGroup
objectClass: labeledURIObject
gidNumber: 1000
labeledURI: ldap:///ou=unix,st=or,c=us?uid?sub?(memberof=cn=testgroup,ou=unix,ou=groups,ou=unix,st=or,c=us)
memberUid: chogensen
memberUid: jbagley
However, the AIX hosts do a search for ‘(memberUid=jbagley)’ to determine group membership and the ldap server does not return the above object. I’m guessing that I was wrong in assuming the overlay would handle this type of application and that I will have to find another way. Anyone have any helpful tips? Advice? Condolences if I now have to manage twice as many group objects?
Thanks!
James Bagley Jr
State of Oregon Data Center