Ian Collins wrote:
Hello again,
My earlier thread appears to have been hijacked, so I'm starting a new one for the summary of my investigations.
My current understanding is as follows:
There are three overlays that can be used to manage groups dynamically: dynlist, autogroup and memberof.
- dynlist works well for including members specified in a URL in the result of a search on a group. The dynamic members can not be included in a search filter.
- autogroup works well for including members specified in a URL in the result of a search on a group. The dynamic members can be included in a search filter, but the only supported list attribute is 'member', which limits its use.
That's false, you can configure it to use any attribute type.
However, uniqueMember is a broken attribute type and should not be used by any LDAP software.
- memberof works well for reverse group management, including the group DN in the entries for group members. It only works with DN-valued attributes, so it can't be used with clients that expect POSIX group members to be listed by 'memberUid' rather than 'member'.
POSIX group / memberUid is deprecated, no new LDAP clients should be using it anyway.
uniqueMember and memberUid have been discussed at length on these mailing lists before, so I won't elaborate again here. Search the archives for context.
From the above, I don't see a way to use OpenLDAP in an existing environment where dynamic groups are searched for by members and don't list their members with the 'member' attribute.
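As an added illustration of the point above that autogroup's member attribute is configurable (this is an example fragment, not configuration from either poster), a slapd.conf-style overlay stanza that writes the URL search results into roleOccupant instead of member; the database, group object class and attribute names are assumed:

```conf
# Added example: autogroup on a database, storing dynamic members in a
# DN-valued attribute other than 'member'.
# Syntax: autogroup-attrset <group-objectclass> <url-attribute> <member-attribute>
overlay autogroup
# groupOfURLs entries carry memberURL; matching entry DNs are written to
# roleOccupant (assumed to be an allowed attribute in the group's schema).
autogroup-attrset groupOfURLs memberURL roleOccupant
# Optional: also maintain a reverse attribute on each member entry.
autogroup-memberof-ad memberOf
```

Because autogroup stores entry DNs, the chosen attribute must still be DN-valued; it does not help with clients that expect memberUid.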