--On Monday, June 6, 2022 7:06 PM +0200 Michael Ströder michael@stroeder.com wrote:
On 6/6/22 17:35, Quanah Gibson-Mount wrote:
--On Monday, June 6, 2022 5:19 PM +0200 Michael Ströder michael@stroeder.com wrote:
Like it or not, for strictly matching POSIX group names you *must* distinguish these values no matter what the LDAP matching rule says:
memberOf: cn=Foo,ou=1,dc=example,dc=com
memberOf: cn=foo,ou=2,dc=example,dc=com
This is your personal interpretation based on focusing on the DN matching rule.
That is not an "interpretation". Those are literally two completely different entries as they exist in entirely different namespaces. The first is in ou=1, the second is in ou=2. This is a fundamental concept of LDAP (regardless of whether or not underneath they could point to the same entry using back-relay or slapo-rwm or something). DNs are by definition unique and point to a singular unique object.
--Quanah