Aneela Saleem wrote:
> I have used 'posixGroup' objectClass for creating groups, and 'posixAccount' object class for creating users, which uses 'gidNumber' property to associate to a specific group (created by posixGroup).
No! This is likely a big misunderstanding.
The attribute 'gidNumber' in 'posixAccount' entry solely specifies the *primary* group of a POSIX user account (like in /etc/passwd).
When using traditional 'posixGroup' entries, the multi-valued attribute 'memberUID' contains the usernames of the group members.
> I have to sync LDAP users/groups in Apache Ranger, that uses 'groupOfNames' object class and 'member/memberof' property in user object. But in 'groupOfNames' objectClass we have to add members at the time of creation of group.
> Is there any way that we can add members to already created groups later on?
Yes. With an LDAP modify operation.
Example as LDIF change record:
dn: cn=group 1,dc=example,dc=com
changetype: modify
add: member
member: uid=user1,dc=example,dc=com
-
Similar for removing group membership etc.
Ciao, Michael.
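
An added example, not part of the original message: Python code that builds the LDIF change record shown above from posixGroup/posixAccount data, so that existing 'memberUID' and primary 'gidNumber' memberships can be added to an already created groupOfNames entry. The function names, the sample entries and the uid=<name>,dc=example,dc=com user DN layout are assumptions; including the primary-group users is a choice made for this example.

```python
import base64

def ldif_line(attr, value):
    """One LDIF attribute line; base64 ('::') when the value is not an RFC 2849 SAFE-STRING."""
    raw = value.encode("utf-8")
    safe = (raw and raw[0] not in b" :<" and not raw.endswith(b" ")
            and all(b < 128 and b not in (0, 10, 13) for b in raw))
    if safe:
        return f"{attr}: {value}"
    return f"{attr}:: {base64.b64encode(raw).decode('ascii')}"

def rdn_escape(value):
    """Escape an RDN value (RFC 4514) so a username cannot change the DN structure."""
    chars = ["\\" + c if c in ',+"\\<>;=' else c for c in value]
    if chars and chars[0] in ("#", " "):
        chars[0] = "\\" + chars[0]
    if len(chars) > 1 and chars[-1] == " ":
        chars[-1] = "\\ "
    return "".join(chars)

def posix_usernames(group, accounts):
    """memberUid values plus accounts whose primary gidNumber is this group (example's choice)."""
    names = list(group.get("memberUid", []))
    names += [a["uid"] for a in accounts if a["gidNumber"] == group["gidNumber"]]
    return list(dict.fromkeys(names))  # de-duplicate, keep order

def member_change_record(group_dn, usernames, user_base, op="add"):
    """LDIF modify record that adds or deletes 'member' values on an existing group."""
    if op not in ("add", "delete") or not usernames:
        raise ValueError("op must be 'add' or 'delete' and usernames must not be empty")
    lines = [ldif_line("dn", group_dn), "changetype: modify", f"{op}: member"]
    lines += [ldif_line("member", f"uid={rdn_escape(u)},{user_base}") for u in usernames]
    return "\n".join(lines + ["-"]) + "\n"

# Constructed sample entries (hypothetical data, reduced to the attributes used here)
GROUP = {"cn": "group 1", "gidNumber": "5000", "memberUid": ["user1", "müller"]}
ACCOUNTS = [{"uid": "user2", "gidNumber": "5000"}, {"uid": "user3", "gidNumber": "5001"}]

if __name__ == "__main__":
    print(member_change_record("cn=group 1,dc=example,dc=com",
                               posix_usernames(GROUP, ACCOUNTS), "dc=example,dc=com"))
```

The same record with op="delete" removes the listed members; a server rejects an add for a member value that is already present.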