Hello:
We are running openldap 2.4.11. The "base" dn is "dc=foo,dc=com"; under this, there are two organizational units, "ou=people,dc=foo,dc=com" and "dc=groups,dc=foo,dc=com".
Entries under "groups" use objectclass groupOfNames. Entries under "people" use objectclass inetOrgPerson.
Each group entry has some "member" attributes, each of them "pointing" to one user dn. With this we have the "list of members that the group has".
Also, we are using the "memberof" overlay (memberof.la) that automatically "inserts" "memberof" attributes into each user, so each user has a list of memberof attributes (one for each group that the user belongs to).
At this point all is OK and working fine.
Now we need another overlay that "inserts" a new "text" attribute for each user, called for example "groups", that contains a string with all the groups that the user belongs to. Note that we need to have this with only ONE attribute (NOT one attribute for each group that the user belongs to). For example:
groups: g1,g2,g3
Not:
groups: g1
groups: g2
groups: g3
Is it possible? How?
Thanks a lot and best regards
> Is it possible?
Not with stock OpenLDAP. Also, this is an abuse of LDAP's data model.
> How?
You can do this by implementing a custom overlay.
p.
openldap-technical@openldap.org