Good afternoon,
I am working to migrate my LDAP setup to OpenLDAP; however, I have run into a problem around group membership.
Specifically, my old instance of LDAP used the attribute "groupMembership" and I need to support this moving forward, so if you were to query the attribute "groupMembership" it needs to return the groups the user is part of.
Currently in my test environment I have the memberof overlay working, and I found the option
*memberof-memberof-ad*
which should allow me to create a custom attribute named "groupMembership" and point the overlay at that attribute. I am really hoping to avoid this though and would much rather have a cleaner solution. Maybe some type of interface that just acts as a pointer to the memberof attribute when they query groupMembership? But I am not familiar enough with openldap to know whether this is even possible.
So I guess my question is: is the custom attribute going to be the solution here, or is there another tool that I am unaware of?
I would migrate the schema too. Seems to be the correct thing to do...
Nick
On Mon, Nov 1, 2021 at 12:15 PM Keith LeValley klevalley2@davenport.edu wrote:
Good afternoon,
I am working to migrate my LDAP setup to OpenLDAP; however, I have run into a problem around group membership.
Specifically, my old instance of LDAP used the attribute "groupMembership" and I need to support this moving forward, so if you were to query the attribute "groupMembership" it needs to return the groups the user is part of.
Currently in my test environment I have the memberof overlay working, and I found the option
*memberof-memberof-ad*
which should allow me to create a custom attribute named "groupMembership" and point the overlay at that attribute. I am really hoping to avoid this though and would much rather have a cleaner solution. Maybe some type of interface that just acts as a pointer to the memberof attribute when they query groupMembership? But I am not familiar enough with openldap to know whether this is even possible.
So I guess my question is: is the custom attribute going to be the solution here, or is there another tool that I am unaware of?
-- Keith LeValley Identity Services Architect, Davenport University phone: (616) 732-1102 klevalley2@davenport.edu
--On Monday, November 1, 2021 11:53 AM -0400 Keith LeValley klevalley2@davenport.edu wrote:
Good afternoon,
I am working to migrate my LDAP setup to OpenLDAP; however, I have run into a problem around group membership.
Specifically, my old instance of LDAP used the attribute "groupMembership" and I need to support this moving forward, so if you were to query the attribute "groupMembership" it needs to return the groups the user is part of.
Currently in my test environment I have the memberof overlay working, and I found the option
memberof-memberof-ad
The memberof Overlay is deprecated and should not be used. Ensure you are using OpenLDAP 2.5 or later, and use the slapo-dynlist overlay to dynamically populate the attribute for you based on your existing LDAP groups. I would also look at fixing any application using "groupMembership" to use the common memberOf.
--Quanah
--
Quanah Gibson-Mount Product Architect Symas Corporation Packaged, certified, and supported LDAP solutions powered by OpenLDAP: http://www.symas.com
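For readers following the two suggestions above (migrate the schema, and replace slapo-memberof with slapo-dynlist on 2.5+), here is a worked cn=config fragment. It is an added illustration, not configuration from the original posts or from the OpenLDAP project; it assumes an mdb database at olcDatabase={1}mdb with suffix dc=example,dc=com, groups that are static groupOfNames entries using the member attribute, a module directory of /usr/lib/ldap, and a placeholder OID arc (replace PEN with your own IANA enterprise number) for the optional groupMembership attribute.

```ldif
# 1. Load the dynlist module (added example; module path is an assumption).
dn: cn=module{0},cn=config
changetype: modify
add: olcModuleLoad
olcModuleLoad: dynlist.la

# 2. Optional: keep the legacy name while applications are migrated.
#    groupMembership is declared as an operational (dSAOperation) attribute,
#    mirroring how memberOf is declared in core.schema, so it can only be
#    populated by the server, never written by a client. The OID is a
#    placeholder (hypothetical); use an arc you control.
dn: cn=schema,cn=config
changetype: modify
add: olcAttributeTypes
olcAttributeTypes: ( 1.3.6.1.4.1.PEN.1.1 NAME 'groupMembership'
  DESC 'Legacy alias of memberOf, computed by slapo-dynlist'
  EQUALITY distinguishedNameMatch
  SYNTAX 1.3.6.1.4.1.1466.115.121.1.12
  NO-USER-MODIFICATION USAGE dSAOperation )

# 3. Attach dynlist to the database. For each groupOfNames entry, every DN
#    listed in its member attribute gets the group DN reported in memberOf
#    (first attrset). The second attrset does the same for the legacy name;
#    drop it once applications use memberOf.
dn: olcOverlay={0}dynlist,olcDatabase={1}mdb,cn=config
changetype: add
objectClass: olcOverlayConfig
objectClass: olcDynListConfig
olcOverlay: {0}dynlist
olcDlAttrSet: {0}groupOfNames member@memberOf
olcDlAttrSet: {1}groupOfNames member@groupMembership

# 4. Check. Both attributes are operational, so they are only returned when
#    asked for by name (or with "+"); a client that lists no attributes will
#    not see them, which is expected and not a misconfiguration:
#
#   ldapsearch -LLL -x -H ldapi:/// -b dc=example,dc=com '(uid=alice)' memberOf groupMembership
#
# The group DNs are computed at search time from the current member values,
# so there is no stored copy to drift out of sync, unlike slapo-memberof.
```

Apply the three modifications in order with ldapmodify/ldapadd as the config root identity; the schema change must precede the overlay, since dynlist refuses an attrset naming an attribute that is not defined. Because the values are derived from the group entries themselves, access control on the groups still governs who can learn membership: a user who cannot read a group's member attribute should not be handed that group's DN via memberOf, so review the ACLs covering the group subtree when you enable this.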
openldap-technical@openldap.org