7:53 a.m.
Good afternoon,
I am working to migrate my LDAP setup to openldap, however I have run into
a problem around group membership.
Specifically my old instance of ldap used the attribute "groupMembership"
and I need to support this moving forward, so if you were to query the
attribute "groupMembership" it needs to return the groups the user is part
of.
Currently in my test environment I have the memberof overlay working, and I
found the option
*memberof-memberof-ad*
which should allow me to create a custom attribute named "groupMembership"
and point the overlay at that attribute. I am really hoping to avoid this
though and would much rather have a cleaner solution. Maybe some type of
interface that just acts as a pointer to the memberof attribute when they
query groupMembership? But I am not familiar enough with openldap to know
whether this is even possible.
So I guess my question is; is the custom attribute going to be the
solution here or is there another tool that I am unaware of?
--
Keith LeValley
Identity Services Architect, Davenport University
phone: (616) 732-1102
klevalley2(a)davenport.edu
9:44 a.m.
I would migrate the schema too. Seems to be the correct thing to do...
Nick
On Mon, Nov 1, 2021 at 12:15 PM Keith LeValley <klevalley2(a)davenport.edu>
wrote:
Good afternoon,
I am working to migrate my LDAP setup to openldap, however I have run into
a problem around group membership.
Specifically my old instance of ldap used the attribute "groupMembership"
and I need to support this moving forward, so if you were to query the
attribute "groupMembership" it needs to return the groups the user is part
of.
Currently in my test environment I have the memberof overlay working, and
I found the option
*memberof-memberof-ad*
which should allow me to create a custom attribute named "groupMembership"
and point the overlay at that attribute. I am really hoping to avoid this
though and would much rather have a cleaner solution. Maybe some type of
interface that just acts as a pointer to the memberof attribute when they
query groupMembership? But I am not familiar enough with openldap to know
whether this is even possible.
So I guess my question is; is the custom attribute going to be the
solution here or is there another tool that I am unaware of?
--
Keith LeValley
Identity Services Architect, Davenport University
phone: (616) 732-1102
klevalley2(a)davenport.edu
10:13 a.m.
--On Monday, November 1, 2021 11:53 AM -0400 Keith LeValley
<klevalley2(a)davenport.edu> wrote:
Good afternoon,
I am working to migrate my LDAP setup to openldap, however I have run
into a problem around group membership.
Specifically my old instance of ldap used the attribute "groupMembership"
and I need to support this moving forward, so if you were to query the
attribute "groupMembership" it needs to return the groups the user is
part of.
Currently in my test environment I have the memberof overlay working, and
I found the option
memberof-memberof-ad
The memberof Overlay is deprecated and should not be used. Ensure you are
using OpenLDAP 2.5 or later, and use the slapo-dynlist overlay to
dynamically populate the attribute for you based on your existing LDAP
groups. I would also look at fixing any application using
"groupMembership" to use the common memberOf.
--Quanah
--
Quanah Gibson-Mount
Product Architect
Symas Corporation
Packaged, certified, and supported LDAP solutions powered by OpenLDAP:
<http://www.symas.com>
766
days inactive
766
days old
openldap-technical@openldap.org
2 comments
3 participants
participants (3)
-
Keith LeValley -
Nick Folino -
Quanah Gibson-Mount