posixGroup and groupofNames

List overview All Threads
Download

newer

older

overlay chain and TLS/SSL

Re: Check password module/ppolicy...

Siddhartha Jain

25 Feb 2010 25 Feb '10

5:55 p.m.

Hi,

Running CentOS 5.4 with stock OpenLDAP distro 2.3.43. Both classes, posixgroup and groupofnames are structural causing conflicts if one wants to use both. And while RFC2307bis is deleted by IETF, RFC2307 doesn't seem to have the same traction (or, does it)? So, what's a good option? Simply switch posixgroup to AUX in /etc/openldap/schema/nis.schema?

Thanks,

Siddhartha

Show replies by date

Dieter Kluenter

25 Feb 25 Feb

11:38 p.m.

Siddhartha Jain sjain@silverspringnet.com writes:

...

Hi,

Running CentOS 5.4 with stock OpenLDAP distro 2.3.43. Both classes, posixgroup and groupofnames are structural causing conflicts if one wants to use both. And while RFC2307bis is deleted by IETF, RFC2307 doesn't seem to have the same traction (or, does it)? So, what's a good option? Simply switch posixgroup to AUX in /etc/openldap/schema/nis.schema?

Both object classes follow different concepts. Object class groupOfNames requires a member attribute type:

member: cn=foo bar,ou=people,dc=example,dc=conm

while posixgroup requires memberUid attribute type:

memberUid: foo

-Dieter

-- Dieter Klünter | Systemberatung http://dkluenter.de GPG Key ID:8EF7B6C6 53°37'09,95"N 10°08'02,42"E

Jonathan Clarke

26 Feb 26 Feb

12:44 a.m.

On 26/02/2010 08:38, Dieter Kluenter wrote:

...

Siddhartha Jainsjain@silverspringnet.com writes:

...
Hi,

Running CentOS 5.4 with stock OpenLDAP distro 2.3.43. Both classes, posixgroup and groupofnames are structural causing conflicts if one wants to use both. And while RFC2307bis is deleted by IETF, RFC2307 doesn't seem to have the same traction (or, does it)? So, what's a good option? Simply switch posixgroup to AUX in /etc/openldap/schema/nis.schema?

Both object classes follow different concepts. Object class groupOfNames requires a member attribute type:

member: cn=foo bar,ou=people,dc=example,dc=conm

while posixgroup requires memberUid attribute type:

memberUid: foo

You should probably check what your applications need.

Alternatively, if you really need both, you can use a dynamic group to provide similar behavior, see slapo-dynlist(5). This would in effect mean you have 2 groups: one listing members, and another one, dynamically filled from the contents of the first.

Regards, Jonathan

-- -------------------------------------------------------------- Jonathan Clarke - jonathan@phillipoux.net -------------------------------------------------------------- Ldap Synchronization Connector (LSC) - http://lsc-project.org --------------------------------------------------------------

5559

Age (days ago)

5559

Last active (days ago)

openldap-technical@openldap.org

2 comments

3 participants

tags (0)

participants (3)

Dieter Kluenter
Jonathan Clarke
Siddhartha Jain