Le 2015-11-20 08:19, Michael Ströder a écrit :
M. P. wrote:
> Reading the man page, I saw memberof-refint option. From what I
> when set to true, you can alter the user's "is member of" attribute
> and that
> would be reflected in the group's "member" attribute. Right ?
I read the man page differently: "memberof-refint true" preserves
integrity for the 'member' attribute if the member entry is renamed.
one would use slapo-refint for that.
=> IMO the text seems a bit ambigous.
Maybe it is because english is not my native language, but reading again
the man page, it was(is still ?) a little bit confusing for me.
But, based on your point of view, I changed my test actions and I have
to admit that it tends to your direction. Yes when I rename the user,
the dn of the user is changed in the group and when the user is deleted,
it is removed from the group. I agree with you, it seems very similar to
slapo-refint which I tested too.
I wonder now, if we have the choice between both of these overlays to do
the same think, is there one that should be prefered to the other ?
> But, the member attribute is an operational attribute and can't be
For correctness, I was talking about the memberOf atribute and not the
> So I started to search for an alternative and found the eduMember
> schema from
> here https://spaces.internet2.edu/display/macedir/OpenLDAP+eduMember
> added to the installation I could use it for objects. It adds
> isMemberOf and
> hasMember attributes that can be setable for users and groups. But
> can't make
> it work with memberof overlay. When trying to add isMemberOf as
> memberof-memberof-ad it was rejected with
Why do you want to change group membership by tweaking 'memberOf'
I want to permit a "two way" group membership management, something more
flexible. First by adding members to groups objects and the other way by
adding groups to users objects. I dont know if it is clear enough and if
it is doable like this. But I try.
that this would somewhat circumvent access control delegation on group
Sorry, I don't understand this part.
Hence you should always modify the group entries directly.
Yes I can do this, but for flexibility I'm looking for a way to alter
user entries and that would be reflected on group entries. For sure it
is scriptable, I know, but maybe there is a solution more integrated and
modifications written instantaneously.