Maybe I'm just being delusional in thinking that this should work... I'm running OpenLDAP 2.4.23 on IBM AIX for authentication on a variety of AIX, Linux and web applications.
As we need to use both posixGroup and groupOfNames objects with the same membership, the dynamic list overlay seems like an ideal approach. This configuration appeared to work fine for our Linux hosts and web applications, but not so well for our AIX hosts:
In slapd.conf:

  overlay dynlist
  dynlist-attrset posixGroup labeledURI memberUid:uid

LDAP object:

  dn: cn=testgroup,cn=testgroup,ou=unix,ou=groups,ou=unix,st=or,c=us
  cn: testgroup
  objectClass: top
  objectClass: posixGroup
  objectClass: labeledURIObject
  gidNumber: 1000
  labeledURI: ldap:///ou=unix,st=or,c=us?uid?sub?(memberof=cn=testgroup,ou=unix,ou=groups,ou=unix,st=or,c=us)
  memberUid: chogensen
  memberUid: jbagley
However, the AIX hosts do a search for (memberUid=jbagley) to determine group membership, and the LDAP server does not return the above object. I'm guessing that I was wrong in assuming the overlay would handle this type of application and that I will have to find another way. Anyone have any helpful tips? Advice? Condolences if I now have to manage twice as many group objects?
Thanks!
James Bagley Jr
State of Oregon Data Center
Dynamic groups expanded by dynlist cannot be searched by filtering on dynamic members. You may want to look at autogroup (in contrib/slapd-modules/autogroup/), which works according to a totally different logic.
p.
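A small Python model of the behaviour discussed in this thread, added here as an example and not part of either post or of OpenLDAP's own code: it parses the labeledURI from the post, expands memberUid the way the dynlist attrset maps uid, and shows why a (memberUid=jbagley) filter selects nothing while a lookup by cn returns the expanded group. The people DNs and the simplified write-time materialisation standing in for autogroup are constructed assumptions.

```python
"""Toy model: dynlist adds values only to entries the backend already selected,
while the search filter is evaluated against stored values."""
from urllib.parse import urlparse, unquote

TESTGROUP_DN = "cn=testgroup,ou=unix,ou=groups,ou=unix,st=or,c=us"
# Constructed sample directory (people DNs are hypothetical; the group mirrors the post).
DIRECTORY = {
    "uid=chogensen,ou=people,ou=unix,st=or,c=us": {
        "objectclass": ["posixAccount"], "uid": ["chogensen"], "memberof": [TESTGROUP_DN]},
    "uid=jbagley,ou=people,ou=unix,st=or,c=us": {
        "objectclass": ["posixAccount"], "uid": ["jbagley"], "memberof": [TESTGROUP_DN]},
    TESTGROUP_DN: {
        "objectclass": ["posixGroup", "labeledURIObject"], "cn": ["testgroup"],
        "gidnumber": ["1000"],
        "labeleduri": ["ldap:///ou=unix,st=or,c=us?uid?sub?(memberof=" + TESTGROUP_DN + ")"]},
}
# slapd.conf from the post: dynlist-attrset posixGroup labeledURI memberUid:uid
ATTRSET = ("labeleduri", {"memberuid": "uid"})

def parse_ldap_url(url):
    """Split an RFC 4516 LDAP URL into (base DN, attribute list, scope, filter)."""
    parts = urlparse(url)
    fields = (parts.query.split("?") + ["", "", ""])[:3]
    return (unquote(parts.path.lstrip("/")),
            [a for a in fields[0].split(",") if a],
            fields[1] or "base",
            unquote(fields[2]) or "(objectClass=*)")

def matches(entry, filt):
    """Evaluate one equality filter (attr=value) against an entry's stored values."""
    attr, _, value = filt.strip("()").partition("=")
    return value.lower() in (v.lower() for v in entry.get(attr.lower(), []))

def dynlist_expand(entry, directory):
    """Read-time expansion: evaluate each URI, map the uid of each hit to memberUid."""
    out = {k: list(v) for k, v in entry.items()}
    for url in entry.get(ATTRSET[0], []):
        base, _attrs, _scope, filt = parse_ldap_url(url)
        for dn, other in directory.items():
            if dn.lower().endswith(base.lower()) and matches(other, filt):
                for target, source in ATTRSET[1].items():
                    out.setdefault(target, []).extend(other.get(source, []))
    return out

def search(directory, filt):
    """The backend selects on stored values first; only the hits get expanded."""
    return {dn: dynlist_expand(e, directory) for dn, e in directory.items() if matches(e, filt)}

def materialize_membership(directory):
    """Simplified stand-in for autogroup: store the computed values so filters see them."""
    return {dn: dynlist_expand(e, directory) for dn, e in directory.items()}
```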
openldap-technical@openldap.org