--On Thursday, December 30, 2021 4:08 PM +0100 Stefan Kania <[email protected]> wrote:

Hi to all,

two years ago I tried to use dynamic groups as Posix groups; see this post:
https://www.openldap.net/lists/openldap-technical/201911/msg00028.html

Now I tried it again with OpenLDAP 2.6 and the attribute memberUID is
still not showing up. Is it still not possible to search for memberUid?

@Quanah You wrote:
There's work to change this behavior (See ITS#9121) for OpenLDAP 2.5.

Is the work on it still in progress?

LDAP groups are defined by DNs, which are unambiguous. memberUID values are ambiguous and not usable for defining LDAP groups.

There are 3 different objectClasses you can trivially use for defining groups in LDAP:

groupOfNames (uses member attribute, from core.schema)
groupOfUniqueNames (uses uniqueMember attribute, from core.schema)
groupOfMembers (uses member attribute, from rfc2307bis.schema)


In general, "memberUID" is for use with posix groups (NOT LDAP groups). But again, it's generally deficient since it cannot discern between two different entries with the same UID. I.e.:

dn: uid=joe,ou=employees,dc=example,dc=com
uid: joe

dn: uid=joe,ou=students,dc=example,dc=com
uid: joe

Regards,
Quanah



--

Quanah Gibson-Mount
Product Architect
Symas Corporation
Packaged, certified, and supported LDAP solutions powered by OpenLDAP:
<http://www.symas.com>
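The ambiguity Quanah describes, worked through as an added example that is not part of the thread or of OpenLDAP: a tiny in-memory directory holding the two `uid=joe` entries from his reply plus one posixGroup (memberUid) and one groupOfNames (member). Resolving the posixGroup's `memberUid: joe` by a uid search matches both entries, while the groupOfNames member DN names exactly one entry. The LDIF is constructed sample data, and `parse_ldif`, `resolve_posix_group`, `resolve_dn_group` and `ambiguous_memberuids` are hypothetical helpers written for this illustration, not anything from the OpenLDAP code base.

```python
"""Added example (not from the mailing-list thread or OpenLDAP):
show why memberUid values are ambiguous for group membership
while DN-valued member attributes are not."""
from typing import Dict, List, Optional

# Constructed sample directory. The two person DNs follow the example
# in Quanah's reply; the groups and numeric IDs are made up for this demo.
SAMPLE_LDIF = """\
dn: uid=joe,ou=employees,dc=example,dc=com
objectClass: inetOrgPerson
objectClass: posixAccount
uid: joe
uidNumber: 1001
gidNumber: 2000

dn: uid=joe,ou=students,dc=example,dc=com
objectClass: inetOrgPerson
objectClass: posixAccount
uid: joe
uidNumber: 1002
gidNumber: 2000

dn: cn=admins,ou=groups,dc=example,dc=com
objectClass: posixGroup
cn: admins
gidNumber: 2000
memberUid: joe

dn: cn=admins-ldap,ou=groups,dc=example,dc=com
objectClass: groupOfNames
cn: admins-ldap
member: uid=joe,ou=employees,dc=example,dc=com
"""

Entry = Dict[str, List[str]]  # attribute name (lower-cased) -> values


def normalize_dn(dn: str) -> str:
    """Case-insensitive DN key. Full RFC 4514 normalisation is more
    involved; this is enough for the plain DNs in the sample data."""
    return ",".join(part.strip().lower() for part in dn.split(","))


def parse_ldif(text: str) -> Dict[str, Entry]:
    """Minimal LDIF reader: blank-line separated entries, 'attr: value'
    lines only (no continuation lines, no base64). Hypothetical helper."""
    directory: Dict[str, Entry] = {}
    for block in text.strip().split("\n\n"):
        attrs: Entry = {}
        for line in block.splitlines():
            if not line.strip() or line.startswith("#"):
                continue
            name, _, value = line.partition(":")
            attrs.setdefault(name.strip().lower(), []).append(value.strip())
        dn = attrs.pop("dn")[0]
        directory[normalize_dn(dn)] = attrs
    return directory


def resolve_posix_group(directory: Dict[str, Entry], group_dn: str) -> Dict[str, List[str]]:
    """Resolve a posixGroup's memberUid values the way a consumer must:
    search for entries whose uid equals the value. Returns
    {memberUid value: [matching DNs]}; more than one DN means the
    membership is ambiguous."""
    group = directory[normalize_dn(group_dn)]
    return {
        uid: [dn for dn, attrs in directory.items() if uid in attrs.get("uid", [])]
        for uid in group.get("memberuid", [])
    }


def resolve_dn_group(directory: Dict[str, Entry], group_dn: str) -> Dict[str, Optional[Entry]]:
    """Resolve a groupOfNames' member DNs. A DN is a key, so each value
    names at most one entry (None if the entry does not exist)."""
    group = directory[normalize_dn(group_dn)]
    return {member: directory.get(normalize_dn(member)) for member in group.get("member", [])}


def ambiguous_memberuids(directory: Dict[str, Entry], group_dn: str) -> List[str]:
    """memberUid values that do not resolve to exactly one entry."""
    return [uid for uid, dns in resolve_posix_group(directory, group_dn).items() if len(dns) != 1]


if __name__ == "__main__":
    d = parse_ldif(SAMPLE_LDIF)
    print("posixGroup:", resolve_posix_group(d, "cn=admins,ou=groups,dc=example,dc=com"))
    print("ambiguous:", ambiguous_memberuids(d, "cn=admins,ou=groups,dc=example,dc=com"))
    print("groupOfNames:", list(resolve_dn_group(d, "cn=admins-ldap,ou=groups,dc=example,dc=com")))
```

The check in `ambiguous_memberuids` is the one a practitioner would run over a real directory before trusting memberUid for anything security-relevant: a value matching zero or several entries means the group cannot say which account it grants access to.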
