On 9/1/10 1:47 PM, Michael Ströder wrote:
> David Hawes wrote:
>> On 8/30/10 12:45 PM, Daniel Bower wrote:
>>> You are correct, the directory structure does not follow that
>>> particular convention.
>>>
>>> I'm guessing that whatever tool you use to manage users in ldap would
>>> also have to ensure that data stays synched between the two trees, or
>>> else you'd quickly have a mess on your hands. I'll check into it,
>>> thanks for the tip.
>>
>> We have replication processes that ensure the data stays synced between
>> the two branches.
>>
>> Assuming you are using OpenLDAP, you could use the dynlist overlay to
>> automatically search the group branch and populate a member attribute
>> when a person is returned:
>
> Since LdapPersonAttributeDao expects to perform a single query for attributes
> on the user entry(!) one would need OpenLDAP overlay slapo-memberof.

slapo-dynlist would allow a single client query on the user entry to return the group membership. I've tested it. It works.

slapo-memberof is another good option, and may actually be easier to set up (you don't have to keep a URI on a person entry to query groups).
