David Hawes wrote:
> On 9/1/10 1:47 PM, Michael Ströder wrote:
>> David Hawes wrote:
>>> On 8/30/10 12:45 PM, Daniel Bower wrote:
>>>> You are correct, the directory structure does not follow that
>>>> particular convention.
>>>>
>>>> I'm guessing that whatever tool you use to manage users in ldap would
>>>> also have to ensure that data stays synched between the two trees, or
>>>> else you'd quickly have a mess on your hands. I'll check into it,
>>>> thanks for the tip.
>>>
>>> We have replication processes that ensure the data stays synced between
>>> the two branches.
>>>
>>> Assuming you are using OpenLDAP, you could use the dynlist overlay to
>>> automatically search the group branch and populate a member attribute
>>> when a person is returned:
>>
>> Since LdapPersonAttributeDao expects to perform a single query for attributes
>> on the user entry(!) one would need OpenLDAP overlay slapo-memberof.
>
> slapo-dynlist would allow a single client query on the user entry to
> return the group membership. I've tested it. It works.

There's no doubt it works when explicitly reading the entry's group membership attribute. But AFAIK the group membership is not searchable by the attribute populated by slapo-dynlist.

> slapo-memberof is another good option, and may actually be easier to set
> up (you don't have to keep a URI on a person entry to query groups).

slapo-memberof simply maintains back-links to the groups a particular entry is a member of. You can then search for

(&(uid=%u)(memberOf=cn=mygroup 1,ou=People,dc=example,dc=com))

Ciao, Michael.

--
You are currently subscribed to [email protected] as: [email protected]
To unsubscribe, change settings or access archives, see http://www.ja-sig.org/wiki/display/JSG/cas-user
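As an added illustration that is not part of the thread, the following Python models in memory what slapo-memberof maintains (a memberOf back-link on each person entry for every group listing it as member) and builds the single-query filter quoted above with RFC 4515 escaping of the substituted uid. The person and group entries are constructed sample data, not from any real directory.

```python
# RFC 4515 escaping for assertion values: the %u substitution is caller-supplied
# text placed inside a filter, so it must be escaped before interpolation.
_FILTER_ESCAPES = {"\\": r"\5c", "*": r"\2a", "(": r"\28", ")": r"\29", "\x00": r"\00"}


def escape_filter_value(value: str) -> str:
    """Escape a value for use inside an LDAP search filter (RFC 4515)."""
    return "".join(_FILTER_ESCAPES.get(ch, ch) for ch in value)


def membership_filter(uid: str, group_dn: str) -> str:
    """Build (&(uid=<uid>)(memberOf=<group DN>)) with both values escaped."""
    return f"(&(uid={escape_filter_value(uid)})(memberOf={escape_filter_value(group_dn)}))"


def add_memberof_backlinks(people: dict, groups: dict) -> dict:
    """Model of the slapo-memberof overlay: for every group entry, append the group
    DN to the memberOf attribute of each DN named in its member attribute.
    Simplification: DNs are compared as exact strings; real DN matching normalizes."""
    linked = {dn: {**attrs, "memberOf": []} for dn, attrs in people.items()}
    for group_dn, attrs in groups.items():
        for member_dn in attrs.get("member", []):
            if member_dn in linked:
                linked[member_dn]["memberOf"].append(group_dn)
    return linked


def is_member(linked_people: dict, uid: str, group_dn: str) -> bool:
    """Evaluate the filter semantics against the person entries only: a single
    lookup on the user entry, with no second query against the group branch."""
    for attrs in linked_people.values():
        if attrs.get("uid") == uid and group_dn in attrs["memberOf"]:
            return True
    return False


# Constructed sample entries (not real directory data).
PEOPLE = {
    "uid=alice,ou=People,dc=example,dc=com": {"uid": "alice"},
    "uid=bob,ou=People,dc=example,dc=com": {"uid": "bob"},
}
GROUPS = {
    "cn=mygroup 1,ou=People,dc=example,dc=com": {
        "member": ["uid=alice,ou=People,dc=example,dc=com"],
    },
}

if __name__ == "__main__":
    linked = add_memberof_backlinks(PEOPLE, GROUPS)
    print(membership_filter("alice", "cn=mygroup 1,ou=People,dc=example,dc=com"))
    print(is_member(linked, "alice", "cn=mygroup 1,ou=People,dc=example,dc=com"))
```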
