Thanks for the input, Mourik.

The reason why I picked groupOfUniqueNames rather than groupOfNames was
because that is the preferred objectClass for Atlassian Crowd, which we are
intending to use for SSO, sitting on top of the LDAP store. I don't think
it makes a big difference as I ultimately seem to have other problems that,
at the moment, seem insurmountable.

It really doesn't seem to be possible in LDAP to have a group that serves
dual purposes - security and email. posixGroups, which can be used for
security, store members in a way that applications looking at LDAP for mail
groups can't understand. Flip that on its head and it means that
groupof(Unique)Names, which store members differently, cannot be used for
security purposes either.

Microsoft make life so much easier with Active Directory ... one checkbox
and a group serves both purposes :-).

I was really hoping that I didn't have to end up having duplicate groups -
a "security" version and an "email" version. I guess I could have a script
that goes through the groups keeping them in sync but then there is the
challenge of making sure that only one type gets edited and is therefore
treated as the master.

Regards

Philip
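
The sync script mentioned in the message above, sketched as an added example that is not part of the original e-mail. It assumes the posixGroup is the master and a groupOfUniqueNames entry is a derived copy, so the script only reads the master and treats anything found only in the copy as an out-of-band edit. All DNs and entries are constructed sample data.

```python
# Added example; every entry and DN below is constructed sample data.
USERS = {  # uid -> DN of the user entry (assumed directory layout)
    "alice": "uid=alice,ou=people,dc=example,dc=org",
    "bob": "uid=bob,ou=people,dc=example,dc=org",
}
POSIX = {"cn": ["eng"], "gidNumber": ["5001"],
         "memberUid": ["alice", "bob", "carol"]}          # master
MIRROR = {"cn": ["eng"],                                   # derived copy
          "uniqueMember": ["UID=Alice, ou=People,dc=example,dc=org",
                           "uid=mallory,ou=people,dc=example,dc=org"]}

def norm_dn(dn):
    """Comparison key for a DN: lower-case, no spaces around separators.
    Simplified: does not handle escaped commas inside values."""
    return ",".join(part.strip().lower() for part in dn.split(","))

def plan_sync(posix_group, mirror_group, uid_to_dn):
    """Work out how to make the mirror's uniqueMember list match the
    posixGroup's memberUid list. The posixGroup is only ever read."""
    wanted, unresolved = {}, []
    for uid in posix_group.get("memberUid", []):
        dn = uid_to_dn.get(uid)
        if dn is None:
            unresolved.append(uid)      # memberUid without a user entry
        else:
            wanted[norm_dn(dn)] = dn
    current = {norm_dn(dn): dn for dn in mirror_group.get("uniqueMember", [])}
    return {
        "add": sorted(wanted[k] for k in wanted.keys() - current.keys()),
        # Present only in the mirror: someone edited the derived group.
        "delete": sorted(current[k] for k in current.keys() - wanted.keys()),
        "unresolved": sorted(unresolved),
        # groupOfUniqueNames must keep at least one uniqueMember.
        "mirror_would_be_empty": not wanted,
    }

def to_ldif(mirror_dn, plan):
    """Render the plan as one LDIF modify record (empty string if no-op)."""
    lines = [f"dn: {mirror_dn}", "changetype: modify"]
    for op in ("add", "delete"):
        if plan[op]:
            lines += [f"{op}: uniqueMember"]
            lines += [f"uniqueMember: {dn}" for dn in plan[op]]
            lines += ["-"]
    return "\n".join(lines) if len(lines) > 2 else ""

if __name__ == "__main__":
    plan = plan_sync(POSIX, MIRROR, USERS)
    print(plan, to_ldif("cn=eng,ou=maillists,dc=example,dc=org", plan), sep="\n")
```

Entries in "delete" and "unresolved" are worth logging before the change is applied, since they show membership that was granted outside the master group or that points at a user who no longer exists.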


On 10 January 2013 10:44, mourik jan heupink <[email protected]> wrote:

> Hi Philip,
>
> I was facing the same dilemma: We have an existing posixGroup structure,
> which I wanted to 'reuse' for mailgroups. (as in: adding an email
> attribute 'upgrades' a posixGroup to a group-mail address)
>
> I also find it hard to believe the difficulties with an email attribute
> for a group. Seems such a simple and common need...?!
>
> Anyway: Ultimately I decided to create a second group structure,
> groupOfNames, and make that group structure for email only, and simply
> make the (internal) rule that ALL groupOfNames are always email group
> lists, in the form: [email protected].
>
> Your other option could be to use 'extensibleObjects' to be able to add
> a mail attribute to a groupOfNames or a posixGroup. However, this makes
> your groups non-standard, and perhaps the first option is better.
>
> Can I ask why you chose groupOfUniqueNames, instead of groupOfNames?
>
> Regards,
> Mourik Jan
>
> On 01/09/2013 12:22 PM, Philip Colmer wrote:
> > That's interesting ... the schema that Ubuntu ship with openLDAP says
> > that posixAccount is AUXILIARY but posixGroup is STRUCTURAL.
> >
> > Time to modify the schema :-).
> >
> > I still find it hard to believe, though, that there doesn't seem to be
> > an official schema for defining an email address to go with a group.
> > There seem to be various attempts at defining a schema but nothing seems
> > to be widely adopted or official.
> >
> > Regards
> >
> > Philip
> >
> >
> >
> > On 9 January 2013 11:03, Angel Bosch <[email protected]
> > <mailto:[email protected]>> wrote:
> >
> >     they've been non-structural for some time:
> >     http://osdir.com/ml/ldap.umich/2006-07/msg00015.html
> >
> >     you can modify your schemas to make both work together. I do it all
> >     the time.
> >
> >
> >
> >     ------------------------------------------------------------------------
> >     *From: *"Philip Colmer" <[email protected]
> >     <mailto:[email protected]>>
> >     *To: *[email protected]
> >     <mailto:[email protected]>
> >     *Sent: *Wednesday, 9 January 2013 11:55:43
> >     *Subject: *Re: [Lam-public] Any suggestions for combining posix
> >     groups with email groups?
> >
> >
> >     Actually, it turns out that you can't combine posixGroup with
> >     groupOfUniqueNames - they are both structural classes so you can
> >     only have one of them.
> >
> >     So I'm still stuck. Even if I wanted to just focus on the aspect of
> >     sorting out how to define an email group, groupOfUniqueNames is
> >     closest to that requirement but doesn't have an attribute for the
> >     email address!
> >
> >     Philip
> >
> >
> >
> >     On 9 January 2013 09:16, Philip Colmer <[email protected]
> >     <mailto:[email protected]>> wrote:
> >
> >         Hi
> >
> >         Apologies if this isn't directly relevant to LAM but I'm hoping
> >         that the list audience will have come across a similar challenge
> >         and may have some ideas or knowledge to share.
> >
> >         I'm trying to use an LDAP store for both user authentication and
> >         synchronisation to Google Apps. To that end, I want groups in
> >         LDAP to serve two purposes: security groups and mailing lists -
> >         preferably at the same time.
> >
> >         I'm struggling, however, to decide what objectClasses are best
> >         to use here. For example, using posixGroup allows me to specify
> >         a gid, which means I can then use those groups in UNIX security
> >         ACLs. However, for mailing lists, I ideally need two attributes:
> >         the group owner (which I can get if I add the groupOfUniqueNames
> >         class) and an email address for the list.
> >
> >         Unfortunately, although I *can* combine posixGroup
> >         and groupOfUniqueNames, they store the membership list in
> >         different attributes. Ultimately, that isn't a huge issue
> >         because I can tell the Google sync tool which attribute to read
> >         for the membership, and Unix will always use the memberUid
> >         attribute.
> >
> >         Has anyone else tried to accomplish anything similar - or
> >         remotely similar? If so, how did you approach it?
> >
> >         From a LAM perspective (bringing the question back onto
> >         topic!), are there any recommendations there that might
> >         influence how I solve this?
> >
> >         Many thanks.
> >
> >         Philip
> >
> >
> >
> >