> >> One application that I use wants groups to have a multivalued
> >> attribute containing the DN of each of its members. Another one
> >> (nss_ldap on FreeBSD) wants groups to have a multivalued attribute
> >> containing the UID of each of its members (POSIX-style groups).
> > I am really curious on what is going on here. Sounds like that one
> > program is badly designed if it tries to pull group info that way
> > instead of from the OS.
> It's a server in Java (written by the company that I work for), which
> can't really pull that information from the OS. This isn't the only
> application like this, other applications that I've tried to use with
> LDAP (Drupal springs to mind) really want a multivalued attribute
> containing the DN

Yes, I think "groupOfNames" is the best way to go.

> >> 3. It might also be possible to convince nss_ldap to
> >> determine groups based on a different attribute than the memberuid.
> >> Is it?

Yes, very possible. In fact, it is directly supported.

> >> 4. I'd like to somehow have referential integrity (like
> >> foreign keys in SQL) that ensures that a given member actually
> >> exists on creation. Is that possible in OpenLDAP?
> > 1: Does not sound possible in this case due to what sounds like crappy
> > design of a program too stupid to properly retrieve group info.
> > 2: Not sure what you are asking.
> I was asking whether these sorts of dynamic attributes are possible

Yes it is possible, I think, I'm not certain how easily or directly. Check out what OpenLDAP overlays exist.

> > 3: AFAIK it is possible and easy. There should be an option for that
> > in the config, but why?
> > 4: Not on any LDAP server I am aware of.
> OpenLDAP 3.2 has a "referential integrity overlay". I was more asking
> whether this was normal or an obviously bad idea

I don't know if it is "normal" but it is a good idea. That is why the overlay exists.

> >> Having a weird or nonstandard LDAP schema seems like a bad
> >> thing

Yes, very.

> >> I've read a number of LDAP-related articles and most seem to walk
> >> me through setting up POSIX style groups, which may be the easiest
> >> to set up but seems to be the hardest to use in real applications

Yes.

> >> outside of nss_ldap. Does the answer lie in the inetorgperson,
> >> Cosine, or OpenLDAP schemas, or something similar?

groupOfNames

> > In most cases you will want POSIX groups. LDAP groups are largely
> > for administrative purposes... for like assign read write permissions
> > to stuff. If you have openldap installed, check out slapd.access(5).
> POSIX groups are great when you're only using them to log in with
> POSIX OSs.

I don't know, this statement seems a little general to me. LDAP groups are used for all manner of things.

> >> Is there a simple article that I can read that can tell me about
> >> this stuff? It seems that most articles online assume that I'm an
> >> LDAP guru or totally new to the idea of directory services, with no
> >> in-between. Are there any recommendable books directed at this
> >> intermediate level of skill?
> > POSIX groups are cool. I also suggest using nss_ldap instead of
> > having an application try to talk directly to
> I agree, wherever possible :)

Nah, I use nss_ldap; and nss_ldap is crap. Partly because the group interface in glibc/libc is crap. It creates a lot of large and pointless queries.

> Maybe I'm misunderstanding something about my company's product and
> its interaction with LDAP. I (fortunately) did not write that code,
> so I'll look further and see if I'm correct about it insisting on an
> attribute containing the DN
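To make the options discussed in this thread concrete, here is an added example (it is not from any of the posters and not taken from OpenLDAP's or nss_ldap's own documentation) showing the three pieces in one place: a groupOfNames entry that carries member DNs, an slapd.conf fragment that loads the referential-integrity overlay and grants that group write access via slapd.access(5), and an nss_ldap ldap.conf fragment that makes nss_ldap resolve group membership from the DN-valued member attribute instead of memberUid. The suffix dc=example,dc=com, the ou=people/ou=groups layout, the group cn=ldap-admins, the users alice and bob, the gidNumber and all file paths are made up for the example; the slapd.conf directives are OpenLDAP 2.3-era, the group entry assumes the rfc2307bis schema (where posixGroup is AUXILIARY), and the ldap.conf directives assume an nss_ldap build with rfc2307bis support.

```conf
# --- 1. LDIF: one group entry usable by both a DN-based application and
#        nss_ldap (constructed example data) ---
# groupOfNames MUST have at least one member, so an empty group cannot be
# created this way. posixGroup here comes from the rfc2307bis schema, where
# it is AUXILIARY; the stock nis.schema posixGroup is STRUCTURAL and cannot
# be combined with groupOfNames in a single entry.
dn: cn=ldap-admins,ou=groups,dc=example,dc=com
objectClass: groupOfNames
objectClass: posixGroup
cn: ldap-admins
gidNumber: 10000
description: Directory administrators (example group)
member: uid=alice,ou=people,dc=example,dc=com
member: uid=bob,ou=people,dc=example,dc=com

# --- 2. slapd.conf fragment (OpenLDAP 2.3+ style; paths are assumptions) ---
include         /usr/local/etc/openldap/schema/core.schema
include         /usr/local/etc/openldap/schema/cosine.schema
include         /usr/local/etc/openldap/schema/inetorgperson.schema
# rfc2307bis.schema is not part of the OpenLDAP tarball; path assumed.
include         /usr/local/etc/openldap/schema/rfc2307bis.schema
# Only needed when overlays are built as loadable modules.
modulepath      /usr/local/libexec/openldap
moduleload      refint.la

database        bdb
suffix          "dc=example,dc=com"
rootdn          "cn=Manager,dc=example,dc=com"
directory       /var/db/openldap-data

# Referential integrity: when an entry under this suffix is deleted or
# renamed, the overlay removes or rewrites every 'member' value that
# pointed at it, so a group never keeps a stale DN that a later, unrelated
# entry could reuse. It does NOT verify that a DN exists when a group is
# added or modified; that check still belongs in the provisioning code.
overlay         refint
refint_attributes member
# If the last member would be removed, groupOfNames would violate its MUST;
# refint substitutes this placeholder DN instead (assumed entry).
refint_nothing  "cn=nobody,dc=example,dc=com"

# slapd.access(5): members of the group above may write the people tree.
# 'by group=' defaults to objectClass groupOfNames / attribute member,
# i.e. exactly the DN-valued attribute the group entry carries.
access to dn.subtree="ou=people,dc=example,dc=com"
        by group.exact="cn=ldap-admins,ou=groups,dc=example,dc=com" write
        by self write
        by * read

# --- 3. nss_ldap ldap.conf fragment (PADL nss_ldap, rfc2307bis build) ---
# In rfc2307bis mode nss_ldap expands group membership from DN values
# (attribute uniqueMember by default); mapping that name onto 'member'
# lets it read the same groupOfNames entry instead of memberUid.
uri             ldap://ldap.example.com/
base            dc=example,dc=com
nss_schema      rfc2307bis
nss_base_passwd ou=people,dc=example,dc=com?one
nss_base_group  ou=groups,dc=example,dc=com?one
nss_map_attribute uniqueMember member
```

Two points worth keeping in mind when adapting this: the refint overlay answers the "deleted user leaves a dangling DN in a group" problem, not the "reject a member that does not exist" problem the original question asked about, so a group used in `access` rules should still be created only from DNs the provisioning code has looked up first; and the "dynamic attributes" question in the thread maps more closely to a different overlay, slapo-dynlist(5), which computes attribute values from a search and is not configured here.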
--- You are currently subscribed to ldap@umich.edu as: [EMAIL PROTECTED] To unsubscribe send email to [EMAIL PROTECTED] with the word UNSUBSCRIBE as the SUBJECT of the message.