One application that I use wants groups to have a multivalued
attribute containing the DN of each of its members. Another one
(nss_ldap on FreeBSD) wants groups to have a multivalued attribute
containing the UID of each of its members (POSIX-style groups).
I am really curious on what is going on here. Sounds like that one
program is badly designed if it tries to pull group info that way
instead of from the OS.
It's a server in Java (written by the company that I work for), which
can't really pull that information from the OS. This isn't the only
application like this, other applications that I've tried to use with
LDAP (Drupal springs to mind) really want a multivalued attribute
containing the DN.
Yes, I think "groupOfNames" is the best way to go.
That's great to hear :) With what schema is this associated? Do I
need to include the Cosine or openldap schemas to use this attribute?
Or am I misunderstanding something about how including schemas works?
3. It might also be possible to convince nss_ldap to
determine groups based on a different attribute than the memberuid.
Is it?
Yes, very possible. In fact, it is directly supported.
Also great to hear. Can you point me to an article or example
configuration file?
4. I'd like to have somehow have referential integrity (like
foreign keys in SQL) that ensures that a given member actually
exists on creation. Is that possible in OpenLDAP?
1: Does not sound possible in this case due to what sounds like crappy
design of a program too stupid to properly retrieve group info.
2: Not sure what you are asking.
I was asking whether these sorts of dynamic attributes are possible
Yes, it is possible, I think; I'm not certain how easily or directly.
Check out what OpenLDAP overlays exist.
Sounds like it's not necessary though if I can convince my
application and nss_ldap to play together nicely.
3: AFAIK it is possible and easy. There should be an option for that
in the config, but why?
4: Not on any LDAP server I am aware of.
OpenLDAP 3.2 has a "referential integrity overlay". I was more asking
whether this was normal or an obviously bad idea
I don't know if it is "normal" but it is a good idea. That is why the
overlay exists.
Okay, I'll definitely look into it. Somehow I sleep better at night
knowing that there are no stupid spelling errors :)
I've read a number of LDAP-related articles and most seem to walk
me through setting up POSIX style groups, which may be the easiest
to set up but seems to be the hardest to use in real applications
Yes.
I'm glad I'm not the only one with that feeling
outside of nss_ldap. Does the answer lie in the inetorgperson,
Cosine, or OpenLDAP schemas, or something similar?
groupOfNames
That's at least something to Google on :) Thanks
Maybe I'm misunderstanding something about my company's product and
its interaction with LDAP. I (fortunately) did not write that code,
so I'll look further and see if I'm correct about it insisting on an
attribute containing the DN.
So after asking our LDAP developer, no, I'm not misunderstanding our
product, it really does want that attribute with DNs. It seems that
most LDAP implementations (he cited Domino and Active Directory)
provide that attribute. It does keep our product from working with
OpenDirectory and the default OpenLDAP schema, though.
Thank you both (Adam and Vulpes) for your help and comments.
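Putting items 3 and 4 of the thread together, here is an added example configuration (not from any of the thread's participants) in which nss_ldap reads membership from the same groupOfNames entries the Java application wants, and OpenLDAP's refint overlay keeps the member DNs consistent. It assumes nss_ldap was built with RFC 2307bis support (the FreeBSD port option), the rfc2307bis schema on the server (where posixGroup is AUXILIARY, so it can supply gidNumber on a groupOfNames entry; the stock nis.schema makes both classes STRUCTURAL and they cannot share an entry), and the placeholder suffix dc=example,dc=com.

```conf
# --- /etc/ldap.conf (nss_ldap on the FreeBSD client) ---
# Search for groups by objectClass groupOfNames instead of posixGroup,
# and read membership DNs from "member" where nss_ldap expects uniqueMember.
uri     ldap://ldap.example.com/
base    dc=example,dc=com
nss_base_group      ou=Groups,dc=example,dc=com?one
nss_map_objectclass posixGroup    groupOfNames
nss_map_attribute   uniqueMember  member

# --- slapd.conf (OpenLDAP server), after the database definition ---
# refint rewrites or removes "member" values when the referenced entry is
# renamed or deleted. It does NOT check that a DN exists when a group is
# created. Because groupOfNames requires at least one "member", refint
# substitutes refint_nothing when it would otherwise delete the last value.
moduleload        refint.la          # only needed if built as a module
overlay           refint
refint_attributes member
refint_nothing    cn=placeholder,dc=example,dc=com

# --- group entry (LDIF), rfc2307bis schema ---
# One entry serves both consumers: the application reads "member" DNs,
# nss_ldap resolves the same DNs to uids and takes gidNumber from posixGroup.
dn: cn=developers,ou=Groups,dc=example,dc=com
objectClass: groupOfNames
objectClass: posixGroup
cn: developers
gidNumber: 10001
member: uid=alice,ou=People,dc=example,dc=com
member: uid=bob,ou=People,dc=example,dc=com
```

After reloading slapd and nss_ldap, `getent group developers` on the client should list alice and bob, and deleting uid=bob drops that DN from the group automatically.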
---
You are currently subscribed to ldap@umich.edu.