On Mon, 2007-03-12 at 12:23 -0700, David King wrote:
> >>>> One application that I use wants groups to have a multivalued
> >>>> attribute containing the DN of each of its members. Another one
> >>>> (nss_ldap on FreeBSD) wants groups to have a multivalued attribute
> >>>> containing the UID of each of its members (POSIX-style groups).
> >>> I am really curious on what is going on here. Sounds like that one
> >>> program is badly designed if it tries to pull group info that way
> >>> instead of from the OS.
> >> It's a server in Java (written by the company that I work for), which
> >> can't really pull that information from the OS. This isn't the only
> >> application like this, other applications that I've tried to use with
> >> LDAP (Drupal springs to mind) really want a multivalued attribute
> >> containing the DN
> > Yes, I think "groupOfNames" is the best way to go.
> That's great to hear :) With what schema is this associated? Do I
> need to include the Cosine or openldap schemas to use this attribute?
> Or am I misunderstanding something about how including schemas works?
Cosine provides the groupOfNames objectclass.

> >>>> 3. It might also be possible to convince nss_ldap to
> >>>> determine groups based on a different attribute than the memberuid.
> >>>> Is it?
> > Yes, very possible. In fact, it is directly supported.
> Also great to hear. Can you point me to an article or example
> configuration file?

RFC2307BIS, examples should be in your distro's default /etc/ldap.conf file. Support has been around for a long time.

> >>>> I've read a number of LDAP-related articles and most seem to walk
> >>>> me through setting up POSIX style groups, which may be the easiest
> >>>> to set up but seems to be the hardest to use in real applications
> > Yes.
> I'm glad I'm not the only one with that feeling

There must be a hundred LDAP101ish howtos explaining how to set up PAM/NSS (usually badly); that shouldn't be taken to mean it is a fantastic idea.

> >>>> outside of nss_ldap. Does the answer lie in the inetorgperson,
> >>>> Cosine, or OpenLDAP schemas, or something similar?
> > groupOfNames
> That's at least something to Google on :) Thanks
> >> Maybe I'm misunderstanding something about my company's product and
> >> its interaction with LDAP. I (fortunately) did not write that code,
> >> so I'll look further and see if I'm correct about it insisting on an
> >> attribute containing the DN
> So after asking our LDAP developer, no, I'm not misunderstanding our
> product, it really does want that attribute with DNs. It seems that
> most LDAP implementations (he cited Domino and Active Directory)
> provide that attribute. It does keep our product from working with
> OpenDirectory and the default OpenLDAP schema, though
> Thank you both (Adam and Vulpes) for your help and comments

Why, both of these provide "groupOfNames/member" by default.
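Added example (not from the thread and not code from any participant): the practical outcome of the discussion above is usually a single group entry that carries both membership styles, groupOfNames/member with DNs for applications like the Java server and Drupal, and posixGroup/memberUid for nss_ldap. The script below builds such an entry as constructed sample LDIF and runs the checks an administrator would want before loading it: groupOfNames requires at least one member value, posixGroup requires gidNumber, and the two membership lists should agree. The DNs, uids and gidNumber are made up; it also assumes a schema in which posixGroup may share an entry with groupOfNames (the rfc2307bis schema defines posixGroup as AUXILIARY, whereas with the older RFC 2307 nis.schema both classes are STRUCTURAL and cannot coexist on one entry).

```python
"""Added example (not from the thread): one group entry that satisfies both
consumers discussed above, applications that want member DNs
(groupOfNames/member) and nss_ldap that wants POSIX memberUid values,
plus a consistency check between the two attribute sets.

Assumptions (constructed, not from the original message): the DNs, uids
and gidNumber below are sample data; the directory loads a schema in which
posixGroup can coexist with groupOfNames on one entry (rfc2307bis makes
posixGroup AUXILIARY; RFC 2307 nis.schema makes it STRUCTURAL).
"""
import re

# Constructed sample entry: one group carrying both membership styles.
# 'carol' is deliberately present only in memberUid to show the mismatch check.
GROUP_LDIF = """\
dn: cn=developers,ou=groups,dc=example,dc=com
objectClass: top
objectClass: groupOfNames
objectClass: posixGroup
cn: developers
gidNumber: 5000
member: uid=alice,ou=people,dc=example,dc=com
member: uid=bob,ou=people,dc=example,dc=com
memberUid: alice
memberUid: bob
memberUid: carol
"""


def parse_ldif_entry(text):
    """Parse a single LDIF entry into {attr: [values]} (attribute names lower-cased).
    Handles LDIF folded lines (leading space) but not base64 '::' values."""
    lines = []
    for raw in text.splitlines():
        if raw.startswith(" ") and lines:
            lines[-1] += raw[1:]          # continuation of the previous line
        elif raw.strip():
            lines.append(raw)
    entry = {}
    for line in lines:
        attr, _, value = line.partition(":")
        entry.setdefault(attr.strip().lower(), []).append(value.strip())
    return entry


def uid_from_dn(dn):
    """Return the uid RDN value of a DN like 'uid=alice,ou=people,...', else None."""
    m = re.match(r"\s*uid=([^,]+)", dn, re.IGNORECASE)
    return m.group(1) if m else None


def membership_mismatches(entry):
    """Compare DN-style members (groupOfNames/member) with POSIX memberUid values.
    Returns (only_in_member, only_in_memberuid) as sorted lists of uids."""
    dn_uids = {uid_from_dn(dn) for dn in entry.get("member", [])}
    dn_uids.discard(None)                  # members whose RDN is not a uid
    posix_uids = set(entry.get("memberuid", []))
    return sorted(dn_uids - posix_uids), sorted(posix_uids - dn_uids)


def check_group(text):
    """Run schema and consistency checks on one LDIF group entry.
    Returns a list of problem strings; an empty list means the entry is fine."""
    entry = parse_ldif_entry(text)
    classes = {c.lower() for c in entry.get("objectclass", [])}
    problems = []
    # groupOfNames has 'MUST member', so an empty group cannot use this class alone.
    if "groupofnames" in classes and not entry.get("member"):
        problems.append("groupOfNames entry has no member attribute")
    if "posixgroup" in classes and not entry.get("gidnumber"):
        problems.append("posixGroup entry has no gidNumber")
    only_dn, only_posix = membership_mismatches(entry)
    for uid in only_dn:
        problems.append(f"{uid} is in member (DN) but not in memberUid")
    for uid in only_posix:
        problems.append(f"{uid} is in memberUid but not in member (DN)")
    return problems


if __name__ == "__main__":
    for problem in check_group(GROUP_LDIF):
        print("WARN:", problem)
```

Once the entry loads cleanly, the nss_ldap side referred to above is a matter of the rfc2307bis settings in its ldap.conf, in particular `nss_schema rfc2307bis` together with `nss_map_attribute uniqueMember member` so that group membership is resolved from the member DNs rather than memberUid.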
---
You are currently subscribed to ldap@umich.edu as: [EMAIL PROTECTED]
To unsubscribe send email to [EMAIL PROTECTED] with the word UNSUBSCRIBE as the SUBJECT of the message.