On 05/26/10 02:40 PM, Howard Chu wrote:
> Ian Collins wrote:
>> Hello again,
>>
>> My earlier thread appears to have been hijacked, so I'm starting a new
>> one for the summary of my investigations.
>>
>> My current understanding is as follows:
>>
>> There are three overlays that can be used to manage groups dynamically:
>> dynlist, autogroup and memberof.
>>
>> - dynlist works well for including members specified in a URL in the
>> result of a search on a group. The dynamic members can not be included
>> in a search filter.
>>
>> - autogroup works well for including members specified in a URL in the
>> result of a search on a group. The dynamic members can be included in a
>> search filter, but the only supported list attribute is 'member', which
>> limits its use.
>
> That's false, you can configure it to use any attribute type.

No, according to the README:

"The value <member-ad> is the name of the attributeDescription that
specifies the member attribute. User modification of this attribute
is disabled for consistency."

I could only get it to work with 'member'. Even if I specified
'uniqueMember', 'member' was inserted.

> However, uniqueMember is a broken attribute type and should not be
> used by any LDAP software.

But it is, and I'm stuck with supporting third party applications that
use it.

>> - memberof works well for reverse group management, including the group DN
>> in the entries for group members. It only works with DN-valued
>> attributes, so it can't be used with clients that expect POSIX group
>> members to be listed by 'memberUid' rather than 'member'.
>
> POSIX group / memberUid is deprecated, no new LDAP clients should be
> using it anyway.

But it is, and I'm stuck with supporting old applications that use it.

> uniqueMember and memberUid have been discussed at length on these
> mailing lists before, so I won't elaborate again here. Search the
> archives for context.

While I agree with the theory, it doesn't help when adding OpenLDAP into
an existing network.

-- 
Ian.
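As an added illustration (not part of the thread, and not taken from Ian's or Howard's configuration), here is a slapd.conf fragment showing how the three overlays discussed above are attached to a database and which directive names the member attribute for each. The directive syntax is as documented in slapo-dynlist(5), slapo-memberof(5) and the autogroup README; the module path, suffix and backend are assumptions. The three overlays are stacked here only so they can be compared side by side: in a real deployment you would not attach both dynlist and autogroup to the same group object class.

```conf
# Added example, not from the thread. Module path, backend and suffix are
# assumptions chosen for illustration; verify the directive names against the
# manual pages shipped with your OpenLDAP build.

modulepath  /usr/lib/ldap
moduleload  dynlist.la
moduleload  memberof.la
moduleload  autogroup.la        # contrib module; build from contrib/slapd-modules/autogroup

database    hdb
suffix      "dc=example,dc=com"
rootdn      "cn=admin,dc=example,dc=com"
directory   /var/lib/ldap

# dynlist: when a groupOfURLs entry is returned, evaluate its memberURL and
# attach the matching DNs as 'member' values in the search result only.
# Nothing is stored, so those values cannot be matched by a search filter
# (the limitation described in the thread).
overlay             dynlist
dynlist-attrset     groupOfURLs memberURL member

# autogroup: evaluate memberURL and write the result into a stored attribute,
# so group membership is visible to filters. The third argument is the
# <member-ad> the README refers to; user modification of it is disabled.
overlay             autogroup
autogroup-attrset   groupOfURLs memberURL member

# memberof: maintain the reverse link by writing the group DN into the
# memberOf attribute of every entry named in the group's 'member' attribute.
# Only DN-valued member attributes are supported, so a POSIX group listing
# members by memberUid gets no memberOf maintenance from this overlay.
overlay                 memberof
memberof-group-oc       groupOfNames
memberof-member-ad      member
memberof-memberof-ad    memberOf
```

After loading such a configuration, the quick check for each overlay is a search that returns the group entry (dynlist and autogroup should both show expanded member values), a search with a filter such as (member=uid=someone,ou=people,dc=example,dc=com) (only the autogroup-managed group matches), and a read of a member's entry (memberOf is present only when that member was listed through a DN-valued attribute).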