> Maybe I'm just being delusional in thinking that this should work... I'm
> running OpenLDAP 2.4.23 on IBM AIX for authentication on a variety of AIX,
> Linux and web applications.
>
> As we need to use both Posixgroup and groupOfNames objects with the same
> membership, the dynamic list overlay seems like an ideal approach. This
> configuration appeared to work fine for our Linux hosts and web
> applications, but not so well for our AIX hosts:
>
> In slapd.conf:
> overlay dynlist
> dynlist-attrset posixGroup labeledURI memberUid:uid
>
> Ldap object:
> dn: cn=testgroup,cn=testgroup,ou=unix,ou=groups,ou=unix,st=or,c=us
> cn: testgroup
> objectClass: top
> objectClass: posixGroup
> objectClass: labeledURIObject
> gidNumber: 1000
> labeledURI: ldap:///ou=unix,st=or,c=us?uid?sub?(memberof=cn=testgroup,ou=unix,ou=groups,ou=unix,st=or,c=us)
> memberUid: chogensen
> memberUid: jbagley
>
> However, the AIX hosts do a search for '(memberUid=jbagley)' to determine
> group membership and the ldap server does not return the above object.
> I'm guessing that I was wrong in assuming the overlay would handle this type
> of application and that I will have to find another way. Anyone have any
> helpful tips? Advice? Condolences if I now have to manage twice as many
> group objects?

Dynamic groups expanded by dynlist cannot be searched by filtering on dynamic members. You may want to look at autogroup (in contrib/slapd-modules/autogroup/), which works according to a totally different logic.

p.
