On Feb 21, 2014, at 14.14, Jefferson Davis <[email protected]> wrote:
> This has been beating me like a red-headed stepchild...
>
> In the AD world, groupOfNames is expected (in combination with the member
> attribute, it provides for reverse group resolution, i.e. users by group
> membership AND groups by member inclusion).
>
> On the unix side of the fence, groups REQUIRE a gidNumber in order to resolve
> group membership, using the posixGroup structural OC in conjunction with
> memberUID.
>
> In attempting to future-proof our ldap services, and to accommodate the
> AD-focused nature of commercial products, I'm attempting to get this to all
> work automatically, i.e. use the same group setup for both (probably naive and
> ill-advised?). But you CANNOT have multiple structural objectclasses in a
> single entry. So these requirements put group structures in direct
> opposition to one another.
>
> Has anyone resolved this successfully, and if so, how? Overlays (which ones,
> examples)? Schema mods (examples?)

Refer to draft-howard-rfc2307bis-02 [doc/drafts/draft-howard-rfc2307bis-xx.txt], which defines posixGroup as aux. Use the schema defined in this document instead of nis.

-ben
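What a single dual-purpose group entry looks like once posixGroup is auxiliary, as an added illustration that is not part of the thread. It assumes slapd has an rfc2307bis schema loaded in place of nis.schema; the suffix dc=example,dc=com, the gidNumber and the user names are constructed values.

```ldif
# Added example, not from the original thread. Assumes an rfc2307bis schema
# (posixGroup AUXILIARY) is loaded instead of nis.schema; the suffix, gidNumber
# and user names below are constructed placeholders.
dn: cn=developers,ou=groups,dc=example,dc=com
objectClass: top
objectClass: groupOfNames
objectClass: posixGroup
cn: developers
gidNumber: 10001
description: one entry serving both AD-style and NIS-style group lookups
# groupOfNames side: full DNs, what AD-focused clients resolve membership by
member: uid=alice,ou=people,dc=example,dc=com
member: uid=bob,ou=people,dc=example,dc=com
# posixGroup side: bare uid values, what the unix NSS resolution expects
memberUid: alice
memberUid: bob
```

With nis.schema loaded instead, slapd rejects this entry because groupOfNames and posixGroup would both be structural. Nothing keeps member and memberUid in sync, so provisioning must write both attributes together.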
