--On Monday, June 6, 2022 7:06 PM +0200 Michael Ströder
<[email protected]> wrote:
On 6/6/22 17:35, Quanah Gibson-Mount wrote:
--On Monday, June 6, 2022 5:19 PM +0200 Michael Ströder
<[email protected]> wrote:
Like it or not, for strictly matching POSIX group names you *must*
distinguish these values no matter what the LDAP matching rule says:
memberOf: cn=Foo,ou=1,dc=example,dc=com
memberOf: cn=foo,ou=2,dc=example,dc=com
This is your personal interpretation based on focusing on the DN matching
rule.
That is not an "interpretation". Those are literally two completely
different entries as they exist in entirely different namespaces. The
first is in ou=1, the second is in ou=2. This is a fundamental concept of
LDAP (regardless of whether or not underneath they could point to the same
entry using back-relay or slapo-rwm or something). DNs are by definition
unique and point to a singular unique object.
--Quanah
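
The distinction argued over in this thread, as an added example that is not part of either participant's message or of any OpenLDAP code: it compares the two memberOf values as whole DNs and then by leftmost cn alone, flagging group names that differ only in case. The helper names and the third sample value are constructed, and case-folding every RDN is an assumption that holds for cn, ou and dc but not for every attribute type.

```python
from collections import defaultdict

def split_unescaped(s, sep=","):
    """Split on sep unless it is backslash-escaped (RFC 4514 style)."""
    parts, buf, i = [], "", 0
    while i < len(s):
        if s[i] == "\\" and i + 1 < len(s):
            buf += s[i:i + 2]
            i += 2
        elif s[i] == sep:
            parts.append(buf)
            buf = ""
            i += 1
        else:
            buf += s[i]
            i += 1
    return parts + [buf]

def parse_dn(dn):
    """Return [(attr, value), ...]; assumes single-valued RDNs."""
    return [tuple(p.strip() for p in rdn.split("=", 1))
            for rdn in split_unescaped(dn)]

def dn_key(dn):
    """Approximate distinguishedNameMatch: case-fold every RDN (assumption)."""
    return tuple((a.lower(), v.lower()) for a, v in parse_dn(dn))

def leaf_cn(dn):
    """Value of the leftmost RDN, which must be cn."""
    attr, value = parse_dn(dn)[0]
    if attr.lower() != "cn":
        raise ValueError("leftmost RDN is not cn: " + dn)
    return value

def audit(member_of):
    """Count distinct entries; report cn values that collide when case-folded."""
    entries = {}
    for dn in member_of:
        entries.setdefault(dn_key(dn), dn)
    folded = defaultdict(list)
    for dn in entries.values():
        folded[leaf_cn(dn).lower()].append(dn)
    return len(entries), {n: sorted(d) for n, d in folded.items() if len(d) > 1}

# Constructed sample: the thread's two values plus a re-cased copy of the first.
SAMPLE = ["cn=Foo,ou=1,dc=example,dc=com",
          "cn=foo,ou=2,dc=example,dc=com",
          "CN=foo,OU=1,DC=Example,DC=com"]

if __name__ == "__main__":
    print(audit(SAMPLE))
```

The audit reports two distinct entries and one case-folded cn collision between them, which is the situation where code that reduces memberOf to a bare group name has to decide how to compare it.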