Michael Ströder wrote:
> On 8/21/22 16:51, Alceu Rodrigues de Freitas Junior wrote:
>> I do know memberOf is not a requirement: regularly exporting data from
>> /etc/passwd, /etc/shadow and /etc/group as LDIF files is working as
>> expected.
>>
>> But wouldn't it be a better option to use it instead of handling data in
>> multiple places (users and groups) instead of just the group entries in the
>> tree?
>>
>> At least this is my understanding regarding the usefulness of memberOf. Not
>> sure either if that would become a performance issue.
>
> Not sure I really understand what you're after, but I'll give it a try:
>
> With POSIX groups, besides determining a user's group membership you also have
> to read some POSIX group attributes like cn and gidNumber from the LDAP
> posixGroup entry.
>
> Simple NSS clients can build the passwd and group maps by just reading all
> posixGroup and posixAccount entries at once (full enumeration).
>
> This might not work in bigger environments with several tens of thousands of also
> possibly very large groups. So some NSS clients allow disabling enumeration of the
> whole maps and try to read data just when needed. In such a situation it can
> be useful to make use of the memberOf attribute, e.g. when determining the group
> membership of a single user, to avoid having to read the full and possibly
> very big group entries. Together with slapo-deref the NSS client can also
> read the group entries' POSIX attribute gidNumber referenced by the user entry in one
> round-trip.
You can just search for all groups where member=<user>, returning no attributes, or returning only cn and gidNumber. Again, memberOf is not helpful here and no other extensions are needed.

--
  -- Howard Chu
  CTO, Symas Corp.           http://www.symas.com
  Director, Highland Sun     http://highlandsun.com/hyc/
  Chief Architect, OpenLDAP  http://www.openldap.org/project/
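The search Howard describes, as an added example that is not part of the thread and not OpenLDAP project code: it builds the `(&(objectClass=posixGroup)(member=<user>))` filter, the `ldapsearch -LLL` command that requests only `cn` and `gidNumber`, and a small parser that turns the LDIF reply into the (cn, gid) pairs an NSS client needs. The user-supplied part of the filter is escaped per RFC 4515 first, because a uid or DN containing `)`, `(` or `*` would otherwise rewrite the filter (LDAP filter injection). The base DN `ou=groups,dc=example,dc=com`, the rfc2307bis-style `member` attribute holding full DNs, and the sample LDIF are assumptions of this example; a nis.schema `posixGroup` keeps bare uids in `memberUid`, so the attribute name is a parameter.

```python
"""Added example (not from the thread): build and consume the
"all groups whose member is <user>" search that Howard Chu describes.

Assumptions (not stated on the page): groups live under
ou=groups,dc=example,dc=com and are rfc2307bis-style posixGroup entries
whose membership attribute `member` holds full user DNs. Plain nis.schema
posixGroup entries use memberUid with a bare uid instead; the filter
builder takes the attribute name as a parameter for that reason.
"""
import shlex

# RFC 4515 escaping for values embedded in a search filter. Without this a
# user-controlled string containing ')' or '*' could change the meaning of
# the filter (LDAP filter injection).
_FILTER_ESCAPES = {
    "\\": r"\5c",
    "*": r"\2a",
    "(": r"\28",
    ")": r"\29",
    "\x00": r"\00",
}


def escape_filter_value(value: str) -> str:
    """Escape a string so it can sit inside an LDAP filter assertion value."""
    return "".join(_FILTER_ESCAPES.get(ch, ch) for ch in value)


def group_search_filter(user: str, member_attr: str = "member") -> str:
    """Filter for all POSIX groups that list `user` as a member.

    `user` is the full DN when member_attr is 'member' (rfc2307bis) or the
    bare uid when member_attr is 'memberUid' (nis.schema).
    """
    return f"(&(objectClass=posixGroup)({member_attr}={escape_filter_value(user)}))"


def ldapsearch_argv(base: str, user: str, member_attr: str = "member") -> list:
    """argv for the one-round-trip search; only cn and gidNumber are
    requested, so the group entries' possibly huge member lists are never
    transferred."""
    return [
        "ldapsearch", "-LLL", "-b", base,
        group_search_filter(user, member_attr),
        "cn", "gidNumber",
    ]


def parse_group_ldif(ldif: str) -> list:
    """Turn the LDIF that ldapsearch -LLL prints into [(cn, gid), ...].

    Handles LDIF line folding (continuation lines start with a space) and
    ignores attributes other than cn and gidNumber.
    """
    lines = []
    for raw in ldif.splitlines():
        if raw.startswith(" ") and lines:
            lines[-1] += raw[1:]          # unfold continuation line
        else:
            lines.append(raw)

    groups, current = [], {}
    for line in lines + [""]:             # trailing "" flushes the last entry
        if not line.strip():
            if current.get("cn") and current.get("gidNumber"):
                groups.append((current["cn"], int(current["gidNumber"])))
            current = {}
            continue
        if line.startswith("#"):
            continue
        name, _, value = line.partition(":")
        current[name.strip()] = value.strip()
    return groups


# Constructed sample reply, shaped like ldapsearch -LLL output (not captured
# from any real directory).
SAMPLE_LDIF = """\
dn: cn=developers,ou=groups,dc=example,dc=com
cn: developers
gidNumber: 5001

dn: cn=wheel,ou=groups,dc=example,dc=com
cn: wheel
gidNumber: 10
"""

if __name__ == "__main__":
    user_dn = "uid=alice,ou=people,dc=example,dc=com"
    print(shlex.join(ldapsearch_argv("ou=groups,dc=example,dc=com", user_dn)))
    print(parse_group_ldif(SAMPLE_LDIF))
```

Running the block prints the `ldapsearch` command line for the assumed user and the parsed `[('developers', 5001), ('wheel', 10)]` from the constructed reply. The point of escaping is visible in `escape_filter_value("x)(uid=*")`, which yields `x\29\28uid=\2a`: the result contains no unescaped parentheses, so the filter stays a single equality assertion whatever the client was handed as a user name.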
