On 7/22/25 16:00, Gregory Carter via sssd-users wrote:
https://unofficialaciguide.com/2019/07/31/ldap-schemas-for-aci-administrators-rfc2307-vs-rfc2307bis/ "In the RFC2307 compatibility layer, we have no memberOf or anything similar to use for identifying group membership. But we do have the “uid=ldapy” attribute. If we wanted to set ACI policy based on this information, we would have to authenticate the user, grab the UID attribute, then compare it to a specific group’s list of memberUIDs (or search through all groups to find which one has the correct memberUID)."

Ironically, perhaps this is something SambaAD compensates for, which I defined as RFC2307 for our schema, but I see memberOf definitions in my users anyway so the above scenario may not apply.

So what is your directory server, and could you check your schema definition and see if there are any memberOf definitions? Or is it a straight uid?

OpenLDAP 2.5.20, using the RFC2307bis schema, so memberOf values do exist. Which brings up another very good question: why must a "member=<userDN>" search be used to fetch groups for RFC2307bis data, when memberOf was specifically designed to alleviate the performance problems caused by "member=" lookups?

--
Chris Paul | Rex Consulting | https://www.rexconsulting.net
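Added example, not code from this thread or from SSSD or OpenLDAP: the three lookups the messages above contrast (RFC2307 memberUid scan, RFC2307bis member=<DN> search, and a direct memberOf read), evaluated over a small constructed set of entries. The DNs, the second group, and the assumption that the server populates memberOf on the user entry are made up for the illustration; only the uid ldapy comes from the quoted article.

```python
"""Resolve group membership the RFC2307, RFC2307bis and memberOf way.

The directory below is constructed sample data, not a real server dump.
"""
from typing import Dict, List, Tuple

USER_DN = "uid=ldapy,ou=people,dc=example,dc=com"  # constructed

DIRECTORY: Dict[str, Dict[str, List[str]]] = {
    USER_DN: {
        "objectClass": ["posixAccount", "inetOrgPerson"],
        "uid": ["ldapy"],
        # Assumption: the server maintains memberOf (e.g. via an overlay);
        # a plain RFC2307 server would have no such attribute at all.
        "memberOf": ["cn=admins,ou=groups,dc=example,dc=com"],
    },
    "cn=admins,ou=groups,dc=example,dc=com": {
        "objectClass": ["posixGroup", "groupOfNames"],
        "memberUid": ["ldapy"],   # RFC2307 form: bare login name
        "member": [USER_DN],      # RFC2307bis form: full DN
    },
    "cn=users,ou=groups,dc=example,dc=com": {
        "objectClass": ["posixGroup", "groupOfNames"],
        "memberUid": ["alice"],
        "member": ["uid=alice,ou=people,dc=example,dc=com"],
    },
}

def escape_filter_value(value: str) -> str:
    """RFC 4515 escaping, so a uid or DN taken from input cannot rewrite the filter."""
    return "".join(f"\\{ord(c):02x}" if c in "\\*()\0" else c for c in value)

def resolve_groups(method: str, subject: str) -> Tuple[str, List[str]]:
    """Return (search filter the client would send, sorted group DNs found).

    method: "rfc2307" takes a uid, "rfc2307bis" and "memberof" take the user DN.
    """
    v = escape_filter_value(subject)
    if method == "rfc2307":      # one subtree search across every group
        flt = f"(&(objectClass=posixGroup)(memberUid={v}))"
        hits = [dn for dn, e in DIRECTORY.items() if subject in e.get("memberUid", [])]
    elif method == "rfc2307bis": # still a search across groups, keyed by DN
        flt = f"(&(objectClass=groupOfNames)(member={v}))"
        hits = [dn for dn, e in DIRECTORY.items() if subject in e.get("member", [])]
    elif method == "memberof":   # one base-scope read of the user entry, no group search
        flt = "(objectClass=*)"
        hits = DIRECTORY[subject].get("memberOf", [])
    else:
        raise ValueError(method)
    return flt, sorted(hits)
```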
-- 
_______________________________________________
sssd-users mailing list -- sssd-users@lists.fedorahosted.org
To unsubscribe send an email to sssd-users-le...@lists.fedorahosted.org
Fedora Code of Conduct: 
https://docs.fedoraproject.org/en-US/project/code-of-conduct/
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives: 
https://lists.fedorahosted.org/archives/list/sssd-users@lists.fedorahosted.org
Do not reply to spam, report it: 
https://pagure.io/fedora-infrastructure/new_issue