The RFC doesn't define how, only what. Maybe the SSSD maintainers can describe their approach to whether or not SSSD looks for memberOf in a CN, or if it automatically switches to search mode to find any groups in that CN context with a matching uid.
I suppose the White Elephant in this thread is why should we continue to use OpenLDAP when Samba-AD is available now and it works?

On Tue, Jul 22, 2025 at 4:55 PM Christopher Paul via sssd-users <sssd-users@lists.fedorahosted.org> wrote:

> On 7/22/25 16:00, Gregory Carter via sssd-users wrote:
>
> > https://unofficialaciguide.com/2019/07/31/ldap-schemas-for-aci-administrators-rfc2307-vs-rfc2307bis/
> >
> > "In the RFC2307 compatibility layer, we have no memberOf or anything similar to use for identifying group membership. But we do have the “uid=ldapy” attribute. If we wanted to set ACI policy based on this information, we would have to authenticate the user, grab the UID attribute, then compare it to a specific group’s list of memberUIDs (or search through all groups to find which one has the correct memberUID)."
> >
> > Ironically, perhaps this is something SambaAD compensates for, which I defined as RFC2307 for our schema, but I see memberOf definitions in my users anyway so the above scenario may not apply.
> >
> > So what is your directory server and if you could check your schema definition and see if there are any memberOf definitions? Or is it a straight uid?
>
> OpenLDAP 2.5.20, using RFC2307bis schema, so there do exist memberOf values. Which brings up another very good question. Why must a "member=<userDN>" be used to fetch groups for RFC2307bis data when memberOf was specifically designed to alleviate the performance problems caused by "member=" lookups?
>
> --
> Chris Paul | Rex Consulting | https://www.rexconsulting.net
--
_______________________________________________
sssd-users mailing list -- sssd-users@lists.fedorahosted.org
To unsubscribe send an email to sssd-users-le...@lists.fedorahosted.org
Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives: https://lists.fedorahosted.org/archives/list/sssd-users@lists.fedorahosted.org
Do not reply to spam, report it: https://pagure.io/fedora-infrastructure/new_issue
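As an added illustration (not code from the thread, and not SSSD's own logic), the following Python models the lookups the quoted text contrasts, over a small constructed in-memory directory: the RFC2307 scan of every group's memberUid, the RFC2307bis member=<DN> search with optional nesting, the memberOf back-link read, and a check for where the back-link and the member= search disagree. All DNs and attribute values are constructed.

```python
# Added example, not from the thread or from SSSD: models the group lookups
# discussed above over a constructed in-memory directory (DN -> attributes).

DIRECTORY = {
    "uid=ldapy,ou=people,dc=example,dc=com": {
        "uid": ["ldapy"],
        # Back-link as maintained by a memberOf overlay; deliberately lagging
        # here (the devs membership is missing) to show why it needs checking.
        "memberOf": ["cn=admins,ou=groups,dc=example,dc=com"],
    },
    "cn=admins,ou=groups,dc=example,dc=com": {
        "memberUid": ["ldapy"],                                # RFC2307 style
        "member": ["uid=ldapy,ou=people,dc=example,dc=com"],   # RFC2307bis style
    },
    "cn=devs,ou=groups,dc=example,dc=com": {
        "memberUid": ["ldapy"],
        "member": ["uid=ldapy,ou=people,dc=example,dc=com"],
    },
    "cn=staff,ou=groups,dc=example,dc=com": {
        # RFC2307bis lets a group be a member of a group; a bare memberUid
        # list cannot express this, which is one reason member= searches exist.
        "member": ["cn=devs,ou=groups,dc=example,dc=com"],
    },
}


def groups_rfc2307(uid):
    """RFC2307: the user entry carries no back-link, so every group is scanned."""
    return sorted(dn for dn, a in DIRECTORY.items() if uid in a.get("memberUid", []))


def groups_by_member(dn, nesting=0):
    """RFC2307bis forward lookup (member=<DN>), following nested groups if asked."""
    direct = {g for g, a in DIRECTORY.items() if dn in a.get("member", [])}
    found = set(direct)
    if nesting > 0:
        for g in direct:
            found |= set(groups_by_member(g, nesting - 1))
    return sorted(found)


def groups_by_memberof(dn):
    """RFC2307bis back-link: a single read of the user entry, no group scan."""
    return sorted(DIRECTORY[dn].get("memberOf", []))


def memberof_drift(dn):
    """Groups on which the cheap memberOf read and the authoritative member=
    search disagree. An overlay-maintained back-link can lag or be missing, so
    cross-check it before using it for an access decision."""
    return sorted(set(groups_by_memberof(dn)) ^ set(groups_by_member(dn)))
```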