Re: dynlist overlay feature request
Alexander 'Leo' Bergolth wrote:
On 09/24/2009 08:43 PM, Howard Chu wrote:
Use RFC2307bis. posixGroups with memberUid are deprecated.
Even RFC2307bis says "either ... or"; AFAIK it doesn't contain any
evaluation of which one is preferred:
It is suggested that uid and cn are used as the naming attribute
for posixAccount and posixGroup entries, respectively. Group
members may either be login names (values of memberUid) or
distinguished names (values of uniqueMember).
E.g. samba recommends using smbldaptools for managing users and groups,
which cannot handle uniqueMember.
uniqueMember is also deprecated.
http://www.ietf.org/id/draft-howard-rfc2307bis-02.txt
Section 5.2
Anyway, memberUIDs are still used in many large distributed setups that
cannot be easily migrated to uniqueMember style groups without major
modifications to all components involved.
So how do you estimate the complexity of adding this extension to
dynlist-attrset?
Probably easy. Patches are always welcome.
dynlist-attrset<group-oc> <URL-ad> [<member-ad>] [<result-ad>]
i.e.:
dynlist-attrset myposixGroup memberURL memberUid uid
E.g. a way to dynamically add a memberUid to each posixAccount that
contains the same data as the uid attribute? If that works, a filter like
ldap:///ou=users,dc=local,dc=site?memberUid?sub?(&(objectClass=posixAccount)(<searchfilter>))
... could work.
Or maybe another workaround could be to first add the user-account DN to
the memberUid attribute using existing dynlist features and then rewrite
its value by extracting the username out of the DN using another
overlay? Would this be a realistic approach?
The rewrite overlay only operates on DN-valued attributes. I don't recall if
rewriting occurs before or after attribute mapping; if it occurs after then it
would not work.
--
-- Howard Chu
CTO, Symas Corp. http://www.symas.com
Director, Highland Sun http://highlandsun.com/hyc/
Chief Architect, OpenLDAP http://www.openldap.org/project/
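As an added illustration (not code from this thread or from OpenLDAP), the Python simulation below models the proposed `dynlist-attrset ... memberUid uid` mapping: the memberURL above asks for memberUid, which posixAccount entries do not carry, so without a result-ad mapping uid into memberUid the expanded group is empty. The sample directory, the gidNumber filter term and the expand_group function are assumptions made for the example.

```python
"""Simulate the proposed dynlist attribute mapping: entries matched by an
LDAP URL are exposed under the group's member attribute (memberUid) using
a different source attribute (uid) from each matched entry.
DIRECTORY is constructed sample data, not a real directory."""
from urllib.parse import unquote

# Constructed sample directory: DN -> attributes (names lower-cased).
DIRECTORY = {
    "uid=alice,ou=users,dc=local,dc=site": {
        "objectclass": ["posixAccount"], "uid": ["alice"], "gidnumber": ["100"]},
    "uid=bob,ou=users,dc=local,dc=site": {
        "objectclass": ["posixAccount"], "uid": ["bob"], "gidnumber": ["200"]},
    "uid=svc,ou=services,dc=local,dc=site": {
        "objectclass": ["posixAccount"], "uid": ["svc"], "gidnumber": ["100"]},
}

def parse_ldap_url(url):
    """Split an RFC 4516 URL (empty host) into base, attrs, scope, filter."""
    if not url.startswith("ldap:///"):
        raise ValueError("only ldap:/// URLs are supported here")
    parts = url[len("ldap:///"):].split("?") + ["", "", ""]
    base, attrs, scope, flt = (unquote(p) for p in parts[:4])
    return base, [a for a in attrs.split(",") if a], scope or "base", flt or "(objectClass=*)"

def matches(flt, entry):
    """Evaluate a filter supporting &, |, ! and case-insensitive equality."""
    body = flt[1:-1]                       # strip the outer parentheses
    if body[0] in "&|!":
        subs, depth, start = [], 0, 1     # split into top-level sub-filters
        for i in range(1, len(body)):
            depth += (body[i] == "(") - (body[i] == ")")
            if depth == 0 and body[i] == ")":
                subs.append(body[start:i + 1]); start = i + 1
        if body[0] == "!":
            return not matches(subs[0], entry)
        return (all if body[0] == "&" else any)(matches(s, entry) for s in subs)
    attr, _, value = body.partition("=")
    values = entry.get(attr.lower(), [])
    return bool(values) if value == "*" else value.lower() in (v.lower() for v in values)

def in_scope(dn, base, scope):
    dn, base = dn.lower(), base.lower()
    if scope == "base":
        return dn == base
    if scope == "one":
        return dn.endswith("," + base) and "," not in dn[:-len(base) - 1]
    return dn == base or dn.endswith("," + base)   # sub

def expand_group(url, member_ad, result_ad=None):
    """Values the group would expose under member_ad; result_ad is the
    proposed mapping: take that attribute from each matched entry instead
    of the attribute the URL requests."""
    base, attrs, scope, flt = parse_ldap_url(url)
    source = (result_ad or (attrs[0] if attrs else member_ad)).lower()
    members = []
    for dn, entry in DIRECTORY.items():
        if in_scope(dn, base, scope) and matches(flt, entry):
            members.extend(entry.get(source, []))
    return {member_ad: members}

URL = ("ldap:///ou=users,dc=local,dc=site?memberUid?sub?"
       "(&(objectClass=posixAccount)(gidNumber=100))")
```

Calling `expand_group(URL, "memberUid")` yields no members because the URL requests memberUid from entries that only have uid; `expand_group(URL, "memberUid", "uid")` returns alice (bob fails the filter, svc is outside the search base).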