Re: Summary of dynamic groups
Ian Collins wrote:
> Hello again,
>
> My earlier thread appears to have been hijacked, so I'm starting a new
> one for the summary of my investigations.
>
> My current understanding is as follows:
>
> There are three overlays that can be used to manage groups dynamically:
> dynlist, autogroup and memberof.
>
> - dynlist works well for including members specified in a URL to the
> result of a search on a group. The dynamic members cannot be included
> in a search filter.
>
> - autogroup works well for including members specified in a URL to the
> result of a search on a group. The dynamic members can be included in a
> search filter, but the only supported list attribute is 'member', which
> limits its use.

That's false, you can configure it to use any attribute type.
However, uniqueMember is a broken attribute type and should not be used by any
LDAP software.

> - memberof works well for reverse group management, including group dn
> in the entries for group members. It only works with DN-valued
> attributes, so it can't be used with clients that expect POSIX group
> members to be listed by 'memberUid' rather than 'member'.

POSIX group / memberUid is deprecated, no new LDAP clients should be using it
anyway.
uniqueMember and memberUid have been discussed at length on these mailing
lists before, so I won't elaborate again here. Search the archives for context.

> From the above, I don't see a way to use OpenLDAP in an existing
> environment where dynamic groups are searched for by members and don't
> list their members with the 'member' attribute.

--
-- Howard Chu
CTO, Symas Corp. http://www.symas.com
Director, Highland Sun http://highlandsun.com/hyc/
Chief Architect, OpenLDAP http://www.openldap.org/project/
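
An added slapd.conf sketch of the attribute settings discussed in this thread; it is not from either poster or from the OpenLDAP project. The schema path, suffix, directory, object class `exampleDynGroup` and attribute `exampleMember` are placeholders, and the directive names are those documented in slapo-autogroup(5) and slapo-memberof(5).

```conf
# Constructed fragment. Comments sit on their own lines because slapd.conf
# only treats lines that begin with '#' as comments.

# dyngroup.schema defines groupOfURLs and memberURL (path is an assumption).
include     /etc/openldap/schema/dyngroup.schema

# Only needed when the overlays are built as loadable modules.
moduleload  autogroup
moduleload  memberof

database    mdb
suffix      "dc=example,dc=com"
directory   /var/lib/ldap

# autogroup-attrset <group-oc> <URL-ad> <member-ad>
# The third argument names the attribute that receives the expanded members,
# so 'member' is a per-attrset choice rather than a fixed value.
overlay     autogroup
autogroup-attrset groupOfURLs     memberURL member

# A second attrset with a different member attribute. exampleDynGroup and
# exampleMember are hypothetical and would have to exist in the local schema.
autogroup-attrset exampleDynGroup memberURL exampleMember

# memberof maintains the reverse link on member entries. Its group class and
# both attribute names are configurable as well; the values shown are the
# documented defaults.
overlay     memberof
memberof-group-oc     groupOfNames
memberof-member-ad    member
memberof-memberof-ad  memberOf
```

Because group membership usually drives authorization decisions, check after any change to these directives that a search filtered on the configured member attribute returns the groups you expect.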