
Re: Summary of dynamic groups



Ian Collins wrote:
Hello again,

My earlier thread appears to have been hijacked, so I'm starting a new
one for the summary of my investigations.

My current understanding is as follows:

There are three overlays that can be used to manage groups dynamically:
dynlist, autogroup and memberof.

- dynlist works well for including members specified in a URL to the
result of a search on a group. The dynamic members cannot be included
in a search filter.

- autogroup works well for including members specified in a URL to the
result of a search on a group. The dynamic members can be included in a
search filter, but the only supported list attribute is 'member', which
limits its use.

That's false, you can configure it to use any attribute type.

However, uniqueMember is a broken attribute type and should not be used by any LDAP software.

- memberof works well for reverse group management, including group dn
in the entries for group members.  It only works with DN-valued
attributes, so it can't be used with clients that expect POSIX group
members to be listed by 'memberUid' rather than 'member'.

POSIX group / memberUid is deprecated, no new LDAP clients should be using it anyway.

uniqueMember and memberUid have been discussed at length on these mailing lists before, so I won't elaborate again here. Search the archives for context.

From the above, I don't see a way to use OpenLDAP in an existing
environment where dynamic groups are searched for by members and don't
list their members with the 'member' attribute.

--
  -- Howard Chu
  CTO, Symas Corp.           http://www.symas.com
  Director, Highland Sun     http://highlandsun.com/hyc/
  Chief Architect, OpenLDAP  http://www.openldap.org/project/