Arthur de Jong wrote:
> On Wed, 2013-12-25 at 16:44 +0100, Michael Ströder wrote:
>> Furthermore there's slapo-deref which seems to work. The client
>> control can be used to retrieve all the 'uid' values in member
>> entries. The NSS provider has to extract the 'uid' values from the
>> response control value.
>>
>> See https://tools.ietf.org/html/draft-masarati-ldap-deref
>
> Sadly, the Internet Draft expired without turning into an RFC.

Like many other expired Internet drafts we use (e.g.
draft-behera-ldap-password-policy in the context of the thread).

> I also can't find any documentation on slapo-deref, do you have any
> pointers?

There's no official documentation yet. Simply build and enable the overlay
and try yourself.

> Also, do you have any idea whether this is implemented by a significant
> part of the LDAP servers out there (is it worth the effort to implement
> this client-side)?

It works with OpenLDAP servers. AFAICS sssd has client code using it.

> There is also a memberof overlay that populates memberOf attributes in
> users. Would it be difficult to make a memberuid overlay that populates
> memberUid attributes in the group?

Of course you can implement a slapo-memberuid and a slapo-attrvalueref if you
have enough spare time. There's also some experimental code in OpenLDAP's
contrib/ to use posixGroup/memberUID in ACLs.

But IMO there's absolutely no valid reason for wasting the time doing so.

Ciao, Michael.
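The extraction step mentioned in the quoted text above (an NSS provider pulling the 'uid' values out of the deref response control value), as an added example that is not part of this thread or of any project's code. It assumes the response layout given in draft-masarati-ldap-deref; the function names, the `member` deref attribute and the sample DNs are hypothetical and the input bytes are constructed.

```python
# Added example: extract 'uid' values from a dereference response control value.
# Assumed layout (draft-masarati-ldap-deref): SEQUENCE OF DerefRes, each being
# SEQUENCE { derefAttr, derefVal, attrVals [0] PartialAttributeList OPTIONAL }.
SEQ, SET, OCTETS, CTX0 = 0x30, 0x31, 0x04, 0xA0

def read_tlvs(buf):
    """Split buf into (tag, value) BER elements, rejecting bad lengths."""
    out, i = [], 0
    while i < len(buf):
        if i + 2 > len(buf):
            raise ValueError("truncated element header")
        tag, n, i = buf[i], buf[i + 1], i + 2
        if n & 0x80:  # long form: low 7 bits count the length octets
            k = n & 0x7F
            if not 1 <= k <= 4 or i + k > len(buf):
                raise ValueError("unsupported or truncated length")
            n, i = int.from_bytes(buf[i:i + k], "big"), i + k
        if i + n > len(buf):
            raise ValueError("element overruns buffer")
        out.append((tag, buf[i:i + n]))
        i += n
    return out

def deref_values(control_value, want="uid"):
    """Map each dereferenced DN to its values of attribute `want`."""
    (tag, body), = read_tlvs(control_value)
    if tag != SEQ:
        raise ValueError("control value is not a SEQUENCE")
    result = {}
    for _, res in read_tlvs(body):
        (_, _attr), (_, dn), *rest = read_tlvs(res)  # derefAttr, derefVal, attrVals?
        values = result.setdefault(dn.decode("utf-8"), [])
        for _, attrs in (f for f in rest if f[0] == CTX0):
            for _, partial in read_tlvs(attrs):  # PartialAttribute: type, SET OF value
                (_, atype), (_, vset) = read_tlvs(partial)
                if atype.decode("ascii").lower() == want:
                    values += [v.decode("utf-8") for _, v in read_tlvs(vset)]
    return result

def tlv(tag, body):  # sample builder only; bodies under 256 bytes
    n = len(body)
    return bytes([tag]) + (bytes([n]) if n < 0x80 else bytes([0x81, n])) + body

def deref_res(dn, uids=None):  # one constructed DerefRes for derefAttr 'member'
    s = lambda text: tlv(OCTETS, text.encode())
    attrs = b"" if uids is None else tlv(CTX0, tlv(SEQ, s("uid") + tlv(SET, b"".join(map(s, uids)))))
    return tlv(SEQ, s("member") + s(dn) + attrs)

SAMPLE = tlv(SEQ, deref_res("uid=alice,dc=example", ["alice"])  # constructed input
             + deref_res("uid=bob,dc=example", ["bob"]) + deref_res("cn=printers,dc=example"))
```

A member entry that comes back without `attrVals` maps to an empty list, so a caller can tell "dereferenced but no uid returned" apart from "not a member".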