
Re: questions about memberof-refint option



M. P. wrote:
> Reading the man page, I saw memberof-refint option. From what I understand,
> when set to true, you can alter the user's "is member of" attribute and that
> would be reflected in the group's "member" attribute. Right?

I read the man page differently: "memberof-refint true" preserves referential
integrity for the 'member' attribute if the member entry is renamed. Normally
one would use slapo-refint for that.

=> IMO the text seems a bit ambiguous.

> But, the member attribute is an operational attribute and can't be modified.
> So I started to search for an alternative and found the eduMember schema from
> here https://spaces.internet2.edu/display/macedir/OpenLDAP+eduMember. Once
> added to the installation I could use it for objects. It adds isMemberOf and
> hasMember attributes that can be settable for users and groups. But can't make
> it work with memberof overlay. When trying to add isMemberOf as
> memberof-memberof-ad it was rejected with

Wrong route...

Why do you want to change group membership by tweaking 'memberOf' anyway? Note
that this would somewhat circumvent access control delegation on group
entries. Hence you should always modify the group entries directly.

Ciao, Michael.
