Re: questions about memberof-refint option

["M. P." <kisscoolandthegangbang@hotmail.fr>]

Le 2015-11-20 08:19, Michael Ströder a écrit :
> M. P. wrote:
> > Reading the man page, I saw memberof-refint option. From what I 
> > understand,
> > when set to true, you can alter the user's  "is member of" attribute 
> > and that
> > would be reflected in the group's "member" attribute. Right ?
>
> I read the man page differently: "memberof-refint true" preserves 
> referential
> integrity for the 'member' attribute if the member entry is renamed. 
> Normally
> one would use slapo-refint for that.
>
> => IMO the text seems a bit ambigous.

Maybe it is because english is not my native language, but reading again 
the man page, it was(is still ?) a little bit confusing for me.

But, based on your point of view, I changed my test actions and I have 
to admit that it tends to your direction. Yes when I rename the user, 
the dn of the user is changed in the group and when the user is deleted, 
it is removed from the group. I agree with you, it seems very similar to 
slapo-refint which I tested too.

I wonder now, if we have the choice between both of these overlays to do 
the same think, is there one that should be prefered to the other ?

> > But, the member attribute is an operational attribute and can't be 
> > modified.

For correctness, I was talking about the memberOf atribute and not the 
member attribute.

> > So I started to search for an alternative and found the eduMember 
> > schema from
> > here https://spaces.internet2.edu/display/macedir/OpenLDAP+eduMember. 
> > Once
> > added to the installation I could use it for objects. It adds 
> > isMemberOf and
> > hasMember attributes that can be setable for users and groups. But 
> > can't make
> > it work with memberof overlay. When trying to add isMemberOf as
> > memberof-memberof-ad it was rejected with
>
> Wrong route...
>
> Why do you want to change group membership by tweaking 'memberOf' 
> anyway?

I want to permit a "two way" group membership management, something more 
flexible. First by adding members to groups objects and the other way by 
adding groups to users objects. I dont know if it is clear enough and if 
it is doable like this. But I try.

> Note
> that this would somewhat circumvent access control delegation on group
> entries.

Sorry, I don't understand this part.

> Hence you should always modify the group entries directly.

Yes I can do this, but for flexibility I'm looking for a way to alter 
user entries and that would be reflected on group entries. For sure it 
is scriptable, I know, but maybe there is a solution more integrated and 
modifications written instantaneously.
> Ciao, Michael.

--
------------

M. P.