Re: questions about memberof-refint option
On 2015-11-20 08:19, Michael Ströder wrote:
M. P. wrote:
Reading the man page, I saw memberof-refint option. From what I understand,
when set to true, you can alter the user's "is member of" attribute and that
would be reflected in the group's "member" attribute. Right?
I read the man page differently: "memberof-refint true" preserves referential
integrity for the 'member' attribute if the member entry is renamed. Normally
one would use slapo-refint for that.
=> IMO the text seems a bit ambiguous.
Maybe it is because English is not my native language, but reading again
the man page, it was (is still?) a little bit confusing for me.
But, based on your point of view, I changed my test actions and I have
to admit that it tends to your direction. Yes when I rename the user,
the dn of the user is changed in the group and when the user is deleted,
it is removed from the group. I agree with you, it seems very similar to
slapo-refint which I tested too.
I wonder now, if we have the choice between both of these overlays to do
the same thing, is there one that should be preferred to the other?
But, the member attribute is an operational attribute and can't be modified.
For correctness, I was talking about the memberOf attribute and not the
member attribute.
So I started to search for an alternative and found the eduMember schema from
here https://spaces.internet2.edu/display/macedir/OpenLDAP+eduMember. Once
added to the installation I could use it for objects. It adds isMemberOf and
hasMember attributes that can be settable for users and groups. But can't make
it work with memberof overlay. When trying to add isMemberOf as
memberof-memberof-ad it was rejected with
Wrong route...
Why do you want to change group membership by tweaking 'memberOf' anyway?
I want to permit a "two way" group membership management, something more
flexible. First by adding members to groups objects and the other way by
adding groups to users objects. I don't know if it is clear enough and if
it is doable like this. But I try.
Note that this would somewhat circumvent access control delegation on group
entries.
Sorry, I don't understand this part.
Hence you should always modify the group entries directly.
Yes I can do this, but for flexibility I'm looking for a way to alter
user entries and that would be reflected on group entries. For sure it
is scriptable, I know, but maybe there is a solution more integrated and
modifications written instantaneously.
Ciao, Michael.
--
------------
M. P.