[Date Prev][Date Next] [Chronological] [Thread] [Top]

Re: questions about memberof-refint option



Le 2015-11-20 08:19, Michael Ströder a écrit :
M. P. wrote:
Reading the man page, I saw memberof-refint option. From what I understand, when set to true, you can alter the user's "is member of" attribute and that
would be reflected in the group's "member" attribute. Right ?

I read the man page differently: "memberof-refint true" preserves referential integrity for the 'member' attribute if the member entry is renamed. Normally
one would use slapo-refint for that.

=> IMO the text seems a bit ambigous.

Maybe it is because english is not my native language, but reading again the man page, it was(is still ?) a little bit confusing for me.

But, based on your point of view, I changed my test actions and I have to admit that it tends to your direction. Yes when I rename the user, the dn of the user is changed in the group and when the user is deleted, it is removed from the group. I agree with you, it seems very similar to slapo-refint which I tested too.

I wonder now, if we have the choice between both of these overlays to do the same think, is there one that should be prefered to the other ?


But, the member attribute is an operational attribute and can't be modified.

For correctness, I was talking about the memberOf atribute and not the member attribute.

So I started to search for an alternative and found the eduMember schema from here https://spaces.internet2.edu/display/macedir/OpenLDAP+eduMember. Once added to the installation I could use it for objects. It adds isMemberOf and hasMember attributes that can be setable for users and groups. But can't make
it work with memberof overlay. When trying to add isMemberOf as
memberof-memberof-ad it was rejected with

Wrong route...

Why do you want to change group membership by tweaking 'memberOf' anyway?

I want to permit a "two way" group membership management, something more flexible. First by adding members to groups objects and the other way by adding groups to users objects. I dont know if it is clear enough and if it is doable like this. But I try.

Note
that this would somewhat circumvent access control delegation on group
entries.

Sorry, I don't understand this part.

Hence you should always modify the group entries directly.

Yes I can do this, but for flexibility I'm looking for a way to alter user entries and that would be reflected on group entries. For sure it is scriptable, I know, but maybe there is a solution more integrated and modifications written instantaneously.

Ciao, Michael.

--
------------

M. P.