[Date Prev][Date Next] [Chronological] [Thread] [Top]

Re: questions about memberof-refint option

To: Quanah Gibson-Mount <quanah@zimbra.com>
Subject: Re: questions about memberof-refint option
From: k c <kisscoolandthegangbang@hotmail.fr>
Date: Sun, 22 Nov 2015 23:24:47 +0100
Cc: openldap-technical@openldap.org
In-reply-to: <F97F8293E8FD0249748C5764@[192.168.1.9]>
References: <BLU436-SMTP97B8A77EAC59F818639BA8A01B0@phx.gbl> <564EC964.1090501@stroeder.com> <BLU436-SMTP11150EC1A5633535F4F7751A01A0@phx.gbl> <609B4BBE261D762439F1F2DC@[192.168.1.9]> <BLU437-SMTP51639A94B24EBF5D4401C6A0190@phx.gbl> <F97F8293E8FD0249748C5764@[192.168.1.9]>

Le Sat, 21 Nov 2015 20:51:30 -0800,
Quanah Gibson-Mount <quanah@zimbra.com> a écrit :

> --On Sunday, November 22, 2015 12:20 AM +0100 "M. P." 
> <kisscoolandthegangbang@hotmail.fr> wrote:
> 
> > Le 2015-11-21 19:59, Quanah Gibson-Mount a écrit :
> >> --On Friday, November 20, 2015 2:59 PM +0100 "M. P."
> >> <kisscoolandthegangbang@hotmail.fr> wrote:
> >>
> >>> I want to permit a "two way" group membership management, something
> >>> more
> >>> flexible. First by adding members to groups objects and the other way
> >>> by
> >>> adding groups to users objects. I dont know if it is clear enough and
> >>> if
> >>> it is doable like this. But I try.
> >>
> >> Why not use dynamic groups?
> >
> > I'm not sure how dynamic groups could help me here.
> 
> You just define groups based off an attribute in the user entry.  Thus it 
> is a single write op to update the membership for a given user, and the 
> change in user membership is instant.  If you do it sanely, you can 
> trivially determine what groups a user belongs to by looking at the entry, 
> and as long as the ldap client is using ldapcompare etc properly for group 
> membership checks, it appears just like any "static" ldap group to the 
> client.

It is not exactly what I'm looking for but I'll certainly use dynamic groups
later for something else. 

To make it clearer, I have 2 users, userA and userB, and a group, groupA. If I
add a user by his dn uid=userA,ou... to cn=groupA, slapo-memberof will add to
userA an attribute isMemberOf=cn=groupA,ou... (isMemberOf is a modifiable
replacement for memberOf in my case).
What I want to make work is when I add an attribute isMemberOf=cn=groupA to
userB, then in cn=groupA I want to see an attibute member=uid=userB,ou... . Then
if for any reason I want to delete the group membership by removing
member=uid=userB,ou... from cn=groupA, it should remove the attribute
isMemberOf=cn=GroupA,ou... from uid=userB,ou... 
> 
> You can even use the memberOf attribute for creating the dynamic groups.

The memberof attribute is a readonly attribute. How could it be modified ? 

> 
> 
> --Quanah
> 
> 
> --
> 
> Quanah Gibson-Mount
> Platform Architect
> Zimbra, Inc.
> --------------------
> Zimbra ::  the leader in open source messaging and collaboration
> 
>

Follow-Ups:
- Re: questions about memberof-refint option
  - From: Quanah Gibson-Mount <quanah@zimbra.com>

References:
- questions about memberof-refint option
  - From: "M. P." <kisscoolandthegangbang@hotmail.fr>
- Re: questions about memberof-refint option
  - From: Michael Ströder <michael@stroeder.com>
- Re: questions about memberof-refint option
  - From: "M. P." <kisscoolandthegangbang@hotmail.fr>
- Re: questions about memberof-refint option
  - From: Quanah Gibson-Mount <quanah@zimbra.com>
- Re: questions about memberof-refint option
  - From: "M. P." <kisscoolandthegangbang@hotmail.fr>
- Re: questions about memberof-refint option
  - From: Quanah Gibson-Mount <quanah@zimbra.com>

Prev by Date: LMDB data growth - overflow pages
Next by Date: Re: questions about memberof-refint option
Index(es):
- Chronological
- Thread