Ryan Tandy wrote:
> On Wed, Sep 07, 2016 at 11:10:30PM +0200, MegaBrutal wrote:
>> I also figured that memberOf would need groupOfNames groups, while I need
>> posixGroup type groups. I evaluated the possibility to use groupOfNames, but
>> it lacks the necessary gidNumber attribute which is a requirement for Unix
>> groups.
>
> This is the key issue.
>
> A draft schema known as "rfc2307bis" exists, which replaces (!) the published
> RFC2037 schema with one compatible with groupOfNames.
>
> A published solution to this problem does not currently exist. In the past year
> there have been some discussions on the ldapext list. You can find the archives
> of that list at:
>
> https://www.ietf.org/mailman/listinfo/ldapext

Yet another approach: ;-)

In Æ-DIR I've declared hybrid groups derived from posixGroup (RFC 2307) and
groupOfEntries for empty groups (see [1]) to accommodate legacy components not
capable of being configured to RFC2307bis:

  # This allows mixed group schema
  # also "dynamic groups" based on groupOfURLs/memberURL
  objectclass ( ae-dir-oc:1
    NAME 'aeGroup'
    X-ORIGIN 'AE-DIR'
    DESC 'AE-DIR: Group entry'
    STRUCTURAL
    SUP ( groupOfEntries $ posixGroup $ groupOfURLs $ aeObject )
    MUST ( description ) )

Furthermore, a constraint to ensure consistency of 'member' and 'memberUID':

  constraint_attribute memberUID,member set "this/memberUID & this/member/uid" restrict="ldap:///ou=ae-dir??sub"

[1] https://tools.ietf.org/html/draft-findlay-ldap-groupofentries

Ciao, Michael.
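The following is an added example, not code from the mail or from Æ-DIR. It checks offline, on constructed entries, the property the 'member'/'memberUID' constraint above is meant to keep true in a hybrid posixGroup/groupOfEntries group: the memberUID values and the uid values of the member DNs agree. The entry data, DNs and function names are assumptions for this example; it models the consistency goal, not slapo-constraint's own set-evaluation rules.

```python
"""Offline consistency check between memberUID and member/uid (added example)."""

# Constructed sample directory: DN -> attributes (lists of values), all under ou=ae-dir.
DIRECTORY = {
    "uid=alice,ou=people,ou=ae-dir": {"uid": ["alice"], "uidNumber": ["1001"]},
    "uid=bob,ou=people,ou=ae-dir": {"uid": ["bob"], "uidNumber": ["1002"]},
    "uid=carol,ou=people,ou=ae-dir": {"uid": ["carol"], "uidNumber": ["1003"]},
}

# Constructed hybrid groups (posixGroup memberUID plus groupOfEntries member).
GROUPS = {
    # consistent: memberUID equals the uid values of all member DNs
    "cn=admins,ou=groups,ou=ae-dir": {
        "member": ["uid=alice,ou=people,ou=ae-dir", "uid=bob,ou=people,ou=ae-dir"],
        "memberUID": ["alice", "bob"],
    },
    # inconsistent: a Unix-only memberUID with no matching member DN
    "cn=ops,ou=groups,ou=ae-dir": {
        "member": ["uid=alice,ou=people,ou=ae-dir"],
        "memberUID": ["alice", "carol"],
    },
    # inconsistent: a member DN whose uid is missing from memberUID
    "cn=dev,ou=groups,ou=ae-dir": {
        "member": ["uid=bob,ou=people,ou=ae-dir", "uid=carol,ou=people,ou=ae-dir"],
        "memberUID": ["bob"],
    },
    # empty group, which groupOfEntries permits (no member at all)
    "cn=empty,ou=groups,ou=ae-dir": {"member": [], "memberUID": []},
}


def check_group(group, directory):
    """Return the discrepancies of one group; an empty dict means it is consistent."""
    member_uids, dangling = set(), []
    for dn in group.get("member", []):
        entry = directory.get(dn)          # resolve 'this/member/uid'
        if entry is None:
            dangling.append(dn)            # member DN points at no entry
            continue
        member_uids.update(entry.get("uid", []))
    memberuid = set(group.get("memberUID", []))
    result = {}
    if member_uids - memberuid:
        result["missing_memberuid"] = sorted(member_uids - memberuid)
    if memberuid - member_uids:
        result["stale_memberuid"] = sorted(memberuid - member_uids)
    if dangling:
        result["dangling_member"] = dangling
    return result


def check_all(groups, directory):
    """Map group DN -> discrepancies, listing only groups that violate the rule."""
    return {dn: r for dn, g in groups.items() for r in [check_group(g, directory)] if r}


if __name__ == "__main__":
    for dn, problems in check_all(GROUPS, DIRECTORY).items():
        print(dn, problems)
```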