Michael Ströder wrote:
Arthur de Jong wrote:
Since you cannot do joins in LDAP, every group with member attributes
such as cn=Joe,ou=People,dc=... will require another lookup per member
to find the username (uid attribute).
This very much depends on the implementation of the NSS provider. AFAIK sssd
simply searches all posixAccount and posixGroup entries and resolves group
membership internally from the local sssd cache database. If an NSS provider
does not support something similar it should be expanded to do so or one
should not use it at all.
Furthermore there's slapo-deref which seems to work. The client control can be
used to retrieve all the 'uid' values in member entries. The NSS provider has
to extract the 'uid' values from the response control value.
See https://tools.ietf.org/html/draft-masarati-ldap-deref
Was going to reply but Michael beat me to it. Reiterating all the points
Michael made. There is no good reason to use memberUid or uniqueMember in
LDAP, both of these schema elements are deeply flawed.
--
-- Howard Chu
CTO, Symas Corp. http://www.symas.com
Director, Highland Sun http://highlandsun.com/hyc/
Chief Architect, OpenLDAP http://www.openldap.org/project/
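
The deref exchange Michael describes above (ask for 'uid' via the 'member' values, then pull the 'uid' values out of the response control), as an added example that is not code from the thread or from OpenLDAP. The ASN.1 layout follows the draft linked in the message; the helper names and the sample DNs under dc=example,dc=com are constructed for illustration.

```python
DEREF_OID = "1.3.6.1.4.1.4203.666.5.16"  # OID of the deref control (slapo-deref)

def tlv(tag, body):
    """Encode one BER element with a definite length (short or long form)."""
    if len(body) < 0x80:
        return bytes([tag, len(body)]) + body
    ln = len(body).to_bytes((len(body).bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(ln)]) + ln + body

def read_tlvs(buf):
    """Split buf into the (tag, body) elements of one nesting level."""
    out, i = [], 0
    while i < len(buf):
        if i + 2 > len(buf):
            raise ValueError("truncated BER header")
        tag, n = buf[i], buf[i + 1]
        i += 2
        if n & 0x80:  # long form: low 7 bits count the length octets
            k = n & 0x7F
            n, i = int.from_bytes(buf[i:i + k], "big"), i + k
        if i + n > len(buf):
            raise ValueError("truncated BER element")
        out.append((tag, buf[i:i + n]))
        i += n
    return out

def encode_request(deref_attr, attrs):
    """Request value: SEQUENCE OF DerefSpec { derefAttr, SEQUENCE OF attribute }."""
    wanted = tlv(0x30, b"".join(tlv(0x04, a.encode()) for a in attrs))
    return tlv(0x30, tlv(0x30, tlv(0x04, deref_attr.encode()) + wanted))

def decode_response(value):
    """Response value -> {dereferenced DN: {attribute type: [values]}}."""
    outer = read_tlvs(value)
    if len(outer) != 1 or outer[0][0] != 0x30:
        raise ValueError("expected SEQUENCE OF DerefRes")
    result = {}
    for _, res in read_tlvs(outer[0][1]):
        fields = read_tlvs(res)  # derefAttr, derefVal, optional [0] attrVals
        attrs = result.setdefault(fields[1][1].decode(), {})
        for _, body in (f for f in fields[2:] if f[0] == 0xA0):
            for _, pa in read_tlvs(body):
                (_, typ), (_, vals) = read_tlvs(pa)
                attrs[typ.decode()] = [v.decode() for _, v in read_tlvs(vals)]
    return result

# Constructed sample response value: two members, the second without attrVals.
_JOE = tlv(0xA0, tlv(0x30, tlv(0x04, b"uid") + tlv(0x31, tlv(0x04, b"joe"))))
SAMPLE = tlv(0x30, b"".join(tlv(0x30, tlv(0x04, b"member") + tlv(0x04, dn) + av) for dn, av in [
    (b"cn=Joe,ou=People,dc=example,dc=com", _JOE), (b"cn=Ann,ou=People,dc=example,dc=com", b"")]))
```

A member whose DerefRes carries no attrVals decodes to an empty dict, so a caller has to treat "no uid returned" as a case of its own rather than assume every member maps to a username.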