Re: groupOfNames vs. groupOfUniqueNames

2020-09-07 Thread Quanah Gibson-Mount




--On Monday, September 7, 2020 1:14 PM +0200 Olaf Hopp wrote:

> So thanks for all your valuable input.
> I really will go with "groupOfNames".
>
> But just for the information:
> VMware virtual center connected to an openldap server as authentication
> source insists(!) on groups having "groupOfUniqueNames".
> They do a search on this objectClass and it is not configurable !
> See https://kb.vmware.com/s/article/2064977


I would file a bug with VMware, there's no reason for such a limitation to 
exist.


--Quanah

--

Quanah Gibson-Mount
Product Architect
Symas Corporation
Packaged, certified, and supported LDAP solutions powered by OpenLDAP:



Re: groupOfNames vs. groupOfUniqueNames

2020-09-07 Thread Olaf Hopp

So thanks for all your valuable input.
I really will go with "groupOfNames".

But just for the information:
VMware virtual center connected to an openldap server as authentication
source insists(!) on groups having "groupOfUniqueNames".
They do a search on this objectClass and it is not configurable !
See https://kb.vmware.com/s/article/2064977

Regards, Olaf

--
Karlsruher Institut für Technologie (KIT)
ATIS - Abt. Technische Infrastruktur, Fakultät für Informatik

Dipl.-Geophys. Olaf Hopp
- Head of IT Services -

Am Fasanengarten 5, Building 50.34, Room 009
76131 Karlsruhe
Phone: +49 721 608-43973
Fax: +49 721 608-46699
E-Mail: olaf.h...@kit.edu
atis.informatik.kit.edu

www.kit.edu

KIT – The Research University in the Helmholtz Association

KIT has been certified as a family-friendly university since 2010.






Re: [EXT] Re: groupOfNames vs. groupOfUniqueNames

2020-09-04 Thread Ulrich Windl
>>> "Ulrich Windl" wrote on 03.09.2020 at 08:29 in message
<5f508d2d02a10003b...@gwsmtp.uni-regensburg.de>:
> Dieter Klünter wrote on 02.09.2020 at 19:04 in
> message <20200902190443.664d1...@pink.fritz.box>:
>> On Wed, 2 Sep 2020 11:11:56 +0200
>> Olaf Hopp wrote:
>> 
>>> Hi everybody,
>>> 
>>> we are at the point of reorganising our LDAP.
>>> Currently we only have posixGroups, but in future we also want to
>>> support groupOfNames or groupOfUniqueNames
>>> My question what is the common sense of usage ?
>>> groupOfNames or groupOfUniqueNames ?
>>> 
>>> I know your answers, you will say "it depends on your applications"
>>> but currently I have no application using it. All my current
>>> applications use my posixGroups. I just want to extend my LDAP for
>>> future use cases.
>>> 
>>> So what to take : groupOfNames or groupOfUniqueNames besides
>>> posixGroup ?
>> 
>> I would vote for groupOfnames. If you prefer groupOfUniqueNames you
>> should provide uniqueness.
>> 
>> https://ldapwiki.com/wiki/GroupOfUniqueNames%20vs%20groupOfNames 
>> https://ldapwiki.com/wiki/UniqueMember 
>> 
>> The use of posixgroup depends on your requirements.
> 
> Actually I had never considered adding suplicates to a groupOfNames, mostly

s/suplicates/duplicates/ # sorry

> because I cannot imagine a use case; anyone have a use case?
> 
>> 
>> -Dieter
>> 
>> -- 
>> Dieter Klünter | Systemberatung
>> http://sys4.de 
>> GPG Key ID: E9ED159B
>> 53°37'09,95"N
>> 10°08'02,42"E




Re: [EXT] Re: groupOfNames vs. groupOfUniqueNames

2020-09-03 Thread Ulrich Windl
>>> Dieter Klünter wrote on 02.09.2020 at 19:04 in
message <20200902190443.664d1...@pink.fritz.box>:
> On Wed, 2 Sep 2020 11:11:56 +0200
> Olaf Hopp wrote:
> 
>> Hi everybody,
>> 
>> we are at the point of reorganising our LDAP.
>> Currently we only have posixGroups, but in future we also want to
>> support groupOfNames or groupOfUniqueNames
>> My question what is the common sense of usage ?
>> groupOfNames or groupOfUniqueNames ?
>> 
>> I know your answers, you will say "it depends on your applications"
>> but currently I have no application using it. All my current
>> applications use my posixGroups. I just want to extend my LDAP for
>> future use cases.
>> 
>> So what to take : groupOfNames or groupOfUniqueNames besides
>> posixGroup ?
> 
> I would vote for groupOfnames. If you prefer groupOfUniqueNames you
> should provide uniqueness.
> 
> https://ldapwiki.com/wiki/GroupOfUniqueNames%20vs%20groupOfNames 
> https://ldapwiki.com/wiki/UniqueMember 
> 
> The use of posixgroup depends on your requirements.

Actually I had never considered adding suplicates to a groupOfNames, mostly
because I cannot imagine a use case; anyone have a use case?

> 
> -Dieter
> 
> -- 
> Dieter Klünter | Systemberatung
> http://sys4.de 
> GPG Key ID: E9ED159B
> 53°37'09,95"N
> 10°08'02,42"E




Re: groupOfNames vs. groupOfUniqueNames

2020-09-02 Thread Michael Ströder
On 9/2/20 6:57 PM, Quanah Gibson-Mount wrote:
> --On Wednesday, September 2, 2020 12:11 PM +0200 Olaf Hopp
>  wrote:
>> we are at the point of reorganising our LDAP.
>> Currently we only have posixGroups, but in future we also want to support
>> groupOfNames or groupOfUniqueNames
>> My question what is the common sense of usage ?
>> groupOfNames or groupOfUniqueNames ?
>>
>> I know your answers, you will say "it depends on your applications"
>> but currently I have no application using it. All my current applications
>> use my posixGroups. I just want to extend my LDAP for future use cases.
> 
> I generally recommend groupOfNames for LDAP groups, which is a
> different concept than *NIX posix groups.

In contrast to some other LDAP servers, OpenLDAP's slapd supports
inheriting an object class from multiple parent classes.

This can be used to solve this problem with a hybrid group schema:

https://gitlab.com/ae-dir/ansible-ae-dir-server/-/blob/master/files/schema/ae-dir.schema#L317

groupOfEntries is used to allow empty groups without members.

And of course you have to ensure that attributes 'member' and
'memberUid' are in sync.

Ciao, Michael.
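
The consistency requirement mentioned in the message above, as an added example that is not part of the thread or of the AE-DIR schema: a Python check that reports hybrid group entries whose 'member' DNs and 'memberUid' values disagree. It assumes each member DN's first RDN is uid=<login>; the LDIF sample and the example.org names are constructed.

```python
# Added example: detect drift between 'member' (DNs) and 'memberUid' (login names)
# in hybrid group entries. The LDIF below is constructed sample data.
SAMPLE_LDIF = """\
dn: cn=admins,ou=groups,dc=example,dc=org
objectClass: groupOfNames
objectClass: posixGroup
cn: admins
member: uid=alice,ou=people,dc=example,dc=org
member: uid=bob,ou=people,dc=example,dc=org
memberUid: alice

dn: cn=staff,ou=groups,dc=example,dc=org
objectClass: groupOfNames
objectClass: posixGroup
cn: staff
member: UID=carol,ou=people,dc=example,dc=org
memberUid: carol
"""

def parse_entries(ldif):
    """Parse simple LDIF (no base64 values, no folded lines) into dicts of lists."""
    entries = []
    for block in ldif.strip().split("\n\n"):
        entry = {}
        for line in block.splitlines():
            attr, _, value = line.partition(": ")
            entry.setdefault(attr.lower(), []).append(value)
        entries.append(entry)
    return entries

def uid_from_dn(dn):
    """Assumption: first RDN is uid=<login> and contains no escaped comma."""
    attr, _, value = dn.split(",", 1)[0].partition("=")
    return value if attr.strip().lower() == "uid" else None

def find_drift(ldif):
    """Map group DN -> (uids only in member, uids only in memberUid) on mismatch."""
    drift = {}
    for e in parse_entries(ldif):
        # Member DNs whose first RDN is not uid= are skipped, not reported.
        from_member = {uid_from_dn(d) for d in e.get("member", [])} - {None}
        from_uid = set(e.get("memberuid", []))
        if from_member != from_uid:
            drift[e["dn"][0]] = (sorted(from_member - from_uid),
                                 sorted(from_uid - from_member))
    return drift

if __name__ == "__main__":
    print(find_drift(SAMPLE_LDIF))
```

A non-empty result means an application reading 'member' and one reading 'memberUid' would see different group memberships for the same group.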


Re: groupOfNames vs. groupOfUniqueNames

2020-09-02 Thread Dieter Klünter
On Wed, 2 Sep 2020 11:11:56 +0200
Olaf Hopp wrote:

> Hi everybody,
> 
> we are at the point of reorganising our LDAP.
> Currently we only have posixGroups, but in future we also want to
> support groupOfNames or groupOfUniqueNames
> My question what is the common sense of usage ?
> groupOfNames or groupOfUniqueNames ?
> 
> I know your answers, you will say "it depends on your applications"
> but currently I have no application using it. All my current
> applications use my posixGroups. I just want to extend my LDAP for
> future use cases.
> 
> So what to take : groupOfNames or groupOfUniqueNames besides
> posixGroup ?

I would vote for groupOfnames. If you prefer groupOfUniqueNames you
should provide uniqueness.

https://ldapwiki.com/wiki/GroupOfUniqueNames%20vs%20groupOfNames
https://ldapwiki.com/wiki/UniqueMember

The use of posixgroup depends on your requirements.

-Dieter

-- 
Dieter Klünter | Systemberatung
http://sys4.de
GPG Key ID: E9ED159B
53°37'09,95"N
10°08'02,42"E


Re: groupOfNames vs. groupOfUniqueNames

2020-09-02 Thread Quanah Gibson-Mount




--On Wednesday, September 2, 2020 12:11 PM +0200 Olaf Hopp wrote:

> Hi everybody,
>
> we are at the point of reorganising our LDAP.
> Currently we only have posixGroups, but in future we also want to support
> groupOfNames or groupOfUniqueNames
> My question what is the common sense of usage ?
> groupOfNames or groupOfUniqueNames ?
>
> I know your answers, you will say "it depends on your applications"
> but currently I have no application using it. All my current applications
> use my posixGroups. I just want to extend my LDAP for future use cases.


I generally recommend groupOfNames for LDAP groups, which is a different 
concept than *NIX posix groups.


Regards,
Quanah

--

Quanah Gibson-Mount
Product Architect
Symas Corporation
Packaged, certified, and supported LDAP solutions powered by OpenLDAP:



groupOfNames vs. groupOfUniqueNames

2020-09-02 Thread Olaf Hopp

Hi everybody,

we are at the point of reorganising our LDAP.
Currently we only have posixGroups, but in future we also want to support
groupOfNames or groupOfUniqueNames
My question what is the common sense of usage ?
groupOfNames or groupOfUniqueNames ?

I know your answers, you will say "it depends on your applications"
but currently I have no application using it. All my current applications
use my posixGroups. I just want to extend my LDAP for future use cases.

So what to take : groupOfNames or groupOfUniqueNames besides posixGroup ?

Regards,
Olaf


--
Karlsruher Institut für Technologie (KIT)
ATIS - Abt. Technische Infrastruktur, Fakultät für Informatik

Dipl.-Geophys. Olaf Hopp
- Head of IT Services -

Am Fasanengarten 5, Building 50.34, Room 009
76131 Karlsruhe
Phone: +49 721 608-43973
Fax: +49 721 608-46699
E-Mail: olaf.h...@kit.edu
atis.informatik.kit.edu

www.kit.edu

KIT – The Research University in the Helmholtz Association

KIT has been certified as a family-friendly university since 2010.



