On 9/2/20 6:57 PM, Quanah Gibson-Mount wrote:
> --On Wednesday, September 2, 2020 12:11 PM +0200 Olaf Hopp
> <[email protected]> wrote:
>> we are at the point of reorganising our LDAP.
>> Currently we only have posixGroups, but in future we also want to support
>> groupOfNames or groupOfUniqueNames
>> My question is: what is the common usage?
>> groupOfNames or groupOfUniqueNames?
>>
>> I know your answers, you will say "it depends on your applications"
>> but currently I have no application using it. All my current applications
>> use my posixGroups. I just want to extend my LDAP for future use cases.
>
> I generally recommend groupOfNames for LDAP groups, which is a
> different concept than *NIX posix groups.
In contrast to some other LDAP servers, OpenLDAP's slapd supports inheriting an object class from multiple parent classes. This can be used to solve this problem with a hybrid group schema:

https://gitlab.com/ae-dir/ansible-ae-dir-server/-/blob/master/files/schema/ae-dir.schema#L317

groupOfEntries is used to allow empty groups without members. And of course you have to ensure that the attributes 'member' and 'memberUid' are in sync.

Ciao, Michael.
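The "keep 'member' and 'memberUid' in sync" requirement from the message above is the part that bites in practice, because nothing in slapd enforces it for a hybrid group. The following is an added example, not code from the ae-dir project or from the thread: a consistency check for a hybrid group entry exported as LDIF, plus a generator for the LDIF modify record that would bring memberUid back in line with member. It assumes that members are user entries whose RDN is uid=<login> (so the memberUid value belonging to a member DN is that uid), and it uses a hypothetical object class name `hybridGroup` in the constructed sample entry to stand for a class that inherits from both groupOfEntries and posixGroup. Comparison is case-exact, because memberUid in nis.schema uses caseExactIA5Match.

```python
"""Check that `member` (DNs) and `memberUid` (logins) of a hybrid LDAP group
agree, and build the LDIF modify that fixes memberUid from member.

Added example; not code from the ae-dir schema or the mailing-list post.
Assumption: each member DN has the RDN uid=<login>, so the expected memberUid
value for a member is exactly that uid.  `hybridGroup` below is a hypothetical
object class name.
"""
import base64
import re
from typing import Dict, List, Optional, Tuple

# Constructed sample LDIF (not a real export): one hybrid group entry that is
# deliberately out of sync: carol is a member but has no memberUid, dave has a
# memberUid but is not a member.
SAMPLE_LDIF = """\
dn: cn=admins,ou=groups,dc=example,dc=org
objectClass: hybridGroup
objectClass: groupOfEntries
objectClass: posixGroup
cn: admins
gidNumber: 10001
member: uid=alice,ou=people,dc=example,dc=org
member: uid=bob,ou=people,dc=example,dc=org
member: uid=carol,ou=people,dc=example,dc=org
memberUid: alice
memberUid: bob
memberUid: dave
"""

# Leading RDN of the form uid=<value>; stops at ',' (next RDN) or '+' (multi-valued RDN).
UID_RDN = re.compile(r"^uid=([^,+]+)", re.IGNORECASE)


def parse_ldif(text: str) -> Dict[str, List[str]]:
    """Minimal LDIF parser for a single entry: lowercased attribute -> values.

    Handles folded lines (leading space) and base64 values ('::'); it does not
    handle change records or multiple entries, which is all this check needs.
    """
    lines: List[str] = []
    for raw in text.splitlines():
        if raw.startswith(" ") and lines:      # continuation of previous line
            lines[-1] += raw[1:]
        elif raw.strip():
            lines.append(raw)
    entry: Dict[str, List[str]] = {}
    for line in lines:
        attr, _, value = line.partition(":")
        if value.startswith(":"):              # 'attr:: <base64>'
            value = base64.b64decode(value[1:].strip()).decode("utf-8")
        else:
            value = value.strip()
        entry.setdefault(attr.strip().lower(), []).append(value)
    return entry


def uid_from_dn(dn: str) -> Optional[str]:
    """Return the uid in the leading RDN of a DN, or None if the RDN is not uid=."""
    m = UID_RDN.match(dn.strip())
    return m.group(1) if m else None


def check_group_sync(entry: Dict[str, List[str]]) -> Tuple[List[str], List[str], List[str]]:
    """Compare member-derived uids with memberUid values.

    Returns (missing_from_memberUid, extra_in_memberUid, unmappable_member_dns).
    Comparison is case-exact: memberUid uses caseExactIA5Match, so 'Alice'
    and 'alice' are different values to NSS/slapd.
    """
    expected = set()
    unmappable: List[str] = []
    for dn in entry.get("member", []):
        uid = uid_from_dn(dn)
        if uid is None:
            unmappable.append(dn)   # e.g. a nested group or a cn= service account
        else:
            expected.add(uid)
    actual = set(entry.get("memberuid", []))
    return sorted(expected - actual), sorted(actual - expected), unmappable


def build_sync_modify(dn: str, missing: List[str], extra: List[str]) -> str:
    """Build an LDIF change record (for ldapmodify) that makes memberUid match
    member, treating member as the source of truth."""
    out = [f"dn: {dn}", "changetype: modify"]
    if missing:
        out += ["add: memberUid"] + [f"memberUid: {u}" for u in missing] + ["-"]
    if extra:
        out += ["delete: memberUid"] + [f"memberUid: {u}" for u in extra] + ["-"]
    return "\n".join(out) + "\n"


if __name__ == "__main__":
    group = parse_ldif(SAMPLE_LDIF)
    missing, extra, unmappable = check_group_sync(group)
    print("missing from memberUid:", missing)
    print("extra in memberUid:    ", extra)
    print("unmappable member DNs: ", unmappable)
    if missing or extra:
        print(build_sync_modify(group["dn"][0], missing, extra))
```

Run it against a real export (`ldapsearch -LLL -b ou=groups,... '(objectClass=posixGroup)' member memberUid`, one entry at a time) and feed the printed change record to `ldapmodify` only after reviewing it; any DN reported as unmappable (nested group, service account without a uid RDN) needs a decision rather than an automatic fix.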
