@dhoffend
Contributor

On some OpenLDAP systems group memberships are based on posixGroups. Sure, a migration to groupOfNames can be done or planned, but it's easier to support posixGroups until every LDAP directory and structure has been updated (which often takes time and coordination with other parties using the directory).

I've added the group membership lookup to the Perl script first; the mt version should be added as well, but I wanted to hear your point first. Since posixGroups in the old RFC2307 (not RFC2307bis) don't support nested groups, we can skip this step for the moment.

@MarcJHuber
Owner

Hi Daniel,

thanks, adding posixGroup support looks useful, after all other POSIX attributes are already mapped to MAVIS.

I'd probably just put posixGroup evaluation inside the main loop (the expand_* routines are for recursion mainly), and I think the gidNumber from posixAccount should also be resolved and included. Plus, adding all gidNumbers to the MAVIS GIDS attribute could be a good idea, at least for future use.

I'm a bit reluctant to add these changes right now as perl/mavis_tacplus-ng_ldap.pl, python/mavis_tacplus_ldap.py and ldapmavis-mt.c (you've already mentioned that one) should have feature parity.

Also, using the OpenLDAP dynlist overlay might possibly be an option to map posixGroup attributes to memberOf, allowing for simplified group handling.

I think I can have another look at posixGroup support options either next weekend or later next week.

Cheers,

Marc

@dhoffend
Contributor Author

Sure. This was basically just an idea and some thoughts to get the posixGroup support completed.

I would also keep the perl implementation in sync with the py/c versions, no need to rush.

Regarding dynlist: I haven't used the overlay yet, but I know it exists. But dynlist isn't the easiest way to handle reverse group membership resolution, nor is there an easy guide to it, as dynlist has many usage lists.
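
The lookup discussed in this thread, as an added example that is not part of the conversation or the project's code: it resolves RFC 2307 posixGroup membership through `memberUid` plus the account's primary `gidNumber`, and collects all gidNumbers as suggested for the GIDS attribute. The directory entries, function names and filter helper are assumptions made for illustration.

```python
# Added illustration: RFC 2307 posixGroup resolution over constructed entries.
DIRECTORY = [  # constructed sample data, not taken from the pull request
    {"objectClass": ["posixAccount"], "uid": ["alice"], "gidNumber": ["1000"]},
    {"objectClass": ["posixGroup"], "cn": ["staff"], "gidNumber": ["1000"]},
    {"objectClass": ["posixGroup"], "cn": ["netadmin"], "gidNumber": ["2001"],
     "memberUid": ["alice", "bob"]},
    {"objectClass": ["posixGroup"], "cn": ["readonly"], "gidNumber": ["2002"],
     "memberUid": ["bob"]},
]


def escape_filter_value(value):
    """Escape RFC 4515 special characters so a login name stays a literal."""
    return "".join("\\%02x" % ord(c) if c in "\\*()\0" else c for c in value)


def posix_group_filter(uid, primary_gid):
    """Search filter an LDAP backend could send for one account's groups."""
    return "(&(objectClass=posixGroup)(|(memberUid=%s)(gidNumber=%s)))" % (
        escape_filter_value(uid), escape_filter_value(primary_gid))


def resolve_posix_groups(directory, uid):
    """Return (group names, gidNumbers) for uid; flat lookup, no nesting."""
    account = next((e for e in directory
                    if "posixAccount" in e["objectClass"]
                    and uid in e.get("uid", [])), None)
    if account is None:
        return [], []
    primary = account["gidNumber"][0]
    names, gids = [], [primary]  # primary gid counts even without a group entry
    for entry in directory:
        if "posixGroup" not in entry["objectClass"]:
            continue
        gid = entry["gidNumber"][0]
        # memberUid holds plain login names, not DNs; compare exactly.
        if gid == primary or uid in entry.get("memberUid", []):
            names.append(entry["cn"][0])
            if gid not in gids:
                gids.append(gid)
    return names, gids


if __name__ == "__main__":
    print(posix_group_filter("alice", "1000"))
    print(resolve_posix_groups(DIRECTORY, "alice"))
```

Because `memberUid` stores login names rather than DNs, the user-supplied name goes straight into the filter, which is why the value is escaped before the filter is built.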
