
Re: can posixGroup be configured to contain other posixGroups?



> posixGroup is the way to represent /etc/group in LDAP.
> Its attribute memberUid may have values that are either
> user account names or DNs (according to Luke Howard's
> extension to RFC2307 http://www.padl.com/~lukeh/rfc2307bis.txt
> [last paragraph on page 11])

Cool, if I understand that right my posixGroup can have both
- memberUid elements (one for each user)
- DNs which act as a reference to a groupOfUniqueNames which might be a
list of every user in a logical group.

So, if I'm even close to understanding this properly, my posixGroup can be
an aggregation of a series of user lists which are stored in the LDAP
database as groupOfUniqueNames.

> Although it is technically no problem to write DNs of groups into
> the memberUid attribute I doubt if any other software than your own can
> make use of it.
>
> Using group DNs as memberUids may even break other software
> since it does not expect the nested-groups situation.
> (The intention of posixGroup was to create an LDAP equivalent
> for /etc/groups which does not allow nested groups)
>
> To create recursive groups I'd suggest using other objectclasses
> such as groupOfNames or groupOfUniqueNames.

I think I understand, I need to try it out and see.


thanks heaps, Oliver.
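
An added example, not part of the original message or of any LDAP software: one way to follow the quoted advice is to keep the nesting in groupOfUniqueNames entries and generate a flat posixGroup from them, so that clients expecting /etc/group semantics only ever see account names in memberUid. The in-memory directory, the dc=example,dc=com suffix, the uids and the function names are all constructed for illustration, and DNs are compared as exact strings.

```python
BASE = "dc=example,dc=com"  # constructed suffix, not from the thread

def person(uid):
    return f"uid={uid},ou=people,{BASE}"

def group(cn):
    return f"cn={cn},ou=groups,{BASE}"

# Constructed sample data: devs and ops include each other (a cycle),
# and ops references an account that no longer exists.
DIRECTORY = {
    person("alice"): {"objectClass": ["posixAccount"], "uid": ["alice"]},
    person("bob"): {"objectClass": ["posixAccount"], "uid": ["bob"]},
    person("carol"): {"objectClass": ["posixAccount"], "uid": ["carol"]},
    group("devs"): {"objectClass": ["groupOfUniqueNames"],
                    "uniqueMember": [person("alice"), group("ops")]},
    group("ops"): {"objectClass": ["groupOfUniqueNames"],
                   "uniqueMember": [person("bob"), group("devs"), person("ghost")]},
}

def expand(dn, directory, seen, dangling):
    """Return the uids reachable from dn, descending into nested groups."""
    if dn in seen:  # already visited: breaks membership cycles
        return set()
    seen.add(dn)
    entry = directory.get(dn)
    if entry is None:  # stale reference: report it, grant nothing
        dangling.add(dn)
        return set()
    if "groupOfUniqueNames" in entry["objectClass"]:
        uids = set()
        for member in entry.get("uniqueMember", []):
            uids |= expand(member, directory, seen, dangling)
        return uids
    return set(entry.get("uid", []))

def build_posix_group(cn, gid_number, source_groups, directory):
    """Build a flat posixGroup entry (names only in memberUid) from nested groups."""
    seen, dangling, uids = set(), set(), set()
    for dn in source_groups:
        uids |= expand(dn, directory, seen, dangling)
    entry = {"objectClass": ["posixGroup"], "cn": [cn],
             "gidNumber": [str(gid_number)], "memberUid": sorted(uids)}
    return entry, sorted(dangling)

if __name__ == "__main__":
    print(build_posix_group("staff", 5000, [group("devs")], DIRECTORY))
```

The list of dangling DNs returned alongside the entry is worth reviewing, since a stale member reference usually means a deleted account is still listed in some group.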