
Re: can posixGroup be configured to contain other posixGroups?


On Sunday 03 November 2002 11:56, Oliver George wrote:
> I can see that posixGroup is intended to only contain memberuid's in the
> same way that /etc/group lists uid's.  It's logical at times for groups
> to be members of other groups, how do administrators get around this
> limitation?
posixGroup is the way to represent /etc/group in LDAP.
Its attribute memberUid may have values that are either
user account names or DNs (according to Luke Howard's 
extension to RFC2307 http://www.padl.com/~lukeh/rfc2307bis.txt
[last paragraph on page 11])

Although it is technically no problem to write DNs of groups into
the memberUid attribute I doubt if any other software than your own
can make use of it. 
Using group DNs as memberUids may even break other software
since it does not expect the nested-groups situation.
(The intention of posixGroup was to create an LDAP equivalent
for /etc/groups which does not allow nested groups)

To create recursive groups I'd suggest using other objectclasses
such as groupOfNames or groupOfUniqueNames.


Peter Marschall     |   eMail: peter.marschall@mayn.de
Scheffelstraße 15   |          peter.marschall@is-energy.de
97072 Würzburg      |   Tel:   0931/14721
PGP:  D7 FF 20 FE E6 6B 31 74  D1 10 88 E0 3C FE 28 35
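
Added example, not part of the original message: a sketch of how nested groupOfNames / groupOfUniqueNames entries can be expanded into the flat list of login names that a posixGroup's memberUid attribute would carry. The directory contents, the dc=example,dc=com suffix, and the helper names `norm` and `flatten_member_uids` are constructed for illustration; a real deployment would read the entries from the LDAP server and use proper DN matching.

```python
# Constructed sample entries (DN -> attributes); not data from the original post.
BASE = "dc=example,dc=com"
DIRECTORY = {
    f"cn=admins,ou=groups,{BASE}": {
        "objectClass": ["groupOfNames"],
        "member": [f"uid=alice,ou=people,{BASE}", f"cn=dba,ou=groups,{BASE}"],
    },
    f"cn=dba,ou=groups,{BASE}": {
        "objectClass": ["groupOfNames"],
        # Points back at admins (a cycle) and at an entry that does not exist.
        "member": [f"uid=bob,ou=people,{BASE}", f"CN=Admins, ou=groups,{BASE}",
                   f"uid=ghost,ou=people,{BASE}"],
    },
    f"uid=alice,ou=people,{BASE}": {"objectClass": ["posixAccount"], "uid": ["alice"]},
    f"uid=bob,ou=people,{BASE}": {"objectClass": ["posixAccount"], "uid": ["bob"]},
}
GROUP_CLASSES = {"groupofnames", "groupofuniquenames"}


def norm(dn):
    """Simplified DN normalisation: lower-case, no spaces around RDN separators."""
    return ",".join(part.strip() for part in dn.lower().split(","))


def flatten_member_uids(group_dn, directory, max_depth=8):
    """Expand nested groupOfNames/groupOfUniqueNames into a flat list of uids,
    i.e. the values a posixGroup's memberUid attribute would need to carry."""
    entries = {norm(dn): attrs for dn, attrs in directory.items()}
    seen, uids = set(), set()
    stack = [(norm(group_dn), 0)]
    while stack:
        dn, depth = stack.pop()
        if dn in seen:          # already expanded: breaks membership cycles
            continue
        seen.add(dn)
        entry = entries.get(dn)
        if entry is None:       # dangling member DN grants nothing
            continue
        classes = {c.lower() for c in entry.get("objectClass", [])}
        if classes & GROUP_CLASSES:
            if depth >= max_depth:
                raise ValueError(f"group nesting deeper than {max_depth} at {dn}")
            members = entry.get("member", []) + entry.get("uniqueMember", [])
            stack.extend((norm(m), depth + 1) for m in members)
        elif "posixaccount" in classes:
            uids.update(entry.get("uid", []))
    return sorted(uids)


if __name__ == "__main__":
    print(flatten_member_uids(f"cn=admins,ou=groups,{BASE}", DIRECTORY))
```

Because every account reachable through any nesting level ends up in the flat list, reviewing the expanded result is the practical way to see who actually holds the access a top-level group grants.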