
Re: question: dynamic groups / reverse group membership



Andreas Schoe wrote:

I think the configuration of dynamic groups is more flexible than the static method (memberof). I can create any ldapsearch to get a list depending on all kinds of attributes or objectclasses. If I configure the reverse group membership overlay I have to use the dn of the group and the dn of the entry. To change the objectclasses on which the memberof attribute depends or change the attribute name on which the dn depends is possible, but that's it.

Example (static):
dn: cn=testgroup,ou=Groups,dc=example
uniqueMember: uid=testuser,ou=People,dc=example
...

dn: uid=testuser,ou=People,dc=example
memberOf: cn=testgroup,ou=Groups,dc=example
...

In that example the configuration is for both sides. If I add a member to cn=testgroup the memberOf is added to uid=testuser, and if I add a group to uid=testuser the uniqueMember is added to cn=testgroup.

Example (dynamic):
dn: cn=testgroup,ou=Groups,dc=example
labeledURI: ldap:///ou=people,dc=example??one?(&(objectclass=person)(departmentNumber=test))
uniqueMember: uid=testuser,ou=People,dc=example
...

dn: uid=testuser,ou=People,dc=example
departmentNumber: test
...

In that example the group attribute (departmentNumber) is mapped to a specific groupname (cn).

With static groups I can do a search like that:
ldapsearch -h ldap -b dc=example '(uniquemember=uid=testuser,ou=People,dc=example)' dn

With dynamic groups the search result is empty because the entry (uniquemember) doesn't exist in the underlying DB.

Question:

Is it possible to copy/configure the behavior from dynamic groups to reverse group membership? I have some applications that use searches with '(uniquemember=uid={uid},dc=example)'. These applications need the static entries.

I don't really understand what reverse membership and dynamic groups have to do with each other. It sounds like you're mixing up apples and oranges.

In any case, if you need to check whether a specific user is member of a dynamic group, you can use compare instead of search. That triggers dynamic group expansion.

If you need to find out what groups a specific user is member of, that's a different business, and dynamic groups really do not help.

Please search the archives for endless discussions about why dynamic group expansion during search is not a good idea. As a wild guess, dynamic reverse group membership (if I understood your final question) could be even worse.

p.
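The labeledURI expansion from the quoted example, together with the compare-versus-reverse-lookup distinction in the reply, as an added example that is neither OpenLDAP code nor either poster's: a small Python model of how a dynlist-style group is expanded from its RFC 4516 URL. The directory entries, the second group, and the supported filter subset are constructed assumptions; is_member expands one group (what a compare does), while groups_of has to expand every group.

```python
from urllib.parse import unquote
# Constructed directory data (not real entries): DN -> attributes, attribute names lowercased.
DIRECTORY = {
    "uid=testuser,ou=people,dc=example": {"objectclass": ["person"], "departmentnumber": ["test"]},
    "uid=alice,ou=people,dc=example": {"objectclass": ["person"], "departmentnumber": ["sales"]},
    "uid=svc,ou=people,dc=example": {"objectclass": ["account"], "departmentnumber": ["test"]},
}
GROUPS = {  # group DN -> labeledURI, as the dynlist overlay reads it from each group entry
    "cn=testgroup,ou=groups,dc=example": "ldap:///ou=people,dc=example??one?(&(objectclass=person)(departmentNumber=test))",
    "cn=sales,ou=groups,dc=example": "ldap:///ou=people,dc=example??one?(departmentNumber=sales)",
}

def parse_filter(s, i=0):
    """Parse an RFC 4515 filter subset (&, |, !, equality, presence); returns (tree, next_index)."""
    op, i, kids = s[i + 1], i + 2, []
    if op not in "&|!":  # simple item: attr=value, or attr=* for presence
        end = s.index(")", i)
        attr, _, val = s[i - 1:end].partition("=")
        return ("=", attr.lower(), val), end + 1
    while s[i] == "(":
        node, i = parse_filter(s, i)
        kids.append(node)
    return (op, kids), i + 1  # skip the closing ')'

def matches(node, entry):
    """Evaluate a parsed filter against one entry; values compare case-insensitively."""
    if node[0] in "&|!":
        combine = {"&": all, "|": any, "!": lambda r: not next(r)}[node[0]]
        return combine(matches(k, entry) for k in node[1])
    return any(node[2] == "*" or node[2].lower() == v.lower() for v in entry.get(node[1], []))

def in_scope(dn, base, scope):
    """Scope test on lowercased DNs; assumes no escaped commas inside RDNs."""
    dn, base = dn.lower(), base.lower()
    depth = dn[: -len(base) - 1].count(",") + 1 if dn.endswith("," + base) else 0  # RDNs below base
    return dn == base if scope == "base" else depth == 1 if scope == "one" else dn == base or depth > 0

def expand_group(url):
    """Dynamic expansion: the members the overlay would present for one group's RFC 4516 URL."""
    parts = url.split("/", 3)[3].split("?", 4) + [""] * 4  # base ? attrs ? scope ? filter ? exts
    base, scope = unquote(parts[0]), parts[2].lower() or "base"
    tree, _ = parse_filter(unquote(parts[3]) or "(objectClass=*)")
    return {dn for dn, e in DIRECTORY.items() if in_scope(dn, base, scope) and matches(tree, e)}

def is_member(group_dn, user_dn):
    """Compare-style check from the reply: expand a single group and test one DN."""
    return user_dn.lower() in expand_group(GROUPS[group_dn])

def groups_of(user_dn):
    """Reverse lookup: every group's URL must be expanded, which is why it scales badly."""
    return sorted(g for g in GROUPS if is_member(g, user_dn))
```

The svc entry shares departmentNumber=test but fails the objectclass term, so it never appears in cn=testgroup; a search for '(uniquemember=...)' against the stored entries would find none of these memberships, since they exist only at expansion time.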