Hi Andrew (and the rest of the group!)
Perhaps it might help if I explained what I was trying to accomplish; then, if I've made any mistakes in my thinking, they can be corrected :-).
What I want to do is use the LDAP store for two purposes: Linux authentication and syncing with Google Apps for profile/group information and SSO. To that end, and specifically focussing on groups, I need a group in LDAP to serve two purposes: to act as a security group (i.e. it needs a gidNumber and be a posixGroup so that Linux will use it for group membership and ACLs) and to act as an email group (at a minimum have a list of members, an owner, a description and an email address).
In my approach to the choice of classes to use here, I find myself being somewhat constrained by the tools I want to use. Atlassian Crowd is being used as the means of providing Google SSO and OpenID functionality. When it comes to groups, Crowd "prefers" groupOfNames or groupOfUniqueNames. Although I can reconfigure Crowd to "see" posixGroup entries instead of groupOfUniqueNames entries, it doesn't see the members, presumably because they are UIDs and not DNs.
I'm also using LDAP Account Manager as the primary tool to allow administrators and staff to manage information stored in LDAP. For group management, it supports both posixGroup and groupOfUniqueNames.
I can, in theory at least, add extensibleObject to the groups defined as posixGroup so that I can then add description, displayName, mail and owner. That gives me a different problem when it comes to syncing the groups up to Google, though, because it also (like Crowd) seems to be expecting attribute values for members to be DNs.
So, I'm open to suggestions here. I thought I had a fairly straightforward requirement but the LDAP world doesn't seem to have anything that meets the requirement.
Thanks for any feedback.
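An added consistency check (example code, not from the original post or from Crowd, LAM or Google): for one group entry that carries both attribute sets, it reports members the posixGroup side (memberUid, read by Linux) has but the groupOfUniqueNames side (uniqueMember DNs, read by Crowd and the Google sync) lacks, and vice versa. It assumes user entries sit directly under ou=people,dc=example,dc=com and a schema that lets both class sets coexist on one entry (e.g. an auxiliary posixGroup); the LDIF is constructed.

```python
# Added example: compare the two membership views of one LDAP group.
# Linux reads posixGroup memberUid (uids); Crowd and the Google sync read
# groupOfUniqueNames uniqueMember (DNs). Drift between them means a user
# has access in one system but not the other.
import re

# Constructed sample: one entry carrying both class sets (assumes a schema
# where they coexist, e.g. posixGroup as an auxiliary class).
SAMPLE_LDIF = """\
dn: cn=devops,ou=groups,dc=example,dc=com
objectClass: posixGroup
objectClass: groupOfUniqueNames
cn: devops
gidNumber: 10042
mail: devops@example.com
owner: uid=alice,ou=people,dc=example,dc=com
memberUid: alice
memberUid: bob
memberUid: carol
uniqueMember: uid=alice,ou=people,dc=example,dc=com
uniqueMember: uid=bob,ou=people,dc=example,dc=com
uniqueMember: uid=dave,ou=people,dc=example,dc=com
"""
PEOPLE_BASE = "ou=people,dc=example,dc=com"  # assumed subtree holding user entries

def parse_ldif_entry(text):
    """Parse one LDIF entry into {attr_lowercase: [values]} (no folding/base64 handling)."""
    entry = {}
    for line in text.splitlines():
        if line.strip() and not line.startswith("#"):
            attr, _, value = line.partition(":")
            entry.setdefault(attr.strip().lower(), []).append(value.strip())
    return entry

def uid_from_dn(dn, people_base):
    """Return the uid RDN value if dn is a direct child of people_base, else None."""
    m = re.fullmatch(r"uid=([^,]+)," + re.escape(people_base), dn.strip(), re.IGNORECASE)
    return m.group(1) if m else None

def membership_drift(entry, people_base=PEOPLE_BASE):
    """Return (posix_only, dn_only): uids only Linux sees, and members only Crowd/Google see."""
    posix = set(entry.get("memberuid", []))
    dn_side = set()
    for dn in entry.get("uniquemember", []):
        uid = uid_from_dn(dn, people_base)
        dn_side.add(uid if uid else dn)  # DNs outside the people subtree are reported verbatim
    return sorted(posix - dn_side), sorted(dn_side - posix)

if __name__ == "__main__":
    print(membership_drift(parse_ldif_entry(SAMPLE_LDIF)))  # (['carol'], ['dave'])
```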