
Re: strategy for getting groupOfNames (AD) and posixAccount (Unix) to coexist?
On Feb 21, 2014, at 14.14, Jefferson Davis <jdavis@standard.k12.ca.us> wrote:

> This has been beating me like a red-headed stepchild...
> 
> In the AD world, groupOfNames is expected (which, in combination with the member attribute, provides for reverse group resolution, i.e. users by group membership AND groups by member inclusion).
> 
> On the unix side of the fence, groups REQUIRE a gidNumber in order to resolve group membership, using posixGroup structural OC in conjunction with memberUID.
> 
> In attempting to future-proof our LDAP services, and to accommodate the AD-focused nature of commercial products, I'm attempting to get this all to work automatically, i.e. use the same group setup for both (probably naive and ill-advised?). But you CANNOT have multiple structural objectClasses in a single entry. So these requirements put group structures in direct opposition to one another.
> 
> Has anyone resolved this successfully, and if so, how?  Overlays (which ones, examples)?  Schema mods (examples?)

Refer to draft-howard-rfc2307bis-02 [doc/drafts/draft-howard-rfc2307bis-xx.txt], which defines posixGroup as auxiliary. Use the schema defined in this document instead of nis.

-ben
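As an added illustration of the reply above (not from the thread or from OpenLDAP itself): with the rfc2307bis schema loaded in place of nis.schema, posixGroup is AUXILIARY, so one entry can be a structural groupOfNames carrying DN-based member values for AD-style clients and memberUid/gidNumber for Unix NSS at the same time. The suffix, gidNumber and uids are constructed placeholders.

```ldif
# Added example entry; assumes slapd loads rfc2307bis (posixGroup AUXILIARY)
# rather than nis.schema (posixGroup STRUCTURAL). Under nis.schema this same
# entry is rejected with an "invalid structural object class chain" error,
# because groupOfNames and posixGroup would both be structural.
dn: cn=developers,ou=Groups,dc=example,dc=com
objectClass: groupOfNames
objectClass: posixGroup
cn: developers
# posixGroup: the gidNumber Unix clients need to resolve the group
gidNumber: 10001
# groupOfNames: DN-valued membership used by AD-oriented applications; the
# memberof overlay can derive the reverse (user -> groups) view from these
member: uid=alice,ou=People,dc=example,dc=com
member: uid=bob,ou=People,dc=example,dc=com
# posixGroup: login-name membership read by nss_ldap/sssd for the Unix group
memberUid: alice
memberUid: bob
```

The entry carries membership twice (member and memberUid); nothing in the schema keeps the two lists consistent, so provisioning tooling or an access-control check should update both together.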