Re: Adding Members to Groups

[Howard Chu <hyc@symas.com>]

Michael Ströder wrote:
> Aneela Saleem wrote:
> > I have used 'posixGroup' objectClass for creating groups, and
> > 'posixAccount' object class for creating users, which uses 'gidNumber'
> > property to associate to a specific group (created by posixGroup).
>
> No! This is likeky a big misunderstanding.
>
> The attribute 'gidNumber' in 'posixAccount' entry solely specifies the
> *primary* group of a POSIX user account (like in /etc/passwd).
>
> When using traditional 'posixGroup' entries the multi-valued attribute
> contains 'memberUID' the usernames of the group members.
>
> > I have to sync LDAP users/groups in Apache Ranger, that uses 'groupOfNames'
> > object class and 'member/memberof' property in user object. But in
> > 'groupOfNames' objectClass we have to add members at the time of creation
> > of group.
> >
> > Is there any way that we can add members to already created groups later on?
>
> Yes. With a LDAP modify operation.

You missed the actual question.

groupOfNames REQUIRES the member attribute, therefore it's not possible to 
create an empty group and add members to it later.

There ought to be an FAQ article for this.

--
  -- Howard Chu
  CTO, Symas Corp.           http://www.symas.com
  Director, Highland Sun     http://highlandsun.com/hyc/
  Chief Architect, OpenLDAP  http://www.openldap.org/project/