Question

We are currently designing a new member administration for our study association in LDAP, using OpenLDAP 2.3.31 distributed with Debian. One of the requirements is that we need to record which members are in committees. To this end, we have created a subclass of organizationalUnit, called x-FMFCommittee and a subclass of organizationalRole called x-FMFCommitteeRole. Now, all roles (such as president, treasurer, etc.) that are associated with a committee are located in the subtree of the committee entry. The DNs of the members that take on this role are then set as a roleOccupant attribute on the x-FMFCommitteeRole. This works perfectly fine.

However, we also give our users access to a Linux shell and Windows desktops (using Samba) and for this we would also like to administer POSIX group membership. To this end, every committee we want to do this for, also has the objectclass posixGroup (as per RFC2307). In order to get the group members and the groups associated to a user, we need to set the memberUid attribute on the committee entry whenever a member occupies a role in the committee.

We have tried doing this using the dynlist overlay, but this fails when doing reverse group lookups. The only option we see now is to do this all manually, but we really would like to automate this, to provide easier maintenance in the future as administrators tend to change often at our association.

Has anybody come across a similar scenario before, or does anyone know a solution to this problem?
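The synchronisation the question describes, as an added example that is not part of the original post: it derives each committee's memberUid set from the roleOccupant DNs in its subtree and emits LDIF modify records, including deletes for memberships no longer backed by a role. It assumes member entries are named `uid=<login>,...`; the sample DNs and logins are constructed.

```python
import re

def rdns(dn):  # split on unescaped commas, lower-cased for comparison
    return tuple(p.strip().lower() for p in re.split(r"(?<!\\),", dn))

def has_oc(entry, name):
    return name.lower() in (v.lower() for v in entry.get("objectClass", []))

def uid_of(dn):
    # Assumption: member entries are named uid=<login>,... (login = first RDN).
    attr, _, value = re.split(r"(?<!\\),", dn)[0].partition("=")
    return value.strip() if attr.strip().lower() == "uid" and value.strip() else None

def plan(entries):
    """entries maps DN -> {attribute: [values]}; returns (changes, skipped)."""
    groups = {rdns(dn): dn for dn, e in entries.items() if has_oc(e, "posixGroup")}
    wanted, skipped = {dn: set() for dn in groups.values()}, []
    for dn, e in entries.items():
        occupants = e.get("roleOccupant", []) if has_oc(e, "x-FMFCommitteeRole") else []
        path = rdns(dn)
        # The owning committee is the nearest ancestor that is a posixGroup.
        owner = next((groups[path[i:]] for i in range(1, len(path)) if path[i:] in groups), None)
        for occupant in occupants:
            uid = uid_of(occupant)
            if owner is None or uid is None:
                skipped.append((dn, occupant))  # report instead of guessing
            else:
                wanted[owner].add(uid)
    changes = {}
    for dn, target in wanted.items():
        current = set(entries[dn].get("memberUid", []))
        if target != current:
            changes[dn] = (sorted(target - current), sorted(current - target))
    return changes, skipped

def to_ldif(changes):  # LDIF modify records; values assumed plain ASCII
    out = []
    for dn, (add, delete) in sorted(changes.items()):
        out.append(f"dn: {dn}\nchangetype: modify")
        for op, vals in (("add", add), ("delete", delete)):
            if vals:
                out += [f"{op}: memberUid"] + [f"memberUid: {v}" for v in vals] + ["-"]
        out.append("")
    return "\n".join(out)

# Constructed sample data (DNs and logins are made up for illustration).
SAMPLE = {
    "ou=board,dc=example,dc=org": {"objectClass": ["x-FMFCommittee", "posixGroup"], "memberUid": ["bob"]},
    "cn=president,ou=board,dc=example,dc=org": {"objectClass": ["x-FMFCommitteeRole"],
        "roleOccupant": ["uid=alice,ou=people,dc=example,dc=org", "cn=Carol,ou=people,dc=example,dc=org"]},
}
```

Occupants that cannot be mapped to a login or to a committee are returned in `skipped` rather than silently dropped, so an administrator can review them before the LDIF is applied.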


Solution

I would suggest that you simply get rid of the first implementation and just use posixGroup. Database denormalization is always a bad idea, whatever form it takes.

And you don't need to extend schemas for this problem. If you want to distinguish these committees just put them in their own subtree.

But I'd like more detail on why using a dynamic list doesn't work. You could use the memberOf overlay instead of having to do reverse lookups.

Licensed under: CC-BY-SA with attribution
Not affiliated with StackOverflow