Today I'm going to be somewhat lazy and just reboil an issue that was addressed here about two years ago, but which is still an issue for those using (Open)LDAP as a directory server with beehive.
With an OpenLDAP directory installed on SuSE enterprise Linux, LDAP-based administration of groups appears to be based on the structural object class posixGroup, which carries plain usernames in the attribute memberUid, e.g.
At our site, several applications make use of this structure.
Now we know that Beehive requires the syntax of the object class groupOfNames, with DNs in the attribute member, e.g.:
This is quite a tricky issue, as
-groupOfNames is insufficient for managing Unix groups, as it does not provide a gidNumber
-posixGroup and groupOfNames are both structural object classes and therefore mutually exclusive, so we cannot store the gidNumber in the entry where the groupOfNames info lives
-SuSE Linux (and probably other Linuxes likewise) appears to have no mechanism to automatically sync two such separate group entries (one carrying the posixGroup info, the other the groupOfNames info)
-implementing the rfc2307bis schema could bring posixGroup and groupOfNames info together in one entry, but memberUid and member would still need to be kept in sync
-implementing nss_map_attribute in /etc/libnss-ldap.conf could make SuSE use groupOfNames, but we saw that the other applications using the directory are all tuned to read the posixGroup format
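To make the gap between the two group formats concrete, here is an added illustration (not the workaround from this post, and not Beehive's or SuSE's code) of what a one-way sync from posixGroup to groupOfNames has to do: resolve each memberUid to the DN of the matching posixAccount, write the result as a separate groupOfNames entry under its own base (because the two structural classes cannot share an entry), and deal with the two things that go wrong in practice: a memberUid with no account entry, and a group that ends up with no members at all, which groupOfNames rejects because member is a mandatory attribute. The LDIF input, the base DNs and the target subtree ou=beehivegroups are constructed for the example.

```python
"""Derive groupOfNames entries from posixGroup entries (added illustration).

posixGroup lists members by username in memberUid; groupOfNames lists them
by DN in member. Both are structural, so the groupOfNames copy has to live
under a separate base (assumed: ou=beehivegroups,dc=example,dc=com) and be
regenerated whenever the posixGroup changes. Every DN and entry below is
constructed for the example.
"""
from __future__ import annotations

import re

# Constructed sample of a minimal LDIF export of the user and group subtrees.
# 'carol' has no posixAccount entry; 'empty' has no memberUid at all.
SAMPLE_LDIF = """\
dn: uid=alice,ou=people,dc=example,dc=com
objectClass: posixAccount
uid: alice
uidNumber: 1001
gidNumber: 5000

dn: uid=bob,ou=people,dc=example,dc=com
objectClass: posixAccount
uid: bob
uidNumber: 1002
gidNumber: 5000

dn: cn=developers,ou=groups,dc=example,dc=com
objectClass: posixGroup
cn: developers
gidNumber: 5000
memberUid: alice
memberUid: bob
memberUid: carol

dn: cn=empty,ou=groups,dc=example,dc=com
objectClass: posixGroup
cn: empty
gidNumber: 5001
"""

_RDN_SPECIAL = re.compile(r'([,+"\\<>;=])')


def escape_rdn_value(value: str) -> str:
    """Escape the characters RFC 4514 requires escaping in an RDN value."""
    escaped = _RDN_SPECIAL.sub(r"\\\1", value)
    if escaped.startswith(("#", " ")):
        escaped = "\\" + escaped
    if escaped.endswith(" "):
        escaped = escaped[:-1] + "\\ "
    return escaped


def parse_ldif(text: str) -> list[dict[str, list[str]]]:
    """Parse simple LDIF ('attr: value' lines, blank-line separators, '#'
    comments) into a list of {attr: [values]} dicts; attribute names are
    lower-cased because LDAP treats them case-insensitively. Folded lines
    and '::' base64 values are not handled (not needed for the sample)."""
    entries: list[dict[str, list[str]]] = []
    current: dict[str, list[str]] = {}
    for line in text.splitlines():
        if not line.strip():
            if current:
                entries.append(current)
                current = {}
            continue
        if line.startswith("#"):
            continue
        attr, _, value = line.partition(":")
        current.setdefault(attr.strip().lower(), []).append(value.strip())
    if current:
        entries.append(current)
    return entries


def _classes(entry: dict[str, list[str]]) -> set[str]:
    return {c.lower() for c in entry.get("objectclass", [])}


def uid_to_dn_map(entries: list[dict[str, list[str]]]) -> dict[str, str]:
    """Map each posixAccount uid (case-insensitive) to the account's DN."""
    mapping: dict[str, str] = {}
    for e in entries:
        if "posixaccount" in _classes(e):
            for uid in e.get("uid", []):
                mapping[uid.lower()] = e["dn"][0]
    return mapping


def derive_group_of_names(entries, target_base):
    """Build one groupOfNames entry per posixGroup under target_base.

    Returns (groups, unresolved). 'unresolved' maps a group cn to the
    memberUids that matched no account. A group whose memberUids resolve to
    nothing is skipped rather than emitted, because 'member' is MUST in
    groupOfNames and the server would reject an entry without it.
    """
    uids = uid_to_dn_map(entries)
    groups, unresolved = [], {}
    for e in entries:
        if "posixgroup" not in _classes(e):
            continue
        cn = e["cn"][0]
        members, missing = [], []
        for uid in e.get("memberuid", []):
            dn = uids.get(uid.lower())
            (members if dn else missing).append(dn or uid)
        if missing:
            unresolved[cn] = missing
        if not members:
            continue
        groups.append({
            "dn": [f"cn={escape_rdn_value(cn)},{target_base}"],
            "objectClass": ["top", "groupOfNames"],
            "cn": [cn],
            "seeAlso": [e["dn"][0]],  # points back at the authoritative posixGroup
            "member": members,
        })
    return groups, unresolved


def to_ldif(entries) -> str:
    """Serialise entries back to LDIF (dn line first, then attributes)."""
    blocks = []
    for e in entries:
        lines = [f"dn: {e['dn'][0]}"]
        for attr, values in e.items():
            if attr != "dn":
                lines.extend(f"{attr}: {v}" for v in values)
        blocks.append("\n".join(lines))
    return "\n\n".join(blocks) + "\n"


if __name__ == "__main__":
    parsed = parse_ldif(SAMPLE_LDIF)
    derived, bad = derive_group_of_names(parsed, "ou=beehivegroups,dc=example,dc=com")
    print(to_ldif(derived))
    for group, names in bad.items():
        print(f"# warning: {group}: no posixAccount for memberUid {names}")
```

The seeAlso attribute (allowed by groupOfNames) records which posixGroup an entry was generated from, so a later run can find and rewrite stale copies; the gidNumber itself still cannot be carried, which is exactly why the posixGroup remains the authoritative entry and the sync is one-way.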
There were plans to implement support for posixGroup structures in Beehive, and these were even approved for a future release (a release after 2.1).
We have a quite cumbersome workaround for this (I can share it), but would be happy to see the following enhancement request implemented:
8278412 ("ALLOW GROUP MEMBERSHIP SYNC BASED ON UID")
You are invited to tune in, in case you are also facing similar problems.