With an OpenLDAP directory install on SuSE Enterprise Linux,
LDAP-based administration of groups appears to be based on the
structural objectclass posixGroup, which has plain usernames in the
attribute memberUid, e.g.
Through Oracle Support we found out that currently nothing can be said
about if and when Beehive 1.x might support posixGroup entries, too (there
is an enhancement request 8278412 "ALLOW GROUP MEMBERSHIP
SYNC BASED ON UID").
Our workaround will probably be writing a filtering procedure
transforming the posixGroup structure in
to an equivalent groupOfNames structure within
Are there other current or potential Beehive customers with
OpenLDAP that are facing the same problem?
Did perhaps even some of you also implement a workaround? Would be
interested to know or discuss this, as this is quite an
issue for us.
- groupOfNames is insufficient for managing Unix groups as it does not
  provide a gidNumber
- posixGroup and groupOfNames are mutually exclusive, so we cannot
  store the gidNumber where the groupOfNames info lives
- SuSE Linux appears to have no mechanisms to automatically sync such
  two separate group entries (one carrying posixGroup, the other
  carrying groupOfNames info)
- implementing the rfc2307bis schema could bring posixGroup and
  groupOfNames info together, but they would still need to get synched.
- implementing nss_map_attribute in /etc/libnss-ldap.conf could make
  SuSE use groupOfNames, but we saw that the other applications using
  the directory are all tuned to read posixGroup format
I second that request. We're running Apple's OpenDirectory, which is basically OpenLDAP accompanied by some Apple-bred software. We, too, would need Beehive to be able to manage posixGroups, since this is the way that OpenDirectory manages its groups.
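
The workaround sketched in the first post (deriving groupOfNames entries from posixGroup entries), shown as an added example that is not part of the original thread or of any Oracle or SuSE tooling. The sample LDIF, all DNs and the target base are constructed, and the parser assumes plain LDIF without folded or base64-encoded values. A memberUid that does not resolve to a user entry is reported instead of guessed, and a group left without members is skipped because groupOfNames requires at least one member value.

```python
from collections import defaultdict

# Constructed sample data: one user, one populated group, one empty group.
SAMPLE_LDIF = """\
dn: uid=alice,ou=people,dc=example,dc=org
objectClass: posixAccount
uid: alice

dn: cn=staff,ou=group,dc=example,dc=org
objectClass: posixGroup
cn: staff
memberUid: alice
memberUid: ghost

dn: cn=empty,ou=group,dc=example,dc=org
objectClass: posixGroup
cn: empty
"""

def parse_ldif(text):
    """Parse simple LDIF (no line folding, no base64 values) into dicts."""
    entries = []
    for block in text.strip().split("\n\n"):
        entry = defaultdict(list)  # missing attributes read as []
        for line in block.splitlines():
            attr, _, value = line.partition(": ")
            entry[attr.lower()].append(value)
        entries.append(entry)
    return entries

def posix_to_group_of_names(entries, target_base):
    """Return (groupOfNames entries, skipped (group, uid-or-None) pairs)."""
    uid_to_dn = {e["uid"][0]: e["dn"][0] for e in entries
                 if "posixAccount" in e["objectclass"]}
    converted, skipped = [], []
    for e in entries:
        if "posixGroup" not in e["objectclass"]:
            continue
        cn = e["cn"][0]
        # Only uids that map to a known user DN become member values.
        members = [uid_to_dn[u] for u in e["memberuid"] if u in uid_to_dn]
        skipped += [(cn, u) for u in e["memberuid"] if u not in uid_to_dn]
        if not members:  # groupOfNames requires at least one member
            skipped.append((cn, None))
            continue
        converted.append({"dn": f"cn={cn},{target_base}",  # cn assumed to need no DN escaping
                          "objectClass": ["groupOfNames"],
                          "cn": [cn], "member": members})
    return converted, skipped
```

The skipped list is worth reviewing on every run, since a silently dropped or wrongly mapped member changes who is authorized through the synced group.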