
I am running an OpenLDAP database with the rfc2307bis schema activated. I'm now trying to load new groups into my testing instance (Debian) and everything works fine. With the old rfc2307 (NIS) schema, it was not necessary to specify members of a group (memberUid attribute). Now, when I need to use groupOfNames with one of these posixGroups, I am forced to specify at least one member of that group. How can I prevent this (more or less) redundant information, and what is the best way to solve this?

2 Answers


I found the right solution using the groupOfEntries class, which is defined in this draft. groupOfEntries has the same attributes as groupOfNames; it only modifies the use of the member attribute, which is now optional.


An option out of the core schema is to use organizationalRole and roleOccupant.

dn: cn={0}core,cn=schema,cn=config
olcAttributeTypes: {29}( 2.5.4.33 NAME 'roleOccupant' DESC 'RFC2256: occupant of role' SUP distinguishedName )
olcObjectClasses: {6}( 2.5.6.8 NAME 'organizationalRole' DESC 'RFC2256: an organizational role' SUP top STRUCTURAL MUST cn MAY ( x121Address $ registeredAddress $ destinationIndicator $ preferredDeliveryMethod $ telexNumber $ teletexTerminalIdentifier $ telephoneNumber $ internationaliSDNNumber $ facsimileTelephoneNumber $ seeAlso $ roleOccupant $ preferredDeliveryMethod $ street $ postOfficeBox $ postalCode $ postalAddress $ physicalDeliveryOfficeName $ ou $ st $ l $ description ) )


groupOfEntries is likely to be preferred as some software may expect member and not be easily reconfigurable.
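As an added example (not code from the question or either answer), a small Python preflight that parses object class definitions written in the same RFC 4512 syntax as the cn=config excerpt above and reports which MUST attributes a group entry lacks, i.e. what slapd would reject as an object class violation. The groupOfNames, groupOfEntries and posixGroup definitions are typed in from RFC 4519, the groupOfEntries draft and the rfc2307bis draft; the group entries are constructed.

```python
import re

# Object class definitions in RFC 4512 syntax. organizationalRole is the one quoted
# from cn=config above (DESC and unrelated MAY attributes trimmed); groupOfNames is
# from RFC 4519, groupOfEntries from draft-findlay-ldap-groupofentries, posixGroup
# from the rfc2307bis draft (AUXILIARY, so it can be combined with any of them).
SCHEMA = [
    "( 2.5.6.9 NAME 'groupOfNames' SUP top STRUCTURAL MUST ( member $ cn ) "
    "MAY ( businessCategory $ seeAlso $ owner $ ou $ o $ description ) )",
    "( 1.2.826.0.1.3458854.2.1.1.1 NAME 'groupOfEntries' SUP top STRUCTURAL MUST cn "
    "MAY ( member $ businessCategory $ seeAlso $ owner $ ou $ o $ description ) )",
    "( 2.5.6.8 NAME 'organizationalRole' SUP top STRUCTURAL MUST cn "
    "MAY ( seeAlso $ roleOccupant $ ou $ st $ l $ description ) )",
    "( 1.3.6.1.1.1.2.2 NAME 'posixGroup' SUP top AUXILIARY MUST gidNumber "
    "MAY ( userPassword $ memberUid $ description ) )",
]


def parse_objectclass(definition):
    """Pull NAME, MUST and MAY out of one object class definition."""
    def attr_list(keyword):
        # Either a single attribute ("MUST cn") or a $-separated list in parentheses.
        m = re.search(rf"\b{keyword}\s+(?:\(\s*([^)]*)\)|(\S+))", definition)
        if not m:
            return set()
        body = m.group(1) if m.group(1) is not None else m.group(2)
        return {a.strip() for a in body.split("$") if a.strip()}
    name = re.search(r"NAME\s+'([^']+)'", definition).group(1)
    return {"name": name, "must": attr_list("MUST"), "may": attr_list("MAY")}


OBJECTCLASSES = {oc["name"]: oc for oc in map(parse_objectclass, SCHEMA)}


def check_entry(entry):
    """Return the MUST attributes the entry lacks (empty list: slapd would accept the add)."""
    present = {attr for attr, values in entry.items() if values}
    missing = []
    for oc in entry["objectClass"]:
        for attr in sorted(OBJECTCLASSES[oc]["must"]):
            if attr not in present and attr not in missing:
                missing.append(attr)
    return missing


# Constructed group entries (attribute -> values), none of which lists a member.
BASE = {"cn": ["admins"], "gidNumber": ["10000"]}
GROUP_OF_NAMES = dict(BASE, objectClass=["posixGroup", "groupOfNames"])
GROUP_OF_ENTRIES = dict(BASE, objectClass=["posixGroup", "groupOfEntries"])
ORG_ROLE = dict(BASE, objectClass=["posixGroup", "organizationalRole"])
```

Running check_entry on the three entries shows only the groupOfNames variant missing member, which is exactly the rejection described in the question; the groupOfEntries and organizationalRole variants pass without any member.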
