#6 Support RFC2307bis memberOf attribute for trusted AD users in Schema Compatibility plugin
Opened 9 years ago by abbra. Modified 7 years ago

For applications that expect RFC2307bis schema, exposing a unified AD+IPA users/groups does not give proper group membership as these applications look for memberOf attribute with full DNs of the members.

Schema Compatibility plugin intentionally exposes only RFC2307 (memberUid attribute) schema. In this schema the value of memberUid is the value of uid attribute, not the full DN of the object containing the uid attribute.

There are problems with enabling RFC2307bis support:

- DNs for users must be rewritten to point to user objects within the Schema Compatibility subtree. This means they will be in a separate cn=users subtree, which implies tight integration between the configurations. We escaped this issue with RFC2307 as we simply took the uid attribute value and were done with it.
- Generating DNs based on memberUid attribute values requires a function that would operate on the resulting object's attribute (memberUid) rather than on the original object's attribute set. This is currently impossible in the slapi-nis design.
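As an added illustration (not slapi-nis or FreeIPA code), the rewriting step that RFC2307bis output would need: each memberUid value of the already-generated compat group entry has to become a DN under the compat cn=users subtree, so every generated DN depends on that subtree's configuration. The compat suffix and the sample group entries are assumed/constructed for the example.

```python
# Added example: derive RFC2307bis member/memberOf values from the RFC2307
# (memberUid) entries the Schema Compatibility plugin already emits.
# COMPAT_BASE is an assumed placeholder; real deployments configure their own.
COMPAT_BASE = "cn=compat,dc=example,dc=com"
USERS_SUBTREE = "cn=users," + COMPAT_BASE
GROUPS_SUBTREE = "cn=groups," + COMPAT_BASE


def escape_rdn_value(value: str) -> str:
    """Escape an attribute value for use inside an RDN (RFC 4514 rules)."""
    out = []
    for ch in value:
        out.append("\\" + ch if ch in '\\,+"<>;=' else ch)
    s = "".join(out)
    if s[:1] in ("#", " "):          # leading '#' or space must be escaped
        s = "\\" + s
    if len(value) > 1 and value.endswith(" "):  # trailing space too
        s = s[:-1] + "\\ "
    return s


def user_dn(uid: str) -> str:
    """DN of the compat-tree user object that carries this uid value."""
    return "uid=%s,%s" % (escape_rdn_value(uid), USERS_SUBTREE)


def group_dn(cn: str) -> str:
    """DN of the compat-tree group object with this cn."""
    return "cn=%s,%s" % (escape_rdn_value(cn), GROUPS_SUBTREE)


def rfc2307bis_members(group_entry: dict) -> list:
    """RFC2307bis 'member' values for one compat group entry.

    This maps over the *resulting* entry's memberUid attribute, which is the
    operation the ticket says the slapi-nis design cannot express.
    """
    return [user_dn(uid) for uid in group_entry.get("memberUid", [])]


def rfc2307bis_member_of(uid: str, group_entries: list) -> list:
    """memberOf values for one user, computed across all compat groups."""
    return [group_dn(g["cn"][0]) for g in group_entries
            if uid in g.get("memberUid", [])]


# Constructed sample: compat group entries as the plugin emits them today.
SAMPLE_GROUPS = [
    {"cn": ["ad_admins"], "memberUid": ["alice@ad.example.com"]},
    {"cn": ["ad_users"], "memberUid": ["alice@ad.example.com",
                                       "bob@ad.example.com"]},
]

if __name__ == "__main__":
    for g in SAMPLE_GROUPS:
        print(group_dn(g["cn"][0]), rfc2307bis_members(g))
    print(rfc2307bis_member_of("alice@ad.example.com", SAMPLE_GROUPS))
```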

