Re: [nssldap] nss_map_attribute gidNumber problem
- From: Howard Chu <hyc [at] highlandsun.com>
- To: watts [at] jayhawks.net
- Cc: Jeffrey Watts <jeffrey.w.watts [at] gmail.com>, Liam Gretton <liam.gretton [at] leicester.ac.uk>, nssldap [at] padl.com
- Subject: Re: [nssldap] nss_map_attribute gidNumber problem
- Date: Thu, 11 Feb 2010 12:55:40 -0800
Jeffrey Watts wrote:
Thanks for linking to that, that seems very useful. However, in this
circumstance, will that address his problem with gidNumber?
It seems to me that while that would allow people like Liam to have a
standardized format for the LDAP attributes he's using, how would someone like
him be able to configure NSS-LDAP to map, say, gidNumber;host-foobar to
gidNumber for users, but map gidNumber itself to groups?
The point of using attribute options is that the base attribute type remains
the same, and therefore doesn't need to be mapped at all. Mapping is a poor
solution to this problem, so remove mapping from the equation.
Jeffrey.
On Thu, Feb 11, 2010 at 2:03 PM, Howard Chu <hyc [at] highlandsun.com> wrote:
Jeffrey Watts wrote:
Unix groups also have a gidNumber. What I suspect is happening is that when
you map gidNumber to gidNumberSYS1, the LDAP groups do not have that attribute
defined and thus gidNumber gets mapped by default to cn.
I'm not sure if there's a way to add filter options to nss_map_attribute much
like you can with nss_base_group. For example, it'd be nice to be able to do
something like:
nss_map_attribute gidNumber gidNumberSYS1 &(objectcategory=user)
Basically: <attribute> <value> <filter>
If the functionality doesn't exist it might be a good thing to suggest for a
future version.
Please see section 2.2.2 Attribute Option in the latest draft of RFC2307bis.
http://tools.ietf.org/draft/draft-howard-rfc2307bis/draft-howard-rfc2307bis-02.txt
--
"He that would make his own liberty secure must guard even his enemy from
oppression; for if he violates this duty he establishes a precedent that will
reach to himself." -- Thomas Paine
--
-- Howard Chu
CTO, Symas Corp. http://www.symas.com
Director, Highland Sun http://highlandsun.com/hyc/
Chief Architect, OpenLDAP http://www.openldap.org/project/
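
Added example (not part of the original message, and not nss_ldap or OpenLDAP code): a sketch of how a client could pick a per-host gidNumber when the directory uses attribute options, so that the base type stays gidNumber and no nss_map_attribute line is needed. The "host-<name>" option naming follows the gidNumber;host-foobar example in the thread; the function names, the sample entry and the "tagged value first, untagged value as fallback" policy are assumptions made for illustration.

```python
# Added illustration; not nss_ldap code. Option naming "host-<name>" follows the
# gidNumber;host-foobar example in the thread; the fallback policy is assumed.
import re

# RFC 4512: attributedescription = attributetype *( ";" option ), option = 1*keychar
_DESCR = re.compile(r"^([A-Za-z][A-Za-z0-9-]*|\d+(?:\.\d+)*)((?:;[A-Za-z0-9-]+)*)$")


def parse_description(descr):
    """Split 'gidNumber;host-foobar' into ('gidnumber', frozenset({'host-foobar'}))."""
    m = _DESCR.match(descr)
    if not m:
        raise ValueError("malformed attribute description: %r" % descr)
    # Attribute types and options are case-insensitive; option order is irrelevant.
    options = frozenset(o.lower() for o in m.group(2).split(";") if o)
    return m.group(1).lower(), options


def select_value(entry, base, host):
    """Return the value of `base` for `host`: tagged value first, then untagged.

    Values tagged for other hosts are never returned, so a gid meant for one
    machine does not end up in the identity resolved on another.
    """
    wanted = frozenset({"host-" + host.lower()})
    tagged = untagged = None
    for descr, values in entry.items():
        name, options = parse_description(descr)
        if name != base.lower() or not values:
            continue
        if options == wanted:
            tagged = values[0]
        elif not options:
            untagged = values[0]
    return tagged if tagged is not None else untagged


# Constructed sample entries. A search that asks for "gidNumber" also returns its
# option-bearing subtypes, which is why the user entry carries all three.
USER = {
    "uid": ["liam"],
    "gidNumber": ["100"],
    "gidNumber;host-foobar": ["5000"],
    "GIDNUMBER;HOST-SYS1": ["7000"],
}
GROUP = {"cn": ["staff"], "gidNumber": ["100"]}  # groups carry only the plain attribute

if __name__ == "__main__":
    for h in ("foobar", "sys1", "other"):
        print(h, select_value(USER, "gidNumber", h), select_value(GROUP, "gidNumber", h))
```

Because the group entry only has the untagged gidNumber, group lookups resolve the same way on every host, which is the case the mapping approach in the thread broke.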