Working With Oracle® Solaris 11.2 Directory and Naming Services: LDAP

Updated: July 2014

Specifying Group Memberships by Using the Member Attribute

The RFC draft rfc2307bis specifies that the groupOfMembers object class can also be used as the convenient structural class for the LDAP entries of the group service. Group entries can then have member attribute values specifying group membership in distinguished names (DNs). Oracle Solaris LDAP clients support such group entries and use the member attribute values for group membership resolution.

The LDAP clients also support group entries that use the groupOfUniqueNames object class and the uniqueMember attribute. However, using this object class and attribute is not recommended.

The existing way of defining group entries with the posixGroup object class and the memberUid attribute is still supported. This type of group entry is still what the ldapaddent command creates when populating the LDAP servers for the group service; ldapaddent does not add the member attribute to the group entries.

To add group entries with the groupOfMembers object class and member attribute values, use the ldapadd tool and an input file similar to the following:

dn: cn=group1,ou=group,dc=mkg,dc=example,dc=com
objectClass: posixGroup
objectClass: groupOfNames
objectClass: top
cn: group1
gidNumber: 1234
member: uid=user1,ou=people,dc=mkg,dc=example,dc=com
member: uid=user2,ou=people,dc=mkg,dc=example,dc=com
member: cn=group2,ou=group,dc=mkg,dc=example,dc=com

LDAP clients will handle group entries with a mix of none, any, or all of the memberUid, member, and uniqueMember attributes. The membership evaluation result will be that a group has membership that is the union of all three with duplicates removed. That is, if a group entry G has a memberUid value referring to user U1 and U2, a member value referring to user U2, and a uniqueMember value referring to user U3, then group G has three members, U1, U2, and U3. Nested groups are also supported, that is, a member attribute can have values pointing to other groups.

To efficiently evaluate group membership to determine the groups (including the nested ones) that a user is a member of, the memberOf plug-in must be configured and enabled on the LDAP servers. If not, only the containing groups, not nested ones, will be resolved. By default, the memberOf plug-in is enabled by the ODSEE server. If the plug-in is not enabled, use ODSEE's dsconf tool to enable it.
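The following Python model is an added illustration of the two rules above (union of memberUid, member and uniqueMember with duplicates removed, plus nested groups), not code from Oracle Solaris or ODSEE. The in-memory directory, its DNs, and the function names are constructed assumptions for the example; the group1 entry mirrors the G/U1/U2/U3 case described above and adds a nested group2 that refers back to group1, so the cycle guard is exercised.

```python
# Added illustration: a small Python model of the membership rule above.
# The directory contents are constructed sample data; the DNs, the dict
# layout and the function names are assumptions for this example, not
# anything from Oracle Solaris or ODSEE.

PEOPLE = "ou=people,dc=mkg,dc=example,dc=com"
GROUPS = "ou=group,dc=mkg,dc=example,dc=com"

# Constructed entries keyed by DN; each attribute maps to a list of values,
# the usual representation of multi-valued LDIF attributes.
DIRECTORY = {
    f"cn=group1,{GROUPS}": {
        "objectClass": ["posixGroup", "groupOfNames", "top"],
        "cn": ["group1"],
        "gidNumber": ["1234"],
        "memberUid": ["user1", "user2"],           # posixGroup style
        "member": [f"uid=user2,{PEOPLE}",          # duplicate of a memberUid
                   f"cn=group2,{GROUPS}"],         # nested group
        "uniqueMember": [f"uid=user3,{PEOPLE}"],   # groupOfUniqueNames style
    },
    f"cn=group2,{GROUPS}": {
        "objectClass": ["posixGroup", "groupOfNames", "top"],
        "cn": ["group2"],
        "gidNumber": ["1235"],
        "member": [f"uid=user4,{PEOPLE}",
                   f"cn=group1,{GROUPS}"],         # cycle back to group1
    },
}


def first_rdn(dn):
    """Return (attribute, value) of the leading RDN, e.g. ('uid', 'user1')."""
    attr, _, value = dn.split(",", 1)[0].partition("=")
    return attr.strip().lower(), value.strip()


def resolve_members(group_dn, directory=DIRECTORY, nested=True, _seen=None):
    """Members of a group as a set of uids: the union of memberUid, member
    and uniqueMember with duplicates removed. member/uniqueMember DNs that
    name another group entry are expanded recursively when nested=True."""
    seen = _seen if _seen is not None else set()
    if group_dn in seen:            # guard against group cycles
        return set()
    seen.add(group_dn)
    entry = directory.get(group_dn, {})
    members = set(entry.get("memberUid", []))
    for dn in entry.get("member", []) + entry.get("uniqueMember", []):
        attr, value = first_rdn(dn)
        if attr == "uid":
            members.add(value)
        elif nested and dn in directory:
            members |= resolve_members(dn, directory, nested, seen)
    return members


def groups_of_user(uid, directory=DIRECTORY, nested=True):
    """Group names (cn) that contain uid. nested=True models what a server
    with the memberOf plug-in can answer; nested=False reports only the
    directly containing groups, as described for a server without it."""
    return {first_rdn(dn)[1] for dn in directory
            if first_rdn(dn)[0] == "cn"
            and uid in resolve_members(dn, directory, nested)}


if __name__ == "__main__":
    g1 = f"cn=group1,{GROUPS}"
    print("group1 direct:", sorted(resolve_members(g1, nested=False)))
    print("group1 nested:", sorted(resolve_members(g1)))
    print("user4 is in:  ", sorted(groups_of_user("user4")))
    print("user4 direct: ", sorted(groups_of_user("user4", nested=False)))
```

With nesting disabled, group1 resolves to user1, user2 and user3 (user2 counted once); with nesting enabled it also picks up user4 through group2, and the reverse lookup for user4 reports both group2 and group1. The `seen` set is what keeps the mutual group1/group2 reference from recursing forever.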