Oracle Solaris Administration: Naming and Directory Services     Oracle Solaris 11 Information Library

Specifying Group Memberships by Using the Member Attribute

The Internet-Draft rfc2307bis specifies that the groupOfMembers object class can also be used as a structural class for the LDAP entries of the group service. Such group entries can then carry member attribute values that specify group membership as Distinguished Names (DNs). Oracle Solaris LDAP clients support such group entries and use the member attribute values to resolve group membership.

The LDAP clients also support group entries that use the groupOfUniqueNames object class and the uniqueMember attribute. However, using this object class and attribute is not recommended.

The existing way of defining group entries, with the posixGroup object class and the memberUid attribute, is still supported. This type of group entry is still what the ldapaddent command creates when it populates the LDAP servers for the group service; ldapaddent does not add the member attribute to the group entries.

To add group entries with the groupOfMembers object class and member attribute values, use the ldapadd tool and an input file similar to the following:

dn: cn=group1,ou=group,dc=mkg,dc=example,dc=com
objectClass: posixGroup
objectClass: groupOfNames
objectClass: top
cn: group1
gidNumber: 1234
member: uid=user1,ou=people,dc=mkg,dc=example,dc=com
member: uid=user2,ou=people,dc=mkg,dc=example,dc=com
member: cn=group2,ou=group,dc=mkg,dc=example,dc=com

LDAP clients handle group entries that carry any combination of the memberUid, member, and uniqueMember attributes, including none of them. The membership evaluation result is the union of all three, with duplicates removed. That is, if a group entry G has memberUid values referring to users U1 and U2, a member value referring to user U2, and a uniqueMember value referring to user U3, then group G has three members: U1, U2, and U3. Nested groups are also supported; that is, a member attribute can have values that point to other groups.

To efficiently evaluate group membership and determine the groups, nested ones included, that a user is a member of, the memberOf plug-in must be configured and enabled on the LDAP servers. Otherwise, only the groups that directly contain the user are resolved, not the nested ones. By default, the memberOf plug-in is enabled on the ODSEE server. If the plug-in is not enabled, use the ODSEE dsconf tool to enable it.
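The union-of-three-attributes rule and the nested-group walk described above, as an added Python example that is not Oracle Solaris client code and does not claim to reproduce its implementation. The LDIF is constructed for the example: group1 mixes memberUid, member and uniqueMember as in the three-user illustration, group2 is nested inside group1 and refers back to it, and one member DN is deliberately dangling so the check a practitioner wants before running ldapadd (does every referenced DN name a real user or group?) is exercised. The last function answers the "which groups, nested ones included, is this user in" question that the memberOf plug-in answers server-side, by evaluating every group entry in turn, which is the cost the plug-in avoids.

```python
"""Added example, not Oracle Solaris code: evaluate group membership as the
union of memberUid, member and uniqueMember, duplicates removed, nested groups
followed.  All LDIF below is constructed for the example."""
from collections import defaultdict


def parse_ldif(text):
    """Minimal reader for the plain 'attr: value' LDIF used on the page (no line
    folding, no '::' base64).  Attribute names and DNs are case-insensitive in
    LDAP, so both are keyed lower-case."""
    entries, current = {}, None
    for line in text.splitlines():
        line = line.rstrip()
        if not line:                       # blank line ends an entry
            current = None
            continue
        attr, _, value = line.partition(":")
        attr, value = attr.strip().lower(), value.strip()
        if attr == "dn":
            current = defaultdict(list)
            entries[value.lower()] = current
        elif current is not None:
            current[attr].append(value)
    return entries


def is_group(entry):
    return "posixgroup" in [oc.lower() for oc in entry.get("objectclass", [])]


def resolve_members(entries, group_dn):
    """Return (uids, dangling): every uid reachable from group_dn through the
    three membership attributes, plus referenced DNs that name no usable entry.
    The visited set makes nested, even cyclic, groups safe to walk."""
    uids, dangling, visited = set(), set(), set()
    stack = [group_dn.lower()]
    while stack:
        dn = stack.pop()
        if dn in visited:
            continue
        visited.add(dn)
        group = entries.get(dn)
        if group is None:
            dangling.add(dn)
            continue
        uids.update(group.get("memberuid", []))         # posixGroup style, by uid
        for ref in group.get("member", []) + group.get("uniquemember", []):
            target = entries.get(ref.lower())           # DN-valued attributes
            if target is None:
                dangling.add(ref)                       # broken reference
            elif is_group(target):
                stack.append(ref.lower())               # nested group
            elif target.get("uid"):
                uids.add(target["uid"][0])
            else:
                dangling.add(ref)                       # neither user nor group
    return uids, sorted(dangling)


def groups_of_user(entries, uid):
    """All groups, nested ones included, that uid belongs to: the question the
    memberOf plug-in answers server-side.  Without it every group entry has to
    be evaluated, as done here."""
    return {e["cn"][0] for dn, e in entries.items()
            if is_group(e) and uid in resolve_members(entries, dn)[0]}


SAMPLE_LDIF = """\
dn: uid=user2,ou=people,dc=mkg,dc=example,dc=com
objectClass: posixAccount
uid: user2

dn: uid=user3,ou=people,dc=mkg,dc=example,dc=com
objectClass: posixAccount
uid: user3

dn: cn=group1,ou=group,dc=mkg,dc=example,dc=com
objectClass: posixGroup
objectClass: groupOfNames
objectClass: groupOfUniqueNames
cn: group1
gidNumber: 1234
memberUid: user1
memberUid: user2
member: uid=user2,ou=people,dc=mkg,dc=example,dc=com
member: cn=group2,ou=group,dc=mkg,dc=example,dc=com
uniqueMember: uid=user3,ou=people,dc=mkg,dc=example,dc=com

dn: cn=group2,ou=group,dc=mkg,dc=example,dc=com
objectClass: posixGroup
objectClass: groupOfNames
cn: group2
gidNumber: 1235
memberUid: user4
member: cn=group1,ou=group,dc=mkg,dc=example,dc=com
member: uid=nobody,ou=people,dc=mkg,dc=example,dc=com
"""

if __name__ == "__main__":
    db = parse_ldif(SAMPLE_LDIF)
    print(resolve_members(db, "cn=group1,ou=group,dc=mkg,dc=example,dc=com"))
    print(sorted(groups_of_user(db, "user4")))
```

Running the script resolves group1 to user1 through user4 (user4 arrives only through the nested group2) and reports the nobody DN as dangling; user4 is reported as a member of both groups, because group1 nests group2. The cycle group1 to group2 to group1 terminates because of the visited set; a naive recursive walk over the member attribute would not.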