
Working With Oracle® Solaris 11.3 Directory and Naming Services: LDAP


Updated: September 2018

Specifying Group Memberships by Using the Member Attribute

The rfc2307bis Internet-Draft specifies the groupOfMembers object class as a convenient structural class for the LDAP entries of the group service. Group entries can then carry member attribute values that specify membership by distinguished name (DN). Oracle Solaris LDAP clients support such group entries and use the member attribute values for group membership resolution.

The LDAP clients also support group entries that use the groupOfUniqueNames object class and the uniqueMember attribute, but avoid this object class and attribute for new group entries; use the member attribute instead.

The LDAP clients also support group entries defined with the posixGroup object class and the memberUid attribute. The ldapaddent command creates this type of group entry when it populates the LDAP servers for the group service; it does not add the member attribute to the group entries.

To add group entries with the groupOfMembers object class and member attribute values, use the ldapadd tool with an input file similar to the following example. Note that the example combines posixGroup with the standard groupOfNames class, which requires at least one member value; servers that enforce the single-structural-class rule (OpenLDAP, for example) accept this combination only with an rfc2307bis-style schema in which posixGroup is an auxiliary class.

dn: cn=group1,ou=group,dc=mkg,dc=example,dc=com
objectClass: posixGroup
objectClass: groupOfNames
objectClass: top
cn: group1
gidNumber: 1234
member: uid=user1,ou=people,dc=mkg,dc=example,dc=com
member: uid=user2,ou=people,dc=mkg,dc=example,dc=com
member: cn=group2,ou=group,dc=mkg,dc=example,dc=com

LDAP clients handle group entries that have none, any, or all of the memberUid, member, and uniqueMember attributes. Membership evaluation yields the union of the values of all three attributes with duplicates removed. For example, if group entry G has memberUid values referring to users U1 and U2, a member value referring to user U2, and a uniqueMember value referring to user U3, then group G has three members: U1, U2, and U3. A member value can also point to another group entry, which results in nested groups.

To efficiently determine the groups that a user belongs to, including nested ones, you must configure and enable the memberOf plug-in on the LDAP servers. Otherwise, only the groups that list the user directly are resolved, not the groups that contain those groups. In ODSEE, the memberOf plug-in is enabled by default; if it is not enabled, use the ODSEE dsconf tool to enable it.
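The following Python example is added here to illustrate both the union rule described above and what the memberOf plug-in computes; it is not Oracle's code and does not talk to a directory server. It works on a small constructed set of entries (DIRECTORY, a hypothetical name) modelled on the ldapadd input above, resolves a group's members as the de-duplicated union of memberUid, member, and uniqueMember values while following member values that point at other groups, and computes the reverse mapping (user to all containing groups, nested ones included), which is the relationship the memberOf plug-in maintains on the server. The function names members() and groups_of() are assumptions of this example. group2 deliberately lists itself as a member so that the resolver's cycle guard is exercised.

```python
# Added example, not Oracle's code: group membership resolution over a
# constructed in-memory directory. members() applies the union rule from the
# text; groups_of() is the user-to-groups closure that memberOf materializes.
from collections import deque

GROUP_CLASSES = {"posixgroup", "groupofnames", "groupofuniquenames", "groupofmembers"}
MEMBER_DN_ATTRS = ("member", "uniqueMember")

# Constructed sample entries keyed by DN (hypothetical data, not real users).
# group2 nests into group1 and also lists itself, a misconfiguration that a
# naive recursive resolver would loop on.
DIRECTORY = {
    "cn=group1,ou=group,dc=mkg,dc=example,dc=com": {
        "objectClass": ["posixGroup", "groupOfNames", "top"],
        "cn": ["group1"], "gidNumber": ["1234"],
        "memberUid": ["user1", "user2"],
        "member": ["uid=user2,ou=people,dc=mkg,dc=example,dc=com",
                   "cn=group2,ou=group,dc=mkg,dc=example,dc=com"],
        "uniqueMember": ["uid=user3,ou=people,dc=mkg,dc=example,dc=com"],
    },
    "cn=group2,ou=group,dc=mkg,dc=example,dc=com": {
        "objectClass": ["posixGroup", "groupOfNames", "top"],
        "cn": ["group2"], "gidNumber": ["1235"],
        "member": ["uid=user4,ou=people,dc=mkg,dc=example,dc=com",
                   "cn=group2,ou=group,dc=mkg,dc=example,dc=com"],
    },
}


def norm_dn(dn):
    """Normalise a DN for comparison: lowercase, no whitespace around commas."""
    return ",".join(part.strip() for part in dn.split(",")).lower()


INDEX = {norm_dn(dn): (dn, entry) for dn, entry in DIRECTORY.items()}


def rdn_value(dn):
    """Value of the first RDN, e.g. 'user1' for 'uid=user1,ou=people,...'."""
    first = dn.split(",", 1)[0]
    return first.split("=", 1)[1].strip() if "=" in first else first.strip()


def lookup(dn):
    """(canonical DN, entry) for a known DN, or (dn, None) if it is unknown."""
    return INDEX.get(norm_dn(dn), (dn, None))


def is_group(entry):
    return entry is not None and any(
        oc.lower() in GROUP_CLASSES for oc in entry.get("objectClass", []))


def direct_members(entry):
    """Yield ('user', login) or ('group', dn) for each membership value."""
    for uid in entry.get("memberUid", []):        # login names, not DNs
        yield ("user", uid)
    for attr in MEMBER_DN_ATTRS:                  # DN-valued attributes
        for dn in entry.get(attr, []):
            canon, target = lookup(dn)
            if is_group(target):
                yield ("group", canon)
            else:  # not a known group entry: a user named by its RDN
                yield ("user", rdn_value(dn))


def members(group_dn):
    """Sorted login names in the group: union of all three attributes,
    nested groups expanded, duplicates removed, cycles ignored."""
    start, entry = lookup(group_dn)
    if not is_group(entry):
        raise KeyError(f"not a group entry: {group_dn}")
    users, seen, queue = set(), {norm_dn(start)}, deque([entry])
    while queue:
        for kind, value in direct_members(queue.popleft()):
            if kind == "user":
                users.add(value)
            elif norm_dn(value) not in seen:      # follow each nested group once
                seen.add(norm_dn(value))
                queue.append(lookup(value)[1])
    return sorted(users)


def groups_of(uid):
    """Sorted DNs of every group containing uid, directly or through nesting."""
    parents, direct = {}, set()
    for dn, entry in DIRECTORY.items():
        if not is_group(entry):
            continue
        for kind, value in direct_members(entry):
            if kind == "user" and value == uid:
                direct.add(dn)
            elif kind == "group":                 # value is nested inside dn
                parents.setdefault(norm_dn(value), set()).add(dn)
    result, queue = set(direct), deque(direct)
    while queue:                                  # walk up to containing groups
        for parent in parents.get(norm_dn(queue.popleft()), ()):
            if parent not in result:
                result.add(parent)
                queue.append(parent)
    return sorted(result)
```

With these entries, group1 resolves to user1 through user4 even though user2 appears twice (once via memberUid, once via member), and user4 is reported as a member of both groups because group2 is nested in group1. Without a memberOf-style reverse index, a client asked for user4's groups would have to perform exactly this walk over every group entry on each lookup.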