LDAP : posixGroup vs groupOfNames ?

[François Van Der Biest]

Hi list,

geOrchestra currently ships with a default LDAP setup having groups which are objectClass: posixGroup. This kind of objects references users via the memberUid property (storing, guess what ... uids).

In the near future, we might have to change the groups' class in favor of objectClass: groupOfNames.

We are indeed currently facing difficulties configuring Pydio to map LDAP groups to pydio "roles", as explained here: http://pyd.io/groups-and-roles-with-ldapad-integration-draft/. Pydio expects users to have the memberOf property linking to the appropriate groups.

In addition, several people already reported that they prefer having full DN stored in the member property of groupOfNames-typed groups, see for instance below:

On 09/03/13 :

14:29 < gaston> fvanderbiest: lié a ca : https://github.com/georchestra/LDAP/commit/ec3db48531e591f07288387de9e9d00e8a1372d0

14:29 < gaston> si jamais un jour t'a plus de trucs qui se lient au ldap

14:29 < gaston> je viens de me rendre compte que c'est mieux d'avoir les full DN

14:29 < gaston> p.ex l'overlay memberOf d'openldap il marche qu'avec des DN

14:30 < gaston> j'avais fait pareil dans mon ldap y'a qqs mois.. et

maintenant je m'en mords les doigts et je repasse d'un posixGroup avec

des memberUid a un groupOfNames contenant des member (avec des DN)

This would require to change geOrchestra in several places:

 - security proxy config

 - cas config

 - ldapadmin code & config

 - geonetwork config

.. and of course would impact all current instances wishing to migrate.

I'd like to perform this change for the soon-to-be-released-13.12-version

Any cons ?

Thanks,

F.

--
Camptocamp France SAS, Chambéry
http://www.camptocamp.com/fr/geospatial-solutions