Speedy,
Thanks for responding.
Unfortunately I don’t have AD; I’m running ClearOS, which is using OpenLDAP. I’m thinking the key issue I have here is that AD has the memberOf field that tags users as to what groups they are in. In OpenLDAP there doesn’t seem to be such a thing.
When I do an ldapsearch on the user list, no group information comes back. So there is nothing keeping users synced with groups. If I want to know what group a user is in, it looks like I have to query every group to see if they are there… unless someone can explain to me otherwise. Again, I’m barely a beginner in LDAP; this is just what I’ve observed at this point.
Here’s what I see in an ldapsearch on a single test user, only specifying the top level as the base DN:
Joe Bob, test, Users, Accounts, mydomain.com
dn: cn=Joe Bob,ou=Users,ou=Accounts,dc=mydomain,dc=com
uidNumber: 1014
gidNumber: 63000
loginShell: /sbin/nologin
kolabHomeServer: system.clearos.lan
kolabInvitationPolicy: ACT_MANUAL
homeDirectory: /home/joe.bob
pcnWebconfigFlag: TRUE
givenName: Joe
sn: Bob
street:
l:
st:
c:
postalCode:
o:
ou:
pcnFTPFlag: FALSE
pcnMailFlag: FALSE
pcnGoogleAppsFlag: FALSE
pcnOpenVPNFlag: FALSE
pcnPPTPFlag: FALSE
pcnWebFlag: FALSE
pcnProxyFlag: FALSE
uid: joe.bob
cn: Joe Bob
objectClass: top
objectClass: posixAccount
objectClass: shadowAccount
objectClass: inetOrgPerson
objectClass: kolabInetOrgPerson
objectClass: hordePerson
objectClass: pcnAccount
objectClass: pcnWebconfigAccount
objectClass: pcnFTPAccount
objectClass: pcnMailAccount
objectClass: pcnGoogleAppsAccount
objectClass: pcnOpenVPNAccount
objectClass: pcnPPTPAccount
objectClass: pcnWebAccount
objectClass: pcnProxyAccount
userPassword::
pcnSHAPassword:
pcnMicrosoftNTPassword:
pcnMicrosoftLanmanPassword:
pcnFTPPassword:
pcnMailPassword:
pcnGoogleAppsPassword:
pcnOpenVPNPassword:
pcnPPTPPassword:
pcnProxyPassword:
pcnWebconfigPassword:
pcnWebPassword:
What also has me thinking this is this post: http://www.clearfoundation.com/component/option,com_kunena/Itemid,232/catid,10/func,view/id,27/limit,10/limitstart,20/
He shows an AD record and a ClearOS LDAP record. Sure enough, memberOf is in AD, not LDAP. I’ve got a post in the ClearOS forum trying to find out if there’s a way to add that functionality in or simulate it somehow. Otherwise I was hoping someone here had done this in a plain LDAP environment, no AD.
Right now the only thing I can think of is to bury the chat users in one OU and the system stuff in another. The problem is it adds complexity to the user creation process. ClearOS has a simple web page for adding users which automatically creates them in the Users OU. I’d then have to move/copy them into the chat OU, versus if it’s just a group, I can select their participation in that from the web GUI. Much simpler.
Edit: Okay, I just found this: http://www.openldap.org/software/man.cgi?query=slapo-memberof&sektion=5&apropos=0&manpath=OpenLDAP+2.4-Release
I’m trying that now to see if it works.
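The post above describes the client-side workaround for a directory without memberOf: walk every group entry and collect the ones that list the user. The following is an added example that is not part of the thread and not code from ClearOS or OpenLDAP. It parses a small constructed LDIF (the DNs, group names and gidNumbers are assumptions shaped like the ldapsearch output above), does that group-by-group scan for both posixGroup (memberUid, plus the primary group via gidNumber) and groupOfNames (member DN) entries, and also builds the single server-side filter that replaces the scan. Because the user's uid and DN end up inside that filter, the values are escaped per RFC 4515 rather than concatenated raw.

```python
"""Client-side stand-in for AD's memberOf on a directory that lacks it.

Added example, not from the original thread or from ClearOS/OpenLDAP. It does
what the post describes: scan every group entry and collect the ones that
list the user. All LDIF below is constructed sample data.
"""
import base64
import re

# Constructed LDIF shaped like the ldapsearch output in the post. The group
# DNs, names and gidNumbers are assumptions, not ClearOS's real layout.
SAMPLE_LDIF = """\
dn: cn=Joe Bob,ou=Users,ou=Accounts,dc=mydomain,dc=com
objectClass: inetOrgPerson
objectClass: posixAccount
uid: joe.bob
cn: Joe Bob
gidNumber: 63000
userPassword:: e1NTSEF9c2VjcmV0

dn: cn=allusers,ou=Groups,ou=Accounts,dc=mydomain,dc=com
objectClass: posixGroup
cn: allusers
gidNumber: 63000

dn: cn=chat,ou=Groups,ou=Accounts,dc=mydomain,dc=com
objectClass: posixGroup
cn: chat
gidNumber: 63001
memberUid: joe.bob
memberUid: jane.doe

dn: cn=vpn-admins,ou=Groups,ou=Accounts,dc=mydomain,dc=com
objectClass: groupOfNames
cn: vpn-admins
member: cn=Jane Doe, ou=Users,ou=Accounts,dc=mydomain,dc=com
"""


def parse_ldif(text):
    """Parse LDIF into {dn: {attr_lower: [values]}}; 'attr:: x' is base64."""
    entries = {}
    for block in re.split(r"\n\s*\n", text.strip()):
        attrs = {}
        for line in block.splitlines():
            if not line.strip() or line.startswith("#"):
                continue
            name, _, value = line.partition(":")
            name = name.strip().lower()
            if value.startswith(":"):  # '::' marks a base64-encoded value
                value = base64.b64decode(value[1:].strip()).decode("utf-8", "replace")
            else:
                value = value.strip()
            attrs.setdefault(name, []).append(value)
        dn = attrs.pop("dn")[0]
        entries[dn] = attrs
    return entries


def normalize_dn(dn):
    """Lower-case and strip spaces after commas so DN comparison is robust.
    Simplification: escaped commas inside RDN values are not handled."""
    return ",".join(part.strip() for part in dn.split(",")).lower()


def groups_of(entries, user_dn):
    """The scan the post describes: return every group DN that lists the user."""
    user = entries.get(user_dn, {})
    uids = {u.lower() for u in user.get("uid", [])}
    primary_gid = user.get("gidnumber", [None])[0]
    want = normalize_dn(user_dn)
    found = []
    for dn, attrs in entries.items():
        classes = {c.lower() for c in attrs.get("objectclass", [])}
        if "posixgroup" in classes:
            member_uids = {m.lower() for m in attrs.get("memberuid", [])}
            group_gid = attrs.get("gidnumber", [None])[0]
            # memberUid lists secondary members; the primary group is implied
            # by the user's own gidNumber and is not listed anywhere.
            if uids & member_uids or (primary_gid is not None and group_gid == primary_gid):
                found.append(dn)
        if "groupofnames" in classes or "groupofuniquenames" in classes:
            members = attrs.get("member", []) + attrs.get("uniquemember", [])
            if want in {normalize_dn(m) for m in members}:
                found.append(dn)
    return sorted(found)


_FILTER_ESCAPES = {"\\": r"\5c", "*": r"\2a", "(": r"\28", ")": r"\29", "\x00": r"\00"}


def escape_filter(value):
    """RFC 4515 escaping so a uid or DN can never reshape the search filter."""
    return "".join(_FILTER_ESCAPES.get(ch, ch) for ch in value)


def reverse_lookup_filter(user_dn, uid):
    """One server-side query (ldapsearch -b <groups base> '<filter>' dn)
    that returns the same groups as the scan above, minus the primary group."""
    return ("(|(&(objectClass=posixGroup)(memberUid={0}))"
            "(&(objectClass=groupOfNames)(member={1})))").format(
                escape_filter(uid), escape_filter(user_dn))


if __name__ == "__main__":
    directory = parse_ldif(SAMPLE_LDIF)
    joe = "cn=Joe Bob,ou=Users,ou=Accounts,dc=mydomain,dc=com"
    for group_dn in groups_of(directory, joe):
        print(group_dn)
    print(reverse_lookup_filter(joe, "joe.bob"))
```

The scan is O(groups) per user, which is exactly why the slapo-memberof overlay linked above exists: it maintains the reverse attribute server-side so a single read of the user entry answers the question. Until that is in place, the filter-based lookup keeps the work on the server and the escaping keeps a uid such as `*)(uid=*` from widening the search.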