#21 rfc2307bis - support for group members specified by DN

[Jonny Anon]

rfc2307bis states "Group members may either be login
names (values of memberUid) or distinguished names
(values of uniqueMember)." Nss_ldap supports group
members being defined by the uniqueMember attribute
when the nss_map_attribute option in ldap.conf is set
to uniqueMember.

Using a Group entry that utilizes the posixGroup and
groupOfUniqueNames object classes has added benefits
when the uniqueMember attribute is used to define group
members. Since uniqueMember refers to the DN of the
user, the group entry can be used in slapd ACLs , which
is useful for setting up LDAP directory administrators.
Also, the group entry can then be used for host-based
login authorization through the use of the pam_groupdn
and pam_member_attribute options in the ldap.conf file.

I propose that you include an option to use
uniqueMember as an alternative to memberUid when
defining the members of a group. The only gotcha that
I see is that the schema definition for
groupOfUniqueNames requires that the uniqueMember
attribute must be used when creating the group entry.
This can be overcome by defining a place-holder entry
(uniqueMember: cn=cpu_foo,ou=People,dc=example,dc=com)
when a group is created initially by the cpu groupadd
command.

I hope that my request is clear and I did not rant too
much. :-)

Jon