samba4 and memberOf

Andreas Moroder andreas.moroder at
Tue Jun 9 06:58:43 GMT 2009


according to


"While not currently an issue, Samba4 will need to improve its handling 
of the member/memberOf linked attributes. Handling these with a 
transaction in Samba4 is fine, but if the backend server does not 
support transactions, then the update is presumably racy.

Ideally, these would be calculated in the backend."

I hope I understand the issue right. What is needed is a list of all the 
groups the user is a member of, as attributes of the user.

ldapsearch -x uid=amoroder

dn: uid=amoroder,ou=users,dc=sb-brixen,dc=it
displayName: andreas moroder
sambaSID: S-1-5-21-1446164725-785473342-1796460581-98765
sambaPrimaryGroupSID: S-1-5-21-xxxxx-xxxx-xxxx-12345
uid: amoroder
gidNumber: 41400
memberOf: cn=internet,ou=groups,dc=sb-brixen,dc=it
memberOf: cn=medinfo,ou=groups,dc=sb-brixen,dc=it
memberOf: cn=bx_informatik-techniker,ou=groups,dc=sb-brixen,dc=it
memberOf: cn=admins,ou=groups,dc=sb-brixen,dc=it
memberOf: cn=Print Operators,ou=groups,dc=sb-brixen,dc=it

If this is needed, then I think we have a solution that has no 
consistency problems. We commissioned a company to write a GPLed overlay 
for OpenLDAP that returns the attributes, creating them dynamically from 
the gidNumber and the memberUID attributes of the groups.

The only drawback is that it is not possible to use this field as a 
e.g. ldapsearch -x memberOf=cn=medinfo,ou=groups,dc=sb-brixen,dc=it
does not work. Probably because the filtering happens before the 
attribute is created.

If this is what is needed then I can post the source.
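
An added illustration of the behaviour described in this message, not the overlay's source and not part of the original post: a small Python model that derives memberOf from the groups' gidNumber and memberUid values and shows why a memberOf filter finds nothing when matching runs against stored data first. The directory contents, the `dc=example,dc=com` suffix and all function names are constructed assumptions.

```python
# Constructed sample data: what is stored on disk. No entry stores memberOf.
BASE = "dc=example,dc=com"
USERS = {
    f"uid=amoroder,ou=users,{BASE}": {"uid": ["amoroder"], "gidNumber": ["41400"]},
    f"uid=guest,ou=users,{BASE}": {"uid": ["guest"], "gidNumber": ["41999"]},
}
GROUPS = {
    f"cn=internet,ou=groups,{BASE}": {"gidNumber": ["41400"], "memberUid": []},
    f"cn=medinfo,ou=groups,{BASE}": {"gidNumber": ["41401"], "memberUid": ["amoroder"]},
    f"cn=guests,ou=groups,{BASE}": {"gidNumber": ["41999"], "memberUid": []},
}


def computed_member_of(user):
    """Derive memberOf: primary group via gidNumber, other groups via memberUid."""
    uid, gid = user["uid"][0], user["gidNumber"][0]
    return sorted(
        dn for dn, g in GROUPS.items()
        if gid in g["gidNumber"] or uid in g["memberUid"]
    )


def with_member_of(user):
    """Return a copy of the entry with the computed memberOf values attached."""
    return {**user, "memberOf": computed_member_of(user)}


def matches(entry, attr, value):
    """Case-insensitive equality match on one attribute."""
    return value.lower() in (v.lower() for v in entry.get(attr, []))


def search_filter_then_compute(attr, value):
    """Ordering suspected in the post: filter stored data, then add memberOf."""
    return {dn: with_member_of(e) for dn, e in USERS.items() if matches(e, attr, value)}


def search_compute_then_filter(attr, value):
    """Hypothetical alternative ordering: add memberOf first, then filter."""
    full = {dn: with_member_of(e) for dn, e in USERS.items()}
    return {dn: e for dn, e in full.items() if matches(e, attr, value)}
```

With the first ordering a search on uid returns the user with memberOf filled in, while a search on memberOf returns no entries because the stored entry has no such attribute at match time.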

