Hi all, I want to thank you all for taking the time to give me the information I needed. I was able to get going in the right direction afterwards. In the end, the solutuion was to move the ldif files, enable the plug-in, run the fix-up, add objectclass, inetuser and add attribute memberof to each class. At the time when I got it to work, my understanding was still missing since, my interpretation was that after running the fix up, the query would work, but this was not the case. After working with it a bit more over the week and adding another group, I think I have been able to piece together why I had problems. Mark, I did not fully understand what you mentioned until I saw it working. A few more questions are raised based on what I see. My understanding at this point is that the instructions did not work right off the bat because our groups are not using a consistent objectclass and attribute convention. Some groups have objectclass, groupofuniquenames and memberuid with no DN only memberUID. Others have groupofnames with member and full DN. These seem to be the ones that work correctly. When I added a user to the group that has objectclass, groupofnames and member attribute, the user entry automatically populates memberOf with the full DN listed. After I made the updates to that group and user entries for reflect groupofnames and member, I was able to run the filter query without any problems. At his point, I'm thinking it would be best to add the groupofnames objectclass and member attribute to the other groups to ensure everything operates in a similar way. Fortunately this is part of a new envrionment (with imported data) so I have the luxury of bringing each application in one by one over a period of time. Is there a possibility to that I would run into any problems with that plan? Am I correct in thinking that the schema should have added the objectclass and attributes automatically? If so, I was going to spend some time looking into that. It looks like my understanding would greatly increased by reading more of the documentation. I've noticed that there are at least a few RFC's which define the proper behaviour, so I'll be reading those next. William, thank you for your input as well! Your statement about the LDAP community not implmenting groups properly make me wonder, what is the point of contention why it would not function correctly out of the box? Is their disagreement about how RFC standards are to be implmented? This whole thing just seems kinda unusual to me. I see your point about it working right off in my case. I think the issue was that for whatever reason, DN was not used but the memberUID. I don't know if you all would have any information about this but is there a standard/popular self service UI that is recommended for users to manage their passwords? Thanks again! -Saul _______________________________________________ 389-users mailing list -- 389-users@xxxxxxxxxxxxxxxxxxxxxxx To unsubscribe send an email to 389-users-leave@xxxxxxxxxxxxxxxxxxxxxxx
