I've seen similar questions related to configuring Apache to authenticate via LDAP, but this basic question still has me confused.
In my setup, I created users who all have the same primary GID, then I added users to various (supplementary/secondary) groups. I have tested these user accounts, and in most situations everything works fine - my permissions based on supplementary group membership are working. I used the smbldap-tools package to configure my users and groups, and specifically I used smbldap-usermod -G +NEW_GROUP user to add users to the supplementary groups.
If I do getent group I see those supplementary groups and their members. Good.
If I look at the LDAP entry for one of the supplementary groups, I see all the users listed just as expected.
However, when I look at each user's LDAP entry, only a gidNumber corresponding to the primary group is listed. That is, the LDAP entries for each user only list the primary group, and have no mention of secondary groups.
How does Samba/LDAP (using smbldap-tools) handle supplementary/secondary groups?
Further, how could I form a search filter to identify members of a supplementary group?
LDAP is just a directory of information. How that information gets stored and retrieved is up to the application. In this case, posix users and groups are modeled after the /etc/passwd and /etc/group files. Each user entry lists the gid for its primary group. Each group lists all of its members (usually less the ones listing it as their primary group).
Samba and the various nss plugins to store user and group info in LDAP all do a search to find the groups a user is a member of at log in. The memberUid attribute should be indexed to make group membership searches fast. For a given user account, the search filter is something like:
If you wanted to see the users in a particular group, you could search with:
This assumes that all of your groups are of the posixGroup objectClass.
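The following is an added example, not code from the question or either answer: a small in-memory model of posixAccount and posixGroup entries, shaped the way the answer above describes them (the account carries only its primary gidNumber; each group lists its supplementary members in memberUid). It builds the two search filters the answer refers to, a "groups this user belongs to" filter and a "members of this group" filter, evaluates them against constructed sample entries, and resolves a user's full group list the way NSS does at login. The directory entries, the dc=example,dc=com suffix and all helper names are assumptions for illustration. One caveat worth seeing in code: when the username comes from outside (a login form, an HTTP header), it must be escaped per RFC 4515 before it is placed in the filter, otherwise a value containing "*" or ")" changes the meaning of the query.

```python
"""Toy model of POSIX users/groups in LDAP and the membership searches over them.
Sample entries are constructed; helper names are hypothetical."""
import re


def escape_filter_value(value: str) -> str:
    """Escape a value for use inside an RFC 4515 filter, so a uid or cn containing
    '*', '(', ')', '\\' or NUL cannot alter the filter's structure."""
    return "".join(
        "\\%02x" % ord(ch) if ch in "*()\\\x00" else ch for ch in value
    )


def unescape_filter_value(value: str) -> str:
    """Reverse of escape_filter_value, used by the toy matcher below."""
    return re.sub(r"\\([0-9a-fA-F]{2})", lambda m: chr(int(m.group(1), 16)), value)


def user_groups_filter(uid: str) -> str:
    """Filter finding every posixGroup that lists the user in memberUid."""
    return f"(&(objectClass=posixGroup)(memberUid={escape_filter_value(uid)}))"


def group_by_name_filter(cn: str) -> str:
    """Filter finding a posixGroup by its cn; its memberUid values are the members."""
    return f"(&(objectClass=posixGroup)(cn={escape_filter_value(cn)}))"


# Constructed directory: accounts carry only their primary gidNumber, and each
# group lists its supplementary members (never its primary-only members).
DIRECTORY = [
    {"dn": "uid=alice,ou=People,dc=example,dc=com", "objectClass": ["posixAccount"],
     "uid": ["alice"], "gidNumber": ["513"]},
    {"dn": "uid=bob,ou=People,dc=example,dc=com", "objectClass": ["posixAccount"],
     "uid": ["bob"], "gidNumber": ["513"]},
    {"dn": "cn=users,ou=Groups,dc=example,dc=com", "objectClass": ["posixGroup"],
     "cn": ["users"], "gidNumber": ["513"], "memberUid": []},
    {"dn": "cn=www,ou=Groups,dc=example,dc=com", "objectClass": ["posixGroup"],
     "cn": ["www"], "gidNumber": ["1001"], "memberUid": ["alice"]},
    {"dn": "cn=backup,ou=Groups,dc=example,dc=com", "objectClass": ["posixGroup"],
     "cn": ["backup"], "gidNumber": ["1002"], "memberUid": ["alice", "bob"]},
]


def parse_filter(text: str):
    """Parse the filter subset used here: (&(a=v)(b=v)...) or (a=v).
    Values are hex-escaped, so a literal ')' never appears inside one."""
    def parse(i):
        if text[i] != "(":
            raise ValueError("expected '(' at offset %d" % i)
        if text[i + 1] == "&":
            items, i = [], i + 2
            while text[i] == "(":
                node, i = parse(i)
                items.append(node)
            if text[i] != ")":
                raise ValueError("unterminated AND at offset %d" % i)
            return ("and", items), i + 1
        end = text.index(")", i)
        attr, val = text[i + 1:end].split("=", 1)
        return ("eq", attr, unescape_filter_value(val)), end + 1
    node, end = parse(0)
    if end != len(text):
        raise ValueError("trailing data in filter")
    return node


def matches(node, entry) -> bool:
    """Equality-only matching (a real server would treat an unescaped '*' as a
    wildcard, which is exactly why escape_filter_value exists)."""
    if node[0] == "and":
        return all(matches(child, entry) for child in node[1])
    _, attr, val = node
    return val in entry.get(attr, [])


def search(filter_text: str):
    node = parse_filter(filter_text)
    return [e for e in DIRECTORY if matches(node, e)]


def resolve_groups(uid: str):
    """initgroups(3)-style resolution: the primary gid from the account entry plus
    every group whose memberUid lists the uid. Returns sorted gids."""
    accounts = search(f"(&(objectClass=posixAccount)(uid={escape_filter_value(uid)}))")
    if not accounts:
        return []
    gids = {int(accounts[0]["gidNumber"][0])}
    gids.update(int(g["gidNumber"][0]) for g in search(user_groups_filter(uid)))
    return sorted(gids)


def members_of(cn: str):
    """Explicit members of a group. Users whose primary group this is are not in
    memberUid, mirroring /etc/group, so 'users' comes back empty here."""
    groups = search(group_by_name_filter(cn))
    return sorted(groups[0]["memberUid"]) if groups else []


if __name__ == "__main__":
    print(user_groups_filter("alice"))
    for user in ("alice", "bob"):
        print(user, resolve_groups(user))
    print("backup members:", members_of("backup"))
```

Run with `python3 this_file.py`. Note that `members_of("users")` returns nothing even though every account has gidNumber 513: listing a group's complete membership means combining its memberUid values with a second search for accounts whose gidNumber equals the group's gidNumber, which is the asymmetry the question ran into.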
I'm not a big OpenLDAP user, but if this were an Active Directory environment I'd use the "memberOf" attribute present in each user account object. In the OpenLDAP world, it looks like the memberOf overlay will do what you're looking for. I suspect this question will tell you what you need to know to get this going.