How to use posixGroups with OpenIDM ?

[thechado]

Hello,

Context :
When a group is assigned to a user via a role, the uniqueMember attribute is added.
Goal :
I would like to use posixGroups and therefore have the memberUid attribute updated instead of uniqueMember.
I am using OpenDJ.
(I changed posixGroup to structural on OpenDJ (in 04-rfc2307bis.ldif) ).

I have tried several ways but it's not successful.
Can you help me ?
Thank you.

[vharseko]

maintainPosixGroupMembership
If true, OpenIDM modifies POSIX group membership when entries are renamed or deleted.

[thechado]

Thank you for your answer.

In the connector.json file, I enabled the maintainPosixGroupMembership option.
However, when I add a member to a group, the uniqueMember attribute is added but not memberUid.
I suppose it does not recognise my group as a posixGroup.

I probably have an error in my configuration, but I still can't find it.

[thechado]

Are there any other parameters to consider for OpenIDM to recognise the posix group ?

[vharseko]

please check

• groupMemberAttribute
• groupObjectClasses
• groupNameAttributes

[vharseko]

How to Use posixGroups with OpenIDM and OpenDJ

The Problem

By default, OpenIDM's LDAP connector is configured to manage group membership using the
groupOfUniqueNames object class, which stores members via the uniqueMember attribute
(containing full DNs). When a role is assigned to a user, the connector writes that user's
DN into uniqueMember on the target group entry.

The posixGroup object class works differently:

• It uses memberUid to store membership — containing only the plain uid value (not a full DN).
• It requires a gidNumber attribute on the group entry.
• Members are identified by uid string, not by their distinguished name.

Because of this fundamental schema difference, simply changing the objectClass in OpenDJ
is not enough — the connector configuration must also be updated to match.

---

Required Changes

1. OpenDJ — Group Entry Schema

Your group entries in OpenDJ must use posixGroup as the structural objectClass.
You have already done this by modifying 04-rfc2307bis.ldif.

A valid posixGroup LDIF entry looks like this:

dn: cn=mygroup,ou=Groups,dc=example,dc=com
objectClass: top
objectClass: posixGroup
cn: mygroup
gidNumber: 5000

Important: posixGroup does not use uniqueMember. It uses memberUid,
which holds a plain uid string (e.g. jdoe), not a full DN.

---

2. provisioner.openicf-ldap.json — Three Changes

Change 1: groupMemberAttribute — line 52

Tell the connector to use memberUid instead of uniqueMember for group membership.

- "groupMemberAttribute" : "uniqueMember",
+ "groupMemberAttribute" : "memberUid",

Change 2: maintainPosixGroupMembership — line 40

Enable POSIX group membership maintenance so the connector correctly handles
memberUid updates when users are renamed or deleted.

- "maintainPosixGroupMembership" : false,
+ "maintainPosixGroupMembership" : true,

Change 3: uidAttribute — line 56

This is the most critical change. The memberUid attribute stores a plain uid string,
not a DN. The uidAttribute tells the connector what value to write into memberUid
when adding a user to a group. If left as "dn", the connector will write the full DN
(e.g. uid=jdoe,ou=People,dc=example,dc=com) into memberUid, which is invalid for
posixGroup and will break POSIX resolution on the OS level.

- "uidAttribute" : "dn",
+ "uidAttribute" : "uid",

Note: Changing uidAttribute from "dn" to "uid" also changes how OpenIDM
identifies account objects internally. Make sure your sync mappings and queries
use uid as the identifier, not the full DN. If you have existing data or mappings
that rely on dn as the _id, review them carefully before applying this change
in production.

---

3. objectTypes.group — Replace uniqueMember with memberUid

The group objectType schema in the provisioner defines which LDAP attributes are
mapped. Replace the uniqueMember property with memberUid:

- "uniqueMember" : {
-     "type" : "array",
-     "items" : {
-         "type" : "string",
-         "nativeType" : "string"
-     },
-     "nativeName" : "uniqueMember",
-     "nativeType" : "string"
- },
+ "memberUid" : {
+     "type" : "array",
+     "items" : {
+         "type" : "string",
+         "nativeType" : "string"
+     },
+     "nativeName" : "memberUid",
+     "nativeType" : "string"
+ },

You may also want to add the gidNumber attribute, which is required by posixGroup:

"gidNumber" : {
    "type" : "string",
    "nativeName" : "gidNumber",
    "nativeType" : "string",
    "required" : true
},

---

Summary of All Changes

Location	Property	Old Value	New Value
configurationProperties	groupMemberAttribute	"uniqueMember"	"memberUid"
configurationProperties	maintainPosixGroupMembership	false	true
configurationProperties	uidAttribute	"dn"	"uid"
objectTypes.group.properties	group member field	uniqueMember block	memberUid block

---

Role Assignment — No Changes Needed

The role → assignment → ldapGroups mechanism works the same way.
In your assignment, you still reference the group by its DN:

{
    "name": "ldapGroups",
    "value": [
        "cn=mygroup,ou=Groups,dc=example,dc=com"
    ],
    "assignmentOperation": "mergeWithTarget",
    "unassignmentOperation": "removeFromTarget"
}

OpenIDM resolves the group entry by DN and then writes the user's uid value
into that group's memberUid attribute — provided all three connector properties
above are correctly set.

---

Verification

After applying the changes, trigger a sync and verify in OpenDJ:

ldapsearch \
  --port 1389 \
  --hostname localhost \
  --baseDN "dc=example,dc=com" \
  --bindDN "cn=Directory Manager" \
  --bindPassword password \
  --searchScope sub \
  "(cn=mygroup)" dn cn memberUid

Expected output:

dn: cn=mygroup,ou=Groups,dc=example,dc=com
cn: mygroup
memberUid: jdoe
memberUid: bjensen