@cabal95
Last active June 9, 2018 22:35
Give Apple Open Directory the member and memberOf attributes.
#!/bin/bash
#
# Sync Apple Open Directory posixGroup memberUid values into each group's
# member attribute and each user's memberOf attribute. Uses bash here-strings
# (<<<), so it is run under bash rather than plain sh.
#
LDAPURI="ldapi://%2Fvar%2Frun%2Fldapi"
BASEDN="dc=hdcnet,dc=org"
GROUPDN="cn=groups,$BASEDN"
USERDN="cn=users,$BASEDN"
#
# DNs are taken straight from ldapsearch's LDIF output, so this assumes they
# are plain ASCII and short enough not to be base64-encoded ("dn::") or folded
# onto continuation lines.
#
# Check each defined group
#
groups=$(ldapsearch -x -H "$LDAPURI" -b "$GROUPDN" objectClass=posixGroup dn | grep "^dn:")
while read -r gline; do
    if [ -z "$gline" ]; then continue; fi
    gdn=${gline#dn: }
    #
    # Process member values that need to be added.
    #
    members=$(ldapsearch -x -H "$LDAPURI" -b "$gdn" memberUid | grep "^memberUid:")
    while read -r mline; do
        if [ -z "$mline" ]; then continue; fi
        member=${mline#memberUid: }
        exists=$(ldapsearch -x -H "$LDAPURI" -b "$gdn" "member=uid=$member,$USERDN" dn | grep "^dn:")
        #
        # If the user is not yet listed as a member, add them.
        #
        if [ -z "$exists" ]; then
            ldapmodify -x -H "$LDAPURI" >/dev/null <<__END__
dn: $gdn
changetype: modify
add: member
member: uid=$member,$USERDN
__END__
        fi
    done <<< "$members"
    #
    # Process member values that need to be removed.
    #
    members=$(ldapsearch -x -H "$LDAPURI" -b "$gdn" member | grep "^member:")
    while read -r mline; do
        if [ -z "$mline" ]; then continue; fi
        mdn=${mline#member: }           # the member DN exactly as stored
        uid=${mdn#uid=}; uid=${uid%%,*} # value of its uid RDN
        exists=$(ldapsearch -x -H "$LDAPURI" -b "$gdn" "memberUid=$uid" dn | grep "^dn:")
        #
        # If no matching memberUid exists, remove the stored member value
        # (deleting the stored DN, not a reconstructed one, so the delete
        # also succeeds for member DNs that are not under cn=users).
        #
        if [ -z "$exists" ]; then
            ldapmodify -x -H "$LDAPURI" >/dev/null <<__END__
dn: $gdn
changetype: modify
delete: member
member: $mdn
__END__
        fi
    done <<< "$members"
done <<< "$groups"
#
# Check each defined user
#
users=$(ldapsearch -x -H "$LDAPURI" -b "$USERDN" objectClass=posixAccount dn | grep "^dn:")
while read -r uline; do
    if [ -z "$uline" ]; then continue; fi
    udn=${uline#dn: }
    #
    # Process memberOf values that need to be removed.
    #
    memberOfs=$(ldapsearch -x -H "$LDAPURI" -b "$udn" memberOf | grep "^memberOf:")
    while read -r mline; do
        if [ -z "$mline" ]; then continue; fi
        gdn=${mline#memberOf: }
        exists=$(ldapsearch -x -H "$LDAPURI" -b "$gdn" "member=$udn" dn | grep "^dn:")
        #
        # If the group no longer lists the user as a member, delete the memberOf.
        #
        if [ -z "$exists" ]; then
            ldapmodify -x -H "$LDAPURI" >/dev/null <<__END__
dn: $udn
changetype: modify
delete: memberOf
memberOf: $gdn
__END__
        fi
    done <<< "$memberOfs"
    #
    # Process memberOf values that need to be added.
    #
    groups=$(ldapsearch -x -H "$LDAPURI" -b "$GROUPDN" "(&(objectClass=posixGroup)(member=$udn))" dn | grep "^dn:")
    while read -r gline; do
        if [ -z "$gline" ]; then continue; fi
        gdn=${gline#dn: }
        exists=$(ldapsearch -x -H "$LDAPURI" -b "$udn" "memberOf=$gdn" dn | grep "^dn:")
        #
        # If the user does not yet carry this memberOf, add it.
        #
        if [ -z "$exists" ]; then
            ldapmodify -x -H "$LDAPURI" >/dev/null <<__END__
dn: $udn
changetype: modify
add: memberOf
memberOf: $gdn
__END__
        fi
    done <<< "$groups"
done <<< "$users"
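The same reconciliation as a dry run, added here as an example and not part of the gist: it parses the LDIF that ldapsearch prints (including folded continuation lines and base64 "::" values, which the shell script's grep/cut handling does not cover) and returns the modify operations that would be sent to ldapmodify, without writing anything. The DNs and the `userdn` default below are constructed sample values.

```python
import base64, re
# Constructed sample in the shape ldapsearch prints: one folded value (a line
# starting with a space continues the previous one) and one base64 ("::") value.
GROUPS_LDIF = """dn: cn=admins,cn=groups,dc=example,dc=org
memberUid: alice
memberUid:: Ym9i
member: uid=alice,cn=users,dc=example,dc=org
member: uid=carol,cn=users,
 dc=example,dc=org
"""
USERS_LDIF = """dn: uid=alice,cn=users,dc=example,dc=org
memberOf: cn=old,cn=groups,dc=example,dc=org

dn: uid=bob,cn=users,dc=example,dc=org
"""

def parse_ldif(text):
    """Entries as [{'dn': ..., 'attrs': {name: [values]}}] from ldapsearch LDIF output."""
    entries, cur = [], None
    for line in re.sub(r'\n ', '', text).splitlines() + ['']:  # unfold; '' flushes the last entry
        if line.startswith('#'):                                # ldapsearch comments / trailer
            continue
        if not line:
            entries += [cur] if cur else []
            cur = None
            continue
        name, _, value = line.partition(':')
        value = base64.b64decode(value[1:].strip()).decode() if value.startswith(':') else value.strip()
        if name == 'dn':
            cur = {'dn': value, 'attrs': {}}
        elif cur:
            cur['attrs'].setdefault(name, []).append(value)
    return entries

def plan(groups_ldif, users_ldif, userdn='cn=users,dc=example,dc=org'):
    """The (dn, changetype, attr, value) modifies the script would apply; writes nothing.
    DNs are compared as exact strings here; the script's LDAP filters let the server match."""
    ops, member_of = [], {}
    for g in parse_ldif(groups_ldif):
        want = {'uid=%s,%s' % (u, userdn) for u in g['attrs'].get('memberUid', [])}
        have = set(g['attrs'].get('member', []))
        for dn in want:
            member_of.setdefault(dn, set()).add(g['dn'])
        ops += [(g['dn'], 'add', 'member', m) for m in sorted(want - have)]
        ops += [(g['dn'], 'delete', 'member', m) for m in sorted(have - want)]  # stored DN as-is
    for u in parse_ldif(users_ldif):
        want, have = member_of.get(u['dn'], set()), set(u['attrs'].get('memberOf', []))
        ops += [(u['dn'], 'add', 'memberOf', g) for g in sorted(want - have)]
        ops += [(u['dn'], 'delete', 'memberOf', g) for g in sorted(have - want)]
    return ops
```

Running `plan(GROUPS_LDIF, USERS_LDIF)` on the sample yields one member add and one member delete for cn=admins, and the memberOf changes for alice and bob; feed real `ldapsearch -x ... '(objectClass=posixGroup)' memberUid member` output in to review before the cron job is allowed to write.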
cabal95 (author) commented Jul 26, 2014

To use this, place this script on your Apple LDAP server somewhere. Update the first few lines to match your server settings (usually just the BASEDN value). Run the script as root:
sudo ./update_memberUid_to_member.sh

If all goes well you can add this to a cron job. Depending on the size of your user/group count it may take a while to run. I have about 150 users and 15 groups and it takes 90 seconds on a 2013 Mac Mini server. I have it scheduled to run once every 4 hours.

@stats2909

This 50% works for me, so I'm happier than I was this morning :) thanks

.... I'm running OS X 10.10.3 and Server 4.1

This script creates and populates the 'member' attributes within the LDAP 'groups' records perfectly, but the user records remain unaltered by the script.

Initially I got an error "member attribute unknown", so I swapped the running order to add member attributes first. The script now runs without errors but still does not update the user records with the memberOf values. Anyone have any ideas?
