Dynamic posixGroup, dynlist overlay
Hi,
I'm trying to use the dynlist overlay as a dynamic group container.
system config:
OS: debian lenny
slapd: 2.4.11-1
slapd.conf
[...]
moduleload dynlist
overlay dynlist
dynlist-attrset groupOfNames labeledURI member
When I do a search like:
ldapsearch -x cn=ssh_admin
I get:
# extended LDIF
#
# LDAPv3
# base <dc=domain,dc=com> (default) with scope subtree
# filter: cn=ssh_admin
# requesting: ALL
#
# ssh_admin, Server, domain.com
dn: cn=ssh_admin,ou=Server,dc=domain,dc=com
objectClass: groupOfNames
objectClass: labeledURIObject
objectClass: top
objectClass: posixGroup
cn: ssh_admin
member: uid=user1,ou=People,dc=domain,dc=com
member: uid=user2,ou=People,dc=domain,dc=com
labeledURI:ldap:///ou=People,dc=domain,dc=com??sub?(&(objectClass=posixAccount))
gidNumber: 30000
user1 is added manually, since at least one member attribute is required
by groupOfNames (posixGroup is an auxiliary type)
And such a request:
ldapsearch -x "(member=uid=user1,ou=People,dc=domain,dc=com)"
results in:
# extended LDIF
#
# LDAPv3
# base <dc=domain,dc=com> (default) with scope subtree
# filter: (member=uid=user1,ou=People,dc=domain,dc=com)
# requesting: ALL
#
# ssh_admin, Server, domain.com
dn: cn=ssh_admin,ou=Server,dc=domain,dc=com
objectClass: groupOfNames
objectClass: labeledURIObject
objectClass: top
objectClass: posixGroup
cn: ssh_admin
member: uid=user1,ou=People,dc=domain,dc=com
member: uid=user2,ou=People,dc=domain,dc=com
labeledURI:ldap:///ou=People,dc=domain,dc=com??sub?(&(objectClass=posixAccount))
gidNumber: 30000
BUT with this one, which is a search done by a Linux system when, e.g.,
doing id user2:
ldapsearch -x "(member=uid=user2,ou=People,dc=domain,dc=com)"
I get:
# extended LDIF
#
# LDAPv3
# base <dc=domain,dc=com> (default) with scope subtree
# filter: (member=uid=user2,ou=People,dc=domain,dc=com)
# requesting: ALL
#
# search result
search: 2
result: 0 Success
# numResponses: 1
My question is: how to make use of dynlist to get it working with a
Linux system, to automate group assignments. Or is there another way to
do it?
The goal is to have dynamic posixGroups generated upon some specified
filters, as shown in the example, to manage the authorization to a
service (for instance sshd).
Thanks for any suggestions and help.
--
Wiktor Warmus
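
The three results in the post above are consistent with the slapo-dynlist(5) note that dynamically added attributes do not participate in filter matching. The following is an added example, not part of the original post and not OpenLDAP code: a simplified Python model with constructed data and hypothetical function names (expand, search, groups_of) that reproduces the three searches.

```python
# Simplified model (an assumption, not slapd code) of the dynlist behaviour:
# the search filter is evaluated against the STORED entry, and the overlay
# adds dynamic values only to entries that are already being returned.

# Constructed directory contents mirroring the post.
PEOPLE = [
    "uid=user1,ou=People,dc=domain,dc=com",
    "uid=user2,ou=People,dc=domain,dc=com",
]
GROUP_DN = "cn=ssh_admin,ou=Server,dc=domain,dc=com"
STORED = {
    GROUP_DN: {
        "cn": ["ssh_admin"],
        # Only the manually added member is actually stored in the entry.
        "member": ["uid=user1,ou=People,dc=domain,dc=com"],
        "labeledURI": [
            "ldap:///ou=People,dc=domain,dc=com??sub?(&(objectClass=posixAccount))"
        ],
    }
}

def expand(entry):
    """Stand-in for dynlist: resolve labeledURI and merge results into member."""
    out = {k: list(v) for k, v in entry.items()}
    if "labeledURI" in out:
        # The URI in the post selects every posixAccount under ou=People.
        for dn in PEOPLE:
            if dn not in out["member"]:
                out["member"].append(dn)
    return out

def search(attr, value):
    """Equality search: match on stored values first, expand afterwards."""
    hits = {}
    for dn, entry in STORED.items():
        if value in entry.get(attr, []):   # filter phase sees stored data only
            hits[dn] = expand(entry)       # response phase adds dynamic members
    return hits

def groups_of(user_dn):
    """Reverse lookup as issued for `id <user>`: (member=<user DN>)."""
    return sorted(search("member", user_dn))

if __name__ == "__main__":
    print(search("cn", "ssh_admin")[GROUP_DN]["member"])  # both users listed
    print(groups_of(PEOPLE[0]))  # user1 is stored, so the group is found
    print(groups_of(PEOPLE[1]))  # user2 is dynamic only, so nothing matches
```

In this model a service that authorizes by reverse membership lookup never sees dynamic-only members, even though reading the group entry lists them.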