
Re: Assigning Groups to LDAP users



15.08.2011 17:24, pradyumna dash wrote:
Hi,

I have created 2 groups and modified the ldap.conf file on the client as below

nss_base_passwd ou=people,dc=example,dc=com?one
nss_base_shadow ou=people,dc=example,dc=com?one
nss_base_group  ou=Group,dc=example,dc=com?one

From the client, when I run getent I can see my groups and users, but
when I log in as a user and try id, it shows me the primary group, not the
secondary groups I have added.

Could you please show the DNs of the primary and secondary groups and the body of these objects (object classes and attributes)?

WBR


I am using SLES 11 SP1.

Regards,
Pradyumna

2011/8/15 Dmitriy Kirhlarov <dimma@higis.ru>

    Please keep the list address in the Cc.

    WBR


    On 08/14/2011 04:20 PM, pradyumna dash wrote:

        Thank you so much.

        I will try it this week and get back to you in case of any issues.

        Thanks for your time.

        Regards,
        Pradyumna

        2011/8/14 Dmitriy Kirhlarov <dimma@higis.ru>




            On 08/14/2011 03:18 PM, pradyumna dash wrote:

                Hi,

                Thank you so much.  I have never worked a lot on nss_ldap, so
                I am asking some basic questions.

                As you said, you guys are running the same in your env.

                ldap:
                personal user groups:
                ou=groups,o=company
                first project groups:
                cn=group1,ou=project1,o=company
                cn=group2,ou=project1,o=company

                -- Do I need to create separate OUs for different groups?


            Up to you.

            You need some "separator" between projects. It can be a branch
            in the tree, or scope "base" in the filter configuration in the
            nss_ldap.conf file.

            We prefer branches. It's more readable when you have many
            groups and many projects.


                second project groups:
                cn=group1,ou=project2,o=company
                cn=group2,ou=project2,o=company
                -- How can I specify the users who are part of which group?


            dn: cn=group1,ou=project1,o=company
            objectClass: posixGroup
            cn: group1
            gidNumber: 1000
            description: project1 admin group
            memberUid: user1
            memberUid: user2
            memberUid: user3


                "Server1" nss_ldap.conf:
                nss_base_group          ou=groups,o=company?sub
                nss_base_group          ou=project1,o=company?one
                -- The syntax in the conf file will be like the above?? Because I
                have never used ?sub and ?one.


            It's URI (http://en.wikipedia.org/wiki/URI_scheme) syntax.
            You should write the second part of the URI (after the connection
            description) with base, scope and filter.


        "Server2" nss_ldap.conf:
                nss_base_group          ou=groups,o=company?sub
                nss_base_group          ou=project2,o=company?one

                Also, if you can help: I am trying "pwdReset" for my ldap
                users. In the ppolicy.schema file I have uncommented this
                attribute but am not able to load the schema; if you can give
                me some pointers it would be appreciated.
                What I want is that when any user logs in for the first time he
                will be asked to change his password.


            1. try to start slapd with "-d config"
            2. take a look at
            http://www.zytrax.com/books/ldap/ch6/ppolicy.html

            WBR


                Regards,
                Neo

                I am not an expert in OpenLDAP, so please help me.
                2011/8/14 Dmitriy Kirhlarov <dimma@higis.ru>


                    Hi.


                    On 08/12/2011 07:40 PM, Buchan Milne wrote:

                        On Wednesday, 10 August 2011 10:11:17 pradyumna dash wrote:

                            Guys,

                            I have a query; let's take a scenario:

                            Assume we have 2 servers "Server1" and "Server2" and
                            2 groups "Admin" and "ITTech". What is needed is, say,
                            when a user "bob" logs in to "Server1" he will get the
                            group "Admin", but when he logs in to "Server2" he will
                            get group "ITTech".  Also it may vary for different
                            users: when "Kris" logs in to Server1 he may get a
                            group called "ITTech" and when he logs in to "Server2"
                            he will get some other group, say "Security".
                            Is this possible with OpenLDAP?


                        IMHO, this is a bad idea. It will specifically be
                        problematic if you have any files shared/replicated/backed
                        up between servers (e.g. via NFS).


                    We are using this functionality without any problems. :)
                    This is a feature of nss_ldap.

                    ldap:
                    personal user groups:
                    ou=groups,o=company

                    first project groups:
                    cn=group1,ou=project1,o=company
                    cn=group2,ou=project1,o=company

                    second project groups:
                    cn=group1,ou=project2,o=company
                    cn=group2,ou=project2,o=company

                    "Server1" nss_ldap.conf:
                    nss_base_group          ou=groups,o=company?sub
                    nss_base_group          ou=project1,o=company?one

                    "Server2" nss_ldap.conf:
                    nss_base_group          ou=groups,o=company?sub
                    nss_base_group          ou=project2,o=company?one


                    WBR


                            If this is achieved then we are planning
                            to have SUDO files based on the groups.


                        It would be much more effective to have your sudo rules
                        in LDAP, and apply a rule for a set of users/groups to a
                        collection/netgroup of hosts.

                        Regards,
                        Buchan
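As an added example (not code from this thread or from nss_ldap itself), the Python script below models how the per-host nss_base_group entries Dmitriy describes select posixGroup objects: each line is an LDAP-URL-style "base?scope", the scope (base, one or sub) decides which part of the tree the host searches, and memberUid decides which users belong. The directory contents are constructed sample data that follow the thread's layout, so you can see why the same user resolves different supplementary groups on Server1 and Server2.

```python
from typing import Dict, List, Tuple

# Constructed sample directory (DN -> attributes), following the layout from the thread:
# personal groups under ou=groups, per-project groups under ou=projectN.
DIRECTORY: Dict[str, Dict[str, List[str]]] = {
    "cn=users,ou=groups,o=company":    {"gidNumber": ["100"], "memberUid": ["bob", "kris"]},
    "cn=group1,ou=project1,o=company": {"gidNumber": ["1000"], "memberUid": ["bob"]},
    "cn=group2,ou=project1,o=company": {"gidNumber": ["1001"], "memberUid": ["kris"]},
    "cn=group1,ou=project2,o=company": {"gidNumber": ["2000"], "memberUid": ["kris"]},
    "cn=group2,ou=project2,o=company": {"gidNumber": ["2001"], "memberUid": ["bob"]},
}

def rdns(dn: str) -> List[str]:
    """Split a DN into normalised RDNs (no support for escaped commas; enough for this sample)."""
    return [part.strip().lower() for part in dn.split(",")]

def in_scope(dn: str, base: str, scope: str) -> bool:
    """LDAP URL scope semantics: base = the entry itself, one = direct children, sub = whole subtree."""
    d, b = rdns(dn), rdns(base)
    if len(d) < len(b) or d[len(d) - len(b):] != b:
        return False  # dn is not beneath base at all
    depth = len(d) - len(b)
    return {"base": depth == 0, "one": depth == 1, "sub": True}[scope]

def parse_nss_base(line: str) -> Tuple[str, str]:
    """Parse 'nss_base_group base?scope?filter'; nss_ldap defaults the scope to sub when omitted."""
    _, uri = line.split(None, 1)
    parts = uri.split("?")
    scope = parts[1] if len(parts) > 1 and parts[1] else "sub"
    return parts[0], scope

def supplementary_groups(config: List[str], user: str) -> List[str]:
    """Group cn values this host would report for user, i.e. what `id user` lists beyond the primary group."""
    bases = [parse_nss_base(line) for line in config if line.startswith("nss_base_group")]
    names = []
    for dn, attrs in DIRECTORY.items():
        if user in attrs.get("memberUid", []) and any(in_scope(dn, b, s) for b, s in bases):
            names.append(rdns(dn)[0].split("=", 1)[1])
    return sorted(names)

# The two host configurations from the thread (same directory, different nss_base_group lines).
SERVER1 = ["nss_base_group ou=groups,o=company?sub", "nss_base_group ou=project1,o=company?one"]
SERVER2 = ["nss_base_group ou=groups,o=company?sub", "nss_base_group ou=project2,o=company?one"]

if __name__ == "__main__":
    for host, cfg in (("Server1", SERVER1), ("Server2", SERVER2)):
        for user in ("bob", "kris"):
            print(host, user, supplementary_groups(cfg, user))
```

A real nss_ldap lookup also applies the optional filter part of the URI and the objectClass filter for the group map; this model leaves those out to keep the scope logic visible.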