
Re: Assigning Groups to LDAP users



Hi,

Please find the contents as below.

dn: cn=pradyumna,ou=People,dc=example,dc=com
objectClass: person
objectClass: inetOrgPerson
objectClass: posixAccount
cn: pradyumna
uid: pradyumna
sn: dash
structuralObjectClass: inetOrgPerson
entryUUID: c479788c-5b6d-1030-9d75-19f66ff1c84f
creatorsName: cn=manager,dc=example,dc=com
createTimestamp: 20110815093616Z
uidNumber: 507
gidNumber: 100
homeDirectory: /home/pradyumna
loginShell: /bin/bash
userPassword:: e1NTSEF9Q1lrZTVOQTM5ZUppSVlzL1YwbnR2a0pGemQ1ekVxbWQ=
entryCSN: 20110815130355.986136Z#000000#000#000000
modifiersName: cn=Manager,dc=example,dc=com
modifyTimestamp: 20110815130355Z

dn: cn=m3,ou=Group,dc=example,dc=com
objectClass: posixGroup
objectClass: groupOfNames
gidNumber: 100
cn: m3
structuralObjectClass: groupOfNames
entryUUID: 15582474-5b73-1030-9d76-19f66ff1c84f
creatorsName: cn=manager,dc=example,dc=com
createTimestamp: 20110815101419Z
memberUid: pradyumna
member: cn=test,ou=People,dc=example,dc=com
entryCSN: 20110815130141.119665Z#000000#000#000000
modifiersName: cn=manager,dc=example,dc=com
modifyTimestamp: 20110815130141Z

I think this is what you asked for.

Regards,
Neo

On Mon, Aug 15, 2011 at 6:36 PM, Dmitriy Kirhlarov <dimma@higis.ru> wrote:
15.08.2011 17:24, pradyumna dash wrote:

Hi,

I have created 2 groups and modified the ldap.conf file on the client as
below

nss_base_passwd ou=people,dc=example,dc=com?one
nss_base_shadow ou=people,dc=example,dc=com?one
nss_base_group  ou=Group,dc=example,dc=com?one

From the client when I run getent I can see my groups and users, but
when I log in as a user and try id it shows me the primary group, not the
secondary groups I have added.

Could you please show the DN of the primary and secondary groups and the body of these objects (object classes and attributes)?

WBR


I am using SLES 11 SP1.

Regards,
Pradyumna

2011/8/15 Dmitriy Kirhlarov <dimma@higis.ru>


   please, keep a list address in the Cc.

   WBR


   On 08/14/2011 04:20 PM, pradyumna dash wrote:

       Thank you so much.

       I will try it this week and get back to you in case of any issues.

       Thanks for your time.

       Regards,
       Pradyumna

        2011/8/14 Dmitriy Kirhlarov <dimma@higis.ru>




           On 08/14/2011 03:18 PM, pradyumna dash wrote:

               Hi,

                Thank you so much.  I have never worked a lot with nss_ldap so I am
                asking some basic questions.

                As you said, you guys are running the same in your env.

               ldap:
               personals user groups:
               ou=groups,o=company
               first project groups:
                cn=group1,ou=project1,o=company
                cn=group2,ou=project1,o=company

                -- Do I need to create separate OUs for different groups?


           Up to you.

           You need some "separator" between projects. It can be a branch in the
           tree, or scope "base" in the filter configuration in the nss_ldap.conf file.

           We prefer branches. It's more readable when you have many groups and
           many projects.


               second project groups:
                cn=group1,ou=project2,o=company
                cn=group2,ou=project2,o=company
                -- How can I specify which users are part of which group?


           cn=group1,ou=project1,o=company
           objectClass: posixGroup
           cn: group1
           gidNumber: 1000
           description: project1 admin group
           memberUid: user1
           memberUid: user2
           memberUid: user3


       "Server1" nss_ldap.conf:
               nss_base_group          ou=groups,o=company?sub
               nss_base_group          ou=project1,o=company?one
                -- Will the syntax in the conf file be like the above? Because I
                have never used ?sub and ?one.


           It's URI (http://en.wikipedia.org/wiki/URI_scheme) syntax.
           You should write the second part of the URI (after the connection
           description) with base, scope and filter.


       "Server2" nss_ldap.conf:
               nss_base_group          ou=groups,o=company?sub
               nss_base_group          ou=project2,o=company?one

                Also, if you can help, I am trying "pwdReset" for my ldap users; in
                the ppolicy.schema file I have uncommented this attribute but am not
                able to load the schema. If you can give me some pointers it would be
                appreciated. What I want is that when any user logs in for the first
                time he will be asked to change his password.


           1. try to start slapd with "-d config"
           2. take a look at http://www.zytrax.com/books/ldap/ch6/ppolicy.html

           WBR


               Regards,
               Neo

                I am not an expert in OpenLDAP so please help me.
                2011/8/14 Dmitriy Kirhlarov <dimma@higis.ru>



                   Hi.


                   On 08/12/2011 07:40 PM, Buchan Milne wrote:

                       On Wednesday, 10 August 2011 10:11:17 pradyumna
       dash wrote:

                           Guys,

                            I have a query, let's take a scenario:

                            Assume we have 2 servers "Server1" and "Server2" and 2
                            groups "Admin" and "ITTech". What is needed is, say, when
                            a user "bob" logs in to "Server1" he will get the group
                            "Admin", but when he logs in to "Server2" he will get the
                            group "ITTech". Also it may vary for different users, like
                            when "Kris" logs in to Server1 he may get a group called
                            "ITTech" and when he logs in to "Server2" he will get some
                            other group, say "Security".
                            Can it be possible with OpenLDAP?


                        IMHO, this is a bad idea. It will specifically be problematic
                        if you have any files shared/replicated/backed up between
                        servers (e.g. via NFS).


                    We are using this functionality without any problems. :)
                    This is a feature of nss_ldap.

                   ldap:
                   personals user groups:
                   ou=groups,o=company

                   first project groups:
                    cn=group1,ou=project1,o=company
                    cn=group2,ou=project1,o=company

                   second project groups:
                    cn=group1,ou=project2,o=company
                    cn=group2,ou=project2,o=company

       "Server1" nss_ldap.conf:
                   nss_base_group          ou=groups,o=company?sub
                   nss_base_group          ou=project1,o=company?one

       "Server2" nss_ldap.conf:
                   nss_base_group          ou=groups,o=company?sub
                   nss_base_group          ou=project2,o=company?one


                   WBR


                            If this is achieved then we are planning
                            to have SUDO files based on the groups.


                        It would be much more effective to have your sudo rules in
                        LDAP, and apply a rule to a set of users/groups to a
                        collection/netgroup of hosts.

                       Regards,
                       Buchan
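Added example, not code from the thread or from nss_ldap: a small offline model of what the nss_base_group lines discussed above actually do. It parses the "base?scope?filter" form Dmitriy describes, applies the "one" and "sub" scopes to an in-memory directory, and reports the groups a host would see for a user, following the posixGroup/memberUid convention in his example (the "member" attribute is ignored, as nss_ldap's group map does not use it). The directory is constructed for the example; pradyumna and m3 are trimmed copies of the entries Neo posted, kris and the ou=groups / ou=project1 / ou=project2 groups follow Dmitriy's layout, and the extra cn=nested group under ou=team,ou=project2 is there only to show the difference between "?one" and "?sub". All function names are the example's own.

```python
"""Added example (not code from the thread or from nss_ldap): an offline model
of how the nss_ldap group map applies nss_base_group lines (base?scope?filter)
to decide which secondary groups `id` reports on a host. The directory below is
constructed; pradyumna/m3 are trimmed copies of the entries posted in the thread."""

CONSTRUCTED_LDIF = """\
dn: cn=pradyumna,ou=People,dc=example,dc=com
uid: pradyumna
gidNumber: 100
dn: cn=m3,ou=Group,dc=example,dc=com
objectClass: posixGroup
cn: m3
gidNumber: 100
memberUid: pradyumna
dn: uid=kris,ou=people,o=company
uid: kris
gidNumber: 500
dn: cn=staff,ou=groups,o=company
objectClass: posixGroup
cn: staff
gidNumber: 500
memberUid: kris
dn: cn=group1,ou=project1,o=company
objectClass: posixGroup
cn: group1
gidNumber: 1000
memberUid: kris
dn: cn=group1,ou=project2,o=company
objectClass: posixGroup
cn: group1
gidNumber: 2000
memberUid: kris
dn: cn=nested,ou=team,ou=project2,o=company
objectClass: posixGroup
cn: nested
gidNumber: 2001
memberUid: kris
"""
# Host configurations taken from the thread (Dmitriy's Server1/Server2, Neo's client).
SERVER1 = ["nss_base_group ou=groups,o=company?sub",
           "nss_base_group ou=project1,o=company?one"]
SERVER2 = ["nss_base_group ou=groups,o=company?sub",
           "nss_base_group ou=project2,o=company?one"]
NEO_CLIENT = ["nss_base_group ou=Group,dc=example,dc=com?one"]


def parse_ldif(text):
    """Minimal LDIF parser -> list of {attr: [values]}; each 'dn:' line starts an entry."""
    entries = []
    for line in text.splitlines():
        attr, _, value = line.partition(":")
        if attr.strip().lower() == "dn":
            entries.append({})
        if line.strip():
            entries[-1].setdefault(attr.strip().lower(), []).append(value.strip(": "))
    return entries

def in_scope(entry_dn, base_dn, scope):
    """'one' = direct children of base only; 'sub' = base and its whole subtree."""
    e = tuple(r.strip().lower() for r in entry_dn.split(","))
    b = tuple(r.strip().lower() for r in base_dn.split(","))
    if scope == "one":
        return e[1:] == b
    if scope == "sub":
        return len(e) >= len(b) and e[len(e) - len(b):] == b
    raise ValueError(f"unsupported scope {scope!r}")

def parse_nss_base(line):
    """'nss_base_group base?scope?filter' -> (base, scope, filter); the scope
    defaults to sub and the filter to (objectClass=posixGroup), as in nss_ldap."""
    parts = line.split(None, 1)[1].strip().split("?")
    scope = parts[1] if len(parts) > 1 and parts[1] else "sub"
    filt = parts[2] if len(parts) > 2 and parts[2] else "(objectClass=posixGroup)"
    return parts[0], scope, filt

def matches_filter(entry, filt):
    """Only the simple (attr=value) equality filters these configs use."""
    attr, value = filt.strip().strip("()").split("=", 1)
    return value.lower() in (v.lower() for v in entry.get(attr.lower(), []))

def simulate_id(uid, entries, nss_base_group_lines):
    """Model of `id <uid>` on a host with these lines: primary group name (by
    gidNumber) plus the sorted (gid, cn) list of visible groups whose memberUid
    contains the user. Groups outside every base/scope are invisible to the host."""
    user = next(e for e in entries if uid in e.get("uid", []))
    gid, primary, secondary = int(user["gidnumber"][0]), None, {}
    for line in nss_base_group_lines:
        base, scope, filt = parse_nss_base(line)
        for g in entries:
            if not (in_scope(g["dn"][0], base, scope) and matches_filter(g, filt)):
                continue
            g_gid, cn = int(g["gidnumber"][0]), g["cn"][0]
            if g_gid == gid:
                primary = cn
            if uid in g.get("memberuid", []):
                secondary[g_gid] = cn
    return {"uid": uid, "gid": gid, "primary": primary, "groups": sorted(secondary.items())}


if __name__ == "__main__":
    d = parse_ldif(CONSTRUCTED_LDIF)
    print(simulate_id("kris", d, SERVER1), simulate_id("kris", d, SERVER2), sep="\n")
```

Running it, kris gets staff and project1's group1 on Server1 but staff and project2's group1 on Server2, which is the per-host behaviour Dmitriy describes; cn=nested only appears if ou=project2 is searched with "?sub", because "?one" stops at the direct children of the base. Run against Neo's posted entries with his "ou=Group,dc=example,dc=com?one" line, the model reports m3 as both the primary group and the only group listing pradyumna in memberUid, since m3 carries gidNumber 100, the same value as the user's gidNumber.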