
Re: Assigning Groups to LDAP users



Hi.

16.08.2011 11:27, pradyumna dash writes:
dn: cn=pradyumna,ou=People,dc=example,dc=com

It's Ok.

dn: cn=m3,ou=Group,dc=example,dc=com
objectClass: posixGroup
objectClass: groupOfNames
gidNumber: 100
cn: m3
memberUid: pradyumna
member: cn=test,ou=People,dc=example,dc=com

1. This is something strange.
For me, it should be
dn: cn=m3,ou=Group,dc=example,dc=com
objectClass: posixGroup
gidNumber: 100
cn: m3
memberUid: pradyumna
memberUid: test

2. Anyway, this is only one group (one object). Where is the second group from your previous message: "when i login to a user and try id it shows me the primary group not the secondary groups i have added."?

WBR


I think this is what you asked for.

Regards,
Neo

On Mon, Aug 15, 2011 at 6:36 PM, Dmitriy Kirhlarov <dimma@higis.ru> wrote:

    15.08.2011 17:24, pradyumna dash writes:

        Hi,

        I have created 2 groups and modified the ldap.conf file in the client as below

        nss_base_passwd ou=people,dc=example,dc=com?one
        nss_base_shadow ou=people,dc=example,dc=com?one
        nss_base_group  ou=Group,dc=example,dc=com?one

        From the client when I run getent I can see my groups and users, but when I login to a user and try id it shows me the primary group, not the secondary groups I have added.


    Could you, please, show the DN of the primary and secondary groups and the bodies of these objects (object classes and attributes).

    WBR


        I am using SLES 11 SP1.

        Regards,
        Pradyumna

        2011/8/15 Dmitriy Kirhlarov <dimma@higis.ru>


            please, keep a list address in the Cc.

            WBR


            On 08/14/2011 04:20 PM, pradyumna dash wrote:

                Thank you so much.

                I will try it this week and get back to you in case of
        any issues.

                Thanks for your time.

                Regards,
                Pradyumna

                2011/8/14 Dmitriy Kirhlarov <dimma@higis.ru>




                    On 08/14/2011 03:18 PM, pradyumna dash wrote:

                        Hi,

                        Thank you so much.  I have never worked a lot on nss_ldap so I am asking some basic questions.

                        As you said, you guys are running the same in your env.

                        ldap:
                        personals user groups:
                        ou=groups,o=company
                        first project groups:
                        cn=group1,ou=project1,o=company
                        cn=group2,ou=project1,o=company

                        -- Do I need to create separate OUs for different groups?


                    Up to you.

                    You need some "separator" between projects. It can be a branch in the tree, or scope "base" in the filter configuration from the nss_ldap.conf file.

                    We prefer branches. It's more readable when you have many groups and many projects.


                        second project groups:
                        cn=group1,ou=project2,o=company
                        cn=group2,ou=project2,o=company
                        -- How can I specify which users are part of which group?


                    dn: cn=group1,ou=project1,o=company
                    objectClass: posixGroup
                    cn: group1
                    gidNumber: 1000
                    description: project1 admin group
                    memberUid: user1
                    memberUid: user2
                    memberUid: user3


                        "Server1" nss_ldap.conf:
                        nss_base_group          ou=groups,o=company?sub
                        nss_base_group          ou=project1,o=company?one
                        -- The syntax in the conf file will be like above?? Because I have never used ?sub and ?one.


                    It's URI (http://en.wikipedia.org/wiki/URI_scheme) syntax.
                    You should write the second part of the URI (after the connection description) with base, scope and filter.


                        "Server2" nss_ldap.conf:
                        nss_base_group          ou=groups,o=company?sub
                        nss_base_group          ou=project2,o=company?one

                        Also, if you can help, I am trying "pwdReset" for my ldap users. In the ppolicy.schema file I have uncommented this attribute but am not able to load the schema; if you can give me some pointers it would be appreciated.
                        What I want is that when any user logs in for the first time he will be asked to change his password.


                    1. try to start slapd with "-d config"
                    2. take a look at http://www.zytrax.com/books/ldap/ch6/ppolicy.html

                    WBR


                        Regards,
                        Neo

                        I am not an expert in OpenLDAP so please help me.
                        2011/8/14 Dmitriy Kirhlarov <dimma@higis.ru>



                            Hi.


                            On 08/12/2011 07:40 PM, Buchan Milne wrote:

                                On Wednesday, 10 August 2011 10:11:17 pradyumna dash wrote:

                                    Guys,

                                    I have a query, let's take a scenario:

                                    Assume we have 2 servers "Server1" and "Server2" and 2 groups "Admin" and "ITTech". What is needed is, say, when a user "bob" logs in to "Server1" he will get the group "Admin", but when he logs in to "Server2" he will get group "ITTech".  Also it may vary for different users, like when "Kris" logs in to Server1 he may get a group called "ITTech" and when he logs in to "Server2" he will get some other group, say "Security".
                                    Can it be possible by OpenLDAP?


                                IMHO, this is a bad idea. It will specifically be problematic if you have any files shared/replicated/backed up between servers (e.g. via NFS).


                            We are using this functionality without any problems. :)
                            This is a feature of nss_ldap.

                            ldap:
                            personals user groups:
                            ou=groups,o=company

                            first project groups:
                            cn=group1,ou=project1,o=company
                            cn=group2,ou=project1,o=company

                            second project groups:
                            cn=group1,ou=project2,o=company
                            cn=group2,ou=project2,o=company

                            "Server1" nss_ldap.conf:
                            nss_base_group          ou=groups,o=company?sub
                            nss_base_group          ou=project1,o=company?one

                            "Server2" nss_ldap.conf:
                            nss_base_group          ou=groups,o=company?sub
                            nss_base_group          ou=project2,o=company?one


                            WBR


                                    If this is achieved then we are planning to have SUDO files based on the groups.


                                It would be much more effective to have your sudo rules in LDAP, and apply a rule to a set of users/groups to a collection/netgroup of hosts.

                                Regards,
                                Buchan
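
As an added illustration (not code from this thread or from nss_ldap itself), the Python below simulates the mechanism Dmitriy describes: which posixGroup entries a host enumerates for a user follows from the nss_base_group base?scope entries in that host's nss_ldap.conf, so the same directory yields different secondary groups on Server1 and Server2. The group entries and user names are constructed samples; only memberUid membership is modelled (the attribute Dmitriy says the posixGroup entry should carry), and an omitted scope is assumed to mean "sub", matching nss_ldap's default.

```python
# Added example: simulate nss_ldap's per-host group enumeration.
# GROUPS maps each posixGroup DN to its memberUid values (constructed sample data).
GROUPS = {
    "cn=staff,ou=groups,o=company":            ["bob", "kris"],
    "cn=group1,ou=project1,o=company":         ["bob"],
    "cn=group2,ou=project1,o=company":         ["kris"],
    "cn=group1,ou=project2,o=company":         ["kris"],
    "cn=old,ou=archive,ou=project2,o=company": ["bob"],  # two RDNs below project2
}
# The two nss_ldap.conf fragments from the thread, one per host.
SERVER1 = ["nss_base_group          ou=groups,o=company?sub",
           "nss_base_group          ou=project1,o=company?one"]
SERVER2 = ["nss_base_group          ou=groups,o=company?sub",
           "nss_base_group          ou=project2,o=company?one"]


def parse_nss_base(line):
    """Parse 'nss_base_group base?scope[?filter]' into (base, scope).
    Scope is assumed to default to 'sub' when omitted (nss_ldap's default)."""
    key, rest = line.split(None, 1)
    if key != "nss_base_group":
        raise ValueError("not an nss_base_group line: %r" % line)
    parts = rest.strip().split("?")
    base = parts[0].lower()
    scope = parts[1].lower() if len(parts) > 1 and parts[1] else "sub"
    if scope not in ("base", "one", "sub"):
        raise ValueError("unknown scope %r" % scope)
    return base, scope


def in_scope(dn, base, scope):
    """True if a search with this base and scope would return the entry at dn."""
    dn = dn.lower()
    if scope == "base":
        return dn == base
    if not dn.endswith("," + base):
        return False
    # RDNs between the entry and the base: 'one' requires exactly one level.
    depth = dn[: -len(base) - 1].count(",") + 1
    return scope == "sub" or depth == 1


def secondary_groups(user, conf_lines, groups=GROUPS):
    """Sorted cn values that `id` would list for user on a host using conf_lines."""
    bases = [parse_nss_base(line) for line in conf_lines]
    return sorted(dn.split(",")[0].split("=", 1)[1]
                  for dn, members in groups.items()
                  if user in members and any(in_scope(dn, b, s) for b, s in bases))


if __name__ == "__main__":
    for host, conf in (("Server1", SERVER1), ("Server2", SERVER2)):
        print(host, "bob:", secondary_groups("bob", conf),
              "kris:", secondary_groups("kris", conf))
```

Note that cn=old under ou=archive,ou=project2 is invisible on Server2 because the ?one scope stops one level below the base; only a ?sub base would expose it.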