dn: cn=m3,ou=Group,dc=example,dc=com
objectClass: posixGroup
objectClass: groupOfNames
gidNumber: 100
cn: m3
memberUid: pradyumna
member: cn=test,ou=People,dc=example,dc=com
I think this is what you asked for.
Regards,
Neo
On Mon, Aug 15, 2011 at 6:36 PM, Dmitriy Kirhlarov <dimma@higis.ru> wrote:
15.08.2011 17:24, pradyumna dash wrote:
Hi,
I have created 2 groups and modified the ldap.conf file in the client as below
nss_base_passwd ou=people,dc=example,dc=com?one
nss_base_shadow ou=people,dc=example,dc=com?one
nss_base_group ou=Group,dc=example,dc=com?one
From the client, when I run getent I can see my groups and users, but when I log in as a user and try id it shows me the primary group, not the secondary groups I have added.
Could you please show the DN of the primary and secondary groups and the body of these objects (object classes and attributes).
WBR
I am using SLES 11 SP1.
Regards,
Pradyumna
2011/8/15 Dmitriy Kirhlarov <dimma@higis.ru>
Please keep the list address in the Cc.
WBR
On 08/14/2011 04:20 PM, pradyumna dash wrote:
Thank you so much.
I will try it this week and get back to you in case of
any issues.
Thanks for your time.
Regards,
Pradyumna
2011/8/14 Dmitriy Kirhlarov <dimma@higis.ru>
On 08/14/2011 03:18 PM, pradyumna dash wrote:
Hi,
Thank you so much. I have never worked a lot with nss_ldap, so I am asking some basic questions.
As you said, you guys are running the same in your env.
ldap:
personal user groups:
ou=groups,o=company
first project groups:
cn=group1,ou=project1,o=company
cn=group2,ou=project1,o=company
-- Do I need to create separate OUs for different groups?
Up to you.
You need some "separator" between projects. It can be a branch in the tree, or scope "base" in the filter configuration in the nss_ldap.conf file.
We prefer branches. It's more readable when you have many groups and many projects.
second project groups:
cn=group1,ou=project2,o=company
cn=group2,ou=project2,o=company
-- How can I specify which users are part of which group?
dn: cn=group1,ou=project1,o=company
objectClass: posixGroup
cn: group1
gidNumber: 1000
description: project1 admin group
memberUid: user1
memberUid: user2
memberUid: user3
"Server1" nss_ldap.conf:
nss_base_group ou=groups,o=company?sub
nss_base_group ou=project1,o=company?one
-- The syntax in the conf file will be like above? Because I have never used ?sub and ?one.
It's URI (http://en.wikipedia.org/wiki/URI_scheme) syntax.
You should write the second part of the URI (after the connection description) with base, scope and filter.
"Server2" nss_ldap.conf:
nss_base_group ou=groups,o=company?sub
nss_base_group ou=project2,o=company?one
Also, if you can help, I am trying "pwdReset" for my LDAP users. In the ppolicy.schema file I have uncommented this attribute but am not able to load the schema; if you can give me some pointers it would be appreciated.
What I want is that when any user logs in for the first time he will be asked to change his password.
1. Try to start slapd with "-d config".
2. Take a look at http://www.zytrax.com/books/ldap/ch6/ppolicy.html
WBR
Regards,
Neo
I am not an expert in OpenLDAP so please help me.
2011/8/14 Dmitriy Kirhlarov <dimma@higis.ru>
Hi.
On 08/12/2011 07:40 PM, Buchan Milne wrote:
On Wednesday, 10 August 2011 10:11:17 pradyumna dash wrote:
Guys,
I have a query, let's take a scenario:
Assume we have 2 servers "Server1" and "Server2" and 2 groups "Admin" and "ITTech". What is needed is, say, when a user "bob" logs in to "Server1" he will get the group "Admin", but when he logs in to "Server2" he will get group "ITTech". Also it may vary for different users, like when "Kris" logs in to Server1 he may get a group called "ITTech" and when he logs in to "Server2" he will get some other group, say "Security".
Can it be possible with OpenLDAP?
IMHO, this is a bad idea. It will specifically be problematic if you have any files shared/replicated/backed up between servers (e.g. via NFS).
We are using this functionality without any problems. :)
This is a feature of nss_ldap.
ldap:
personal user groups:
ou=groups,o=company
first project groups:
cn=group1,ou=project1,o=company
cn=group2,ou=project1,o=company
second project groups:
cn=group1,ou=project2,o=company
cn=group2,ou=project2,o=company
"Server1" nss_ldap.conf:
nss_base_group ou=groups,o=company?sub
nss_base_group ou=project1,o=company?one
"Server2" nss_ldap.conf:
nss_base_group ou=groups,o=company?sub
nss_base_group ou=project2,o=company?one
WBR
If this is achieved then we are planning to have SUDO files based on the groups.
It would be much more effective to have your sudo rules in LDAP, and apply a rule to a set of users/groups to a collection/netgroup of hosts.
Regards,
Buchan
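The per-host nss_base_group arrangement Dmitriy describes, as an added example that is not code from this thread or from nss_ldap: a small Python model of how a host's "nss_base_group base?scope" lines select group entries, run over a constructed directory laid out like the Server1/Server2 example (personal groups under ou=groups, project groups under ou=project1 and ou=project2). It also performs the check that Buchan's NFS objection implies, finding any gidNumber that resolves to one group name on Server1 and another on Server2. All DNs, gidNumbers and members are made up; DN handling assumes no escaped commas, membership is modelled only through RFC 2307 memberUid (not groupOfNames member), a missing scope is assumed to mean sub, and the optional ?filter part is parsed but not evaluated.

```python
"""Model of nss_ldap per-host nss_base_group selection (added example, constructed data)."""

# Constructed directory mirroring the thread's layout.  All values are made up.
DIRECTORY = [
    ("cn=bob,ou=groups,o=company", {"gidNumber": "5001", "memberUid": ["bob"]}),
    ("cn=kris,ou=groups,o=company", {"gidNumber": "5002", "memberUid": ["kris"]}),
    ("cn=admin,ou=project1,o=company", {"gidNumber": "1000", "memberUid": ["bob"]}),
    ("cn=ittech,ou=project1,o=company", {"gidNumber": "1001", "memberUid": ["kris"]}),
    # One level deeper than ou=project1: a ?one scope skips it, ?sub would pick it up.
    ("cn=oldadmin,ou=archive,ou=project1,o=company", {"gidNumber": "1000", "memberUid": ["bob"]}),
    # Same gidNumber as project1's admin group, but a different group with different members.
    ("cn=ittech,ou=project2,o=company", {"gidNumber": "1000", "memberUid": ["bob", "alice"]}),
    ("cn=security,ou=project2,o=company", {"gidNumber": "1002", "memberUid": ["kris"]}),
]

SERVER1 = ["nss_base_group ou=groups,o=company?sub",
           "nss_base_group ou=project1,o=company?one"]
SERVER2 = ["nss_base_group ou=groups,o=company?sub",
           "nss_base_group ou=project2,o=company?one"]


def split_dn(dn):
    """Normalise a DN into lower-cased RDN strings (assumes no escaped commas)."""
    return [rdn.strip().lower() for rdn in dn.split(",")]


def in_scope(entry_dn, base_dn, scope):
    """LDAP scope test: would a search from base_dn with this scope return entry_dn?"""
    entry, base = split_dn(entry_dn), split_dn(base_dn)
    if len(entry) < len(base) or entry[len(entry) - len(base):] != base:
        return False
    depth = len(entry) - len(base)
    if scope == "base":
        return depth == 0
    if scope == "one":
        return depth == 1
    if scope == "sub":
        return True
    raise ValueError("unknown scope %r" % scope)


def parse_nss_base(line):
    """Parse 'nss_base_group base?scope?filter' (URI-style tail) -> (base, scope, filter)."""
    key, _, rest = line.strip().partition(" ")
    if key != "nss_base_group":
        raise ValueError("not an nss_base_group line: %r" % line)
    parts = rest.strip().split("?")
    base = parts[0]
    scope = parts[1] if len(parts) > 1 and parts[1] else "sub"  # assumed default
    ldap_filter = parts[2] if len(parts) > 2 else ""              # parsed, not evaluated
    return base, scope, ldap_filter


def visible_groups(config_lines, directory=DIRECTORY):
    """Group entries a host can see: the union over all of its nss_base_group lines."""
    seen, out = set(), []
    for line in config_lines:
        base, scope, _ = parse_nss_base(line)
        for dn, attrs in directory:
            if dn not in seen and in_scope(dn, base, scope):
                seen.add(dn)
                out.append((dn, attrs))
    return out


def group_name(dn):
    """The cn value of a group DN, as `id` would print it."""
    return split_dn(dn)[0].split("=", 1)[1]


def groups_for(uid, config_lines, directory=DIRECTORY):
    """Supplementary groups {name: gid} that `id uid` would list on that host."""
    return {group_name(dn): int(attrs["gidNumber"])
            for dn, attrs in visible_groups(config_lines, directory)
            if uid in attrs["memberUid"]}


def duplicate_gids(config_lines, directory=DIRECTORY):
    """gidNumbers that map to more than one group entry on a single host."""
    names = {}
    for dn, attrs in visible_groups(config_lines, directory):
        names.setdefault(int(attrs["gidNumber"]), []).append(group_name(dn))
    return {gid: ns for gid, ns in names.items() if len(ns) > 1}


def gid_conflicts(host_configs, directory=DIRECTORY):
    """gidNumbers that name different groups on different hosts: a group-owned file on
    shared NFS then grants access to one set of people on Server1 and another on Server2."""
    by_gid = {}
    for host, lines in host_configs.items():
        for dn, attrs in visible_groups(lines, directory):
            by_gid.setdefault(int(attrs["gidNumber"]), {})[host] = group_name(dn)
    return {gid: hosts for gid, hosts in by_gid.items() if len(set(hosts.values())) > 1}


if __name__ == "__main__":
    for host, cfg in (("Server1", SERVER1), ("Server2", SERVER2)):
        for uid in ("bob", "kris", "alice"):
            print(host, uid, groups_for(uid, cfg))
    print("same gid, different group:", gid_conflicts({"Server1": SERVER1, "Server2": SERVER2}))
    print("?sub on project1 would give:", duplicate_gids(["nss_base_group ou=project1,o=company?sub"]))
```

Running it shows bob in admin on Server1 and in ittech on Server2, kris in ittech on Server1 and security on Server2, and alice with no project group at all on Server1. The gid_conflicts check reports gid 1000, which is "admin" on Server1 and "ittech" on Server2, so a file owned by group 1000 on an NFS export shared by both hosts would be readable by alice from Server2 even though she is not in admin; keeping gidNumbers unique across all project branches avoids that. The last line shows why the thread uses ?one rather than ?sub for the project branch: with ?sub, the entry under ou=archive,ou=project1 would surface a second gid-1000 group on the same host.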