How to enable memberOf overlay with posixGroup?
- To: openldap-technical@openldap.org
- Subject: How to enable memberOf overlay with posixGroup?
- From: MegaBrutal <megabrutal@gmail.com>
- Date: Wed, 7 Sep 2016 23:10:30 +0200
Hi all,
I've spent days trying to figure out how I could enable the memberOf
overlay, and it doesn't seem to be easy for an LDAP noob. I've read
50+ tutorials, none of which helped me get it working.
Use case: I want to have 2 main groups which control access to
different services on my network: a "unixusers" group, which is the
minimum required to log in to Linux servers (having a hostObject entry
for the user is another requirement, which is irrelevant to this
question, as I already solved that problem); and a "cloudusers" group,
which enables login to my ownCloud instance.
The groups should enforce the following rules:
– Only users in "cloudusers" should be allowed to log in to ownCloud.
– Users in "unixusers" are allowed to log in to a set of Linux servers
controlled by "host" (hostObject) entries.
– Users not in the "unixusers" group may not log in to any Linux
systems, even if they have "host" entries.
Problems:
– ownCloud complains that the memberOf overlay is not enabled, hence
it doesn't let me restrict access to the "cloudusers" group. It would
allow any users regardless of any group memberships, which is not
acceptable.
– I have a similar problem on Linux with PAM: I can't really get it to
consider "unixusers" membership for user logins, although I got the
"host" entries working correctly, so at least I can already restrict
access with that.
My guess is that it all boils down to the lack of memberOf overlay. I
also figured that memberOf would need groupOfNames groups, while I
need posixGroup type groups. I evaluated the possibility to use
groupOfNames, but it lacks the necessary gidNumber attribute which is
a requirement for Unix groups. But anyway, I can't enable memberOf
even for groupOfNames. I can't enable memberOf by any means.
My OpenLDAP uses the new configuration method and it completely
ignores slapd.conf, so the config must be injected with ldapadd to
cn=config.
Could you please help me with this?
Regards,
MegaBrutal
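As an added example (not part of MegaBrutal's post and not taken from the OpenLDAP project's documentation), here is the cn=config LDIF that loads and attaches the memberOf overlay on an OpenLDAP 2.4 server, followed by a group entry of the shape the overlay can actually track. The module path /usr/lib/ldap, the database index {1}mdb, the suffix dc=example,dc=com, the group and user names and the gidNumber are assumptions for illustration; check the real values with `ldapsearch -Y EXTERNAL -H ldapi:/// -b cn=config dn` before applying.

```ldif
# Added example, not the poster's or the project's configuration.
# Step 1: load the memberof module. cn=module{0} is assumed to already
# exist (Debian/Ubuntu create it for the backend module); if it does not,
# use "changetype: add" with objectClass: olcModuleList instead.
# The module path is an assumption; Debian/Ubuntu use /usr/lib/ldap.
dn: cn=module{0},cn=config
changetype: modify
add: olcModuleLoad
olcModuleLoad: memberof.la

# Step 2: attach the overlay to the user database. {1}mdb is an
# assumption; older installs have {1}hdb. The overlay only maintains
# memberOf for DN-valued member attributes, so it is pointed at
# groupOfNames/member. It cannot follow posixGroup's memberUid, which
# holds plain uid strings rather than DNs.
dn: olcOverlay=memberof,olcDatabase={1}mdb,cn=config
changetype: add
objectClass: olcOverlayConfig
objectClass: olcMemberOf
olcOverlay: memberof
olcMemberOfGroupOC: groupOfNames
olcMemberOfMemberAD: member
olcMemberOfMemberOfAD: memberOf
# Ignore member values that point at nonexistent entries instead of
# rejecting the write; TRUE below makes the overlay delete memberOf
# values when the group or member entry is removed or renamed.
olcMemberOfDangling: ignore
olcMemberOfRefInt: TRUE

# Step 3: a group the overlay can track that still carries a gidNumber.
# This entry is only valid when the rfc2307bis schema is loaded in place
# of the stock nis.schema: rfc2307bis defines posixGroup as AUXILIARY,
# so it can be combined with the STRUCTURAL groupOfNames. With nis.schema
# both classes are STRUCTURAL and slapd rejects the entry. Availability
# of rfc2307bis on the server is an assumption. Names are illustrative.
dn: cn=cloudusers,ou=groups,dc=example,dc=com
changetype: add
objectClass: groupOfNames
objectClass: posixGroup
cn: cloudusers
gidNumber: 10001
member: uid=alice,ou=people,dc=example,dc=com
```

Apply the file with `ldapmodify -Y EXTERNAL -H ldapi:/// -f memberof.ldif`. Two checks a practitioner will want: first, memberOf is an operational attribute in OpenLDAP, so `ldapsearch -x -b ou=people,dc=example,dc=com '(uid=alice)' memberOf` must name it explicitly (or use `+`), and any client that is expected to see it must request it the same way. Second, the overlay only acts on writes made after it is attached; groups that already existed do not get memberOf back-filled until their member values are written again (for example by deleting and re-adding the group entries).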