Hello,

I have two questions along the same lines, and the answers will be very helpful.

1)

The MemberOf plugin works wonderfully using SSSD at the client side; however, is
it possible to have the same kind of control at the server side?

I mean, could I have the ability to control user authentication on a host
machine based on its group or another parameter, very much the same way that
I am now doing with memberOf/sssd.conf at the host machine?

2)

I know this is not the IPA group, but in case someone knows: does IPA support that
feature at the server side, or using sssd.conf at the host machine?

Any pointers to RTFM would also be helpful. :-)

Thanks
Chandan

On Friday, March 22, 2013, Chandan Kumar wrote:

> Hi Rich,
>
> Oops! My bad. Thank you so much for pointing that out. Now I can see the
> memberOf attribute in my user entries.
>
> Thanks again!
>
> --Chandan
>
> On Friday, March 22, 2013, Rich Megginson wrote:
>
> On 03/22/2013 11:06 AM, Chandan Kumar wrote:
>
> Hello,
>
> So far I have managed to do some setup of the 389 server, thanks to the
> prompt community.
>
> Now I am having some trouble getting the MemberOf plugin to work
> for 389-ds-base-1.2.11.15-11. When I add a user into a group, the memberOf
> attribute is not being added to the user entry.
>
> While googling a bit I came across an older post in this group:
>
> http://www.redhat.com/archives/fedora-directory-users/2009-December/msg00165.html
>
> Based on that, I checked dse.ldif and the plugin configuration also
> looks good.
>
>
> Too bad that google didn't send you here:
>
> https://access.redhat.com/knowledge/docs/en-US/Red_Hat_Directory_Server/9.0/html/Administration_Guide/Advanced_Entry_Management.html#groups-cmd-memberof
>
> Specifically:
> "6.1.4.2. Object Classes Which Support memberof Attributes
> The most common people object classes — such as inetorgperson and person —
> do not allow the memberOf attribute. To allow the MemberOf Plug-in to add
> the memberOf attribute to a user entry, make sure that that entry belongs
> to the inetUser object class, which does allow the memberOf attribute."
>
> Even in the link you posted:
> "objectClass: shadowaccount
> objectClass: inetuser
> physicalDeliveryOfficeName: Kennebunk
> ..."
>
>
>
> dn: cn=MemberOf Plugin,cn=plugins,cn=config
> objectClass: top
> objectClass: nsSlapdPlugin
> objectClass: extensibleObject
> cn: MemberOf Plugin
> nsslapd-pluginPath: libmemberof-plugin
> nsslapd-pluginInitfunc: memberof_postop_init
> nsslapd-pluginType: postoperation
> nsslapd-pluginEnabled: on
> nsslapd-plugin-depends-on-type: database
> memberofgroupattr: uniqueMember
> memberofattr: memberOf
> nsslapd-pluginId: memberof
> nsslapd-pluginVersion: 1.2.11.15
> nsslapd-pluginVendor: 389 Project
> nsslapd-pluginDescription: memberof plugin
> modifiersName: cn=directory manager
> modifyTimestamp: 20130322162350Z
>
> The way I am adding users:
>
> dn: uid=chandank,ou=People,dc=ma,dc=net
> objectclass: person
> objectclass: inetorgperson
> objectclass: posixAccount
> cn: Chandan
> sn: k
> givenName: chandank
> uid:chandank
> uidNumber:5006
> gidNumber:5006
> objectclass: mepOriginEntry
> mepManagedEntry: cn=chandank
> homeDirectory: /home/chandank
> loginShell: /bin/bash
>
> The way I am adding them into a group:
>
> dn: cn=sys,ou=Groups,dc=ma,dc=net
> changetype: modify
> add: uniqueMember
> uniqueMember: uid=chandank,ou=People,dc=ma,dc=net
>
> And after I have added the user I am expecting a memberOf attribute
> in the user entry itself. I am not sure whether it is the right way
> to do so.
>
> For the record: having a memberOf attribute in the user entry would allow
> me to use LDAP access filters in the sssd.conf file, e.g.
> "ldap_access_filter =
> memberOf=cn=allowedusers,ou=Groups,dc=example,dc=com", and hence I will be
> able to restrict users from logging in on different systems.
>
>  Thanks
> Chandan
>
>
>
> --
> http://about.me/chandank
>
>

-- 
http://about.me/chandank
--
389 users mailing list
389-us...@lists.fedoraproject.org
https://admin.fedoraproject.org/mailman/listinfo/389-users
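Rich's answer above comes down to one check: the MemberOf plug-in can only write memberOf into an entry whose object classes allow that attribute (inetUser does; person and inetOrgPerson alone do not), and Chandan's end goal is an sssd ldap_access_filter on memberOf. The following script is an added example for this thread, not code from the 389 project or from either poster. It parses a small constructed LDIF (DNs follow the ones quoted in the thread), lists the user entries that still lack inetUser, emits the ldapmodify record that fixes each one, and models how a "memberOf=<group DN>" access filter would match those entries. The filter evaluation is a local single-attribute model for illustration; real sssd sends the filter to the directory server.

```python
"""Audit user entries for memberOf readiness and model a memberOf access filter.

Added example for the 389-users thread above (not project or poster code).
The LDIF is constructed: the first entry mirrors the one posted in the thread
(no inetUser, so the plug-in cannot add memberOf); the second has been fixed.
"""
from typing import Dict, List

SAMPLE_LDIF = """\
dn: uid=chandank,ou=People,dc=ma,dc=net
objectclass: person
objectclass: inetorgperson
objectclass: posixAccount
cn: Chandan
sn: k
uid:chandank
uidNumber: 5006
gidNumber: 5006
homeDirectory: /home/chandank
loginShell: /bin/bash

dn: uid=alice,ou=People,dc=ma,dc=net
objectClass: person
objectClass: inetOrgPerson
objectClass: posixAccount
objectClass: inetUser
cn: Alice
sn: Example
uid: alice
uidNumber: 5007
gidNumber: 5007
homeDirectory: /home/alice
loginShell: /bin/bash
memberOf: cn=sys,ou=Groups,dc=ma,dc=net
"""

Entry = Dict[str, List[str]]   # lower-cased attribute name -> list of values


def parse_ldif(text: str) -> List[Entry]:
    """Parse LDIF content records (RFC 2849 subset: line folding, no base64/URL values).

    Attribute names are lower-cased because LDAP attribute types are
    case-insensitive; values are kept verbatim (surrounding spaces stripped).
    """
    lines: List[str] = []
    for raw in text.splitlines():
        if raw.startswith(" ") and lines:      # folded continuation line
            lines[-1] += raw[1:]
        else:
            lines.append(raw)
    entries: List[Entry] = []
    current: Entry = {}
    for line in lines + [""]:                  # trailing "" flushes the last record
        if not line.strip():
            if current:
                entries.append(current)
                current = {}
            continue
        if line.startswith("#"):
            continue
        name, _, value = line.partition(":")   # "uid:chandank" (no space) is valid LDIF
        current.setdefault(name.strip().lower(), []).append(value.strip())
    return entries


def has_objectclass(entry: Entry, oc: str) -> bool:
    """Object class names are case-insensitive (inetuser == inetUser)."""
    return oc.lower() in {v.lower() for v in entry.get("objectclass", [])}


def entries_missing_inetuser(entries: List[Entry]) -> List[str]:
    """DNs of user-like entries that the MemberOf plug-in cannot populate."""
    return [
        e["dn"][0]
        for e in entries
        if (has_objectclass(e, "person") or has_objectclass(e, "posixAccount"))
        and not has_objectclass(e, "inetUser")
    ]


def fix_ldif(dn: str) -> str:
    """Modify record that adds inetUser so the memberOf attribute becomes allowed."""
    return f"dn: {dn}\nchangetype: modify\nadd: objectClass\nobjectClass: inetUser\n"


def dn_equal(a: str, b: str) -> bool:
    """Loose DN comparison: case-insensitive, whitespace around RDN separators ignored."""
    def norm(d: str) -> str:
        return ",".join(part.strip().lower() for part in d.split(","))
    return norm(a) == norm(b)


def access_allowed(entry: Entry, group_dn: str) -> bool:
    """Local model of sssd's 'ldap_access_filter = memberOf=<group_dn>' for one entry.

    Assumption: this reproduces only the equality match on memberOf; sssd itself
    evaluates the filter by searching the directory server.
    """
    return any(dn_equal(v, group_dn) for v in entry.get("memberof", []))


if __name__ == "__main__":
    users = parse_ldif(SAMPLE_LDIF)
    for dn in entries_missing_inetuser(users):
        print(f"# {dn} lacks inetUser; apply with ldapmodify:")
        print(fix_ldif(dn))
    group = "cn=sys,ou=Groups,dc=ma,dc=net"
    for u in users:
        print(u["dn"][0], "login allowed:", access_allowed(u, group))
```

Running it against an export of ou=People (ldapsearch -LLL output is valid input) gives a pre-flight list of entries to fix before relying on memberOf for access control; the generated records can be fed straight to ldapmodify, after which the plug-in's fixup task or a group re-add populates memberOf.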
