On 03/27/2013 09:55 AM, Chandan Kumar wrote:
Hello,

I have two questions along the same lines, and the answers will be very helpful.

1)

The MemberOf plugin works wonderfully using SSSD at the client side; however, is it possible to have the same kind of control at the server side?

I mean, could I have the ability to control a user's authentication on a host machine based on its group or other parameter, very much the same way that I am now doing with memberOf/sssd.conf at the host machine?

Not exactly - http://port389.org/wiki/Howto:Netgroups


2)

I know this is not the IPA group, in case someone knows. Does IPA support that feature at the server side? Or using sssd.conf at the host machine?

Any pointers to RTFM would also be helpful. :-)

Thanks
Chandan

On Friday, March 22, 2013, Chandan Kumar wrote:

    Hi Rich,

    Oops! My bad. Thank you so much for pointing that out. Now I can
    see the MemberOf attribute in my user entries.

    Thanks again!

    --Chandan

    On Friday, March 22, 2013, Rich Megginson wrote:

        On 03/22/2013 11:06 AM, Chandan Kumar wrote:
        Hello,

        So far I have managed to do some setup of the 389 server,
        thanks to the prompt community.

        Now, I am having some trouble getting the MemberOf plugin
        to work for 389-ds-base-1.2.11.15-11. When I add a user into a
        group, the memberOf attribute is not being added to the user
        entry.

        While googling a bit I came across an older post of this group:

        http://www.redhat.com/archives/fedora-directory-users/2009-December/msg00165.html

        based on that, I checked dse.ldif and the Plugin
        configuration also looks good.

        Too bad that Google didn't send you here:

        https://access.redhat.com/knowledge/docs/en-US/Red_Hat_Directory_Server/9.0/html/Administration_Guide/Advanced_Entry_Management.html#groups-cmd-memberof

        Specifically:
        "6.1.4.2. Object Classes Which Support memberof Attributes
        The most common people object classes — such as inetorgperson
        and person — do not allow the memberOf attribute. To allow the
        MemberOf Plug-in to add the memberOf attribute to a user
        entry, make sure that that entry belongs to the inetUser
        object class, which does allow the memberOf attribute."

        Even in the link you posted:
        "objectClass: shadowaccount
        objectClass: inetuser
        physicalDeliveryOfficeName: Kennebunk
        ...
        "



        dn: cn=MemberOf Plugin,cn=plugins,cn=config
        objectClass: top
        objectClass: nsSlapdPlugin
        objectClass: extensibleObject
        cn: MemberOf Plugin
        nsslapd-pluginPath: libmemberof-plugin
        nsslapd-pluginInitfunc: memberof_postop_init
        nsslapd-pluginType: postoperation
        nsslapd-pluginEnabled: on
        nsslapd-plugin-depends-on-type: database
        memberofgroupattr: uniqueMember
        memberofattr: memberOf
        nsslapd-pluginId: memberof
        nsslapd-pluginVersion: 1.2.11.15
        nsslapd-pluginVendor: 389 Project
        nsslapd-pluginDescription: memberof plugin
        modifiersName: cn=directory manager
        modifyTimestamp: 20130322162350Z

        The way I am adding users:

        dn: uid=chandank,ou=People,dc=ma,dc=net
        objectclass: person
        objectclass: inetorgperson
        objectclass: posixAccount
        cn: Chandan
        sn: k
        givenName: chandank
        uid:chandank
        uidNumber:5006
        gidNumber:5006
        objectclass: mepOriginEntry
        mepManagedEntry: cn=chandank
        homeDirectory: /home/chandank
        loginShell: /bin/bash

        The way I am adding them into a group:

        dn: cn=sys,ou=Groups,dc=ma,dc=net
        changetype: modify
        add: uniqueMember
        uniqueMember: uid=chandank,ou=People,dc=ma,dc=net

        And after I have added the user I am expecting a MemberOf
        attribute entry in the user entry itself. I am not sure
        whether it is the right way to do so.

        For the record: having the MemberOf attribute in the user entry
        would allow me to use LDAP access filters in the sssd.conf file, e.g.
        "ldap_access_filter =
        memberOf=cn=allowedusers,ou=Groups,dc=example,dc=com", and
        hence I will be able to restrict users from logging in on different
        systems.

        Thanks
        Chandan



--
    --
    http://about.me/chandank



--
389 users mailing list
389-us...@lists.fedoraproject.org
https://admin.fedoraproject.org/mailman/listinfo/389-users
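
Added example, not part of the original thread or the 389 project's code: a Python check for the cause identified above, where the user entry lacks the inetUser object class and so cannot hold memberOf. It scans LDIF user entries and builds the ldapmodify input that adds the class. The function names and the second sample entry (uid=fixeduser) are constructed for illustration, and values are assumed to be plain text, not base64.

```python
# Added example: find LDIF user entries that lack the inetUser object class
# and build the ldapmodify input that adds it. Sample data is constructed.
SAMPLE_LDIF = """\
dn: uid=chandank,ou=People,dc=ma,dc=net
objectclass: person
objectclass: inetorgperson
objectclass: posixAccount
cn: Chandan
uid:chandank

# constructed entry: already carries inetUser, with a folded cn value
dn: uid=fixeduser,ou=People,dc=ma,dc=net
objectClass: person
objectClass: inetUser
cn: Fixed
  User
"""

def parse_ldif(text):
    """Parse plain-text LDIF into [{lowercased attribute: [values]}]."""
    lines = []
    for raw in text.splitlines():
        if raw.startswith(" ") and lines:
            lines[-1] += raw[1:]      # unfold an LDIF continuation line
        elif not raw.startswith("#"):
            lines.append(raw)
    entries, entry = [], {}
    for line in lines + [""]:         # trailing "" flushes the last entry
        if not line.strip():
            if entry:
                entries.append(entry)
            entry = {}
            continue
        attr, _, value = line.partition(":")
        entry.setdefault(attr.strip().lower(), []).append(value.strip())
    return entries

def missing_inetuser(entries):
    """DNs of entries with no inetUser object class (names compare case-insensitively)."""
    return [e["dn"][0] for e in entries
            if "inetuser" not in {oc.lower() for oc in e.get("objectclass", [])}]

def fix_ldif(dns):
    """ldapmodify input adding objectClass: inetUser to each DN."""
    return "\n".join(f"dn: {dn}\nchangetype: modify\nadd: objectClass\n"
                     f"objectClass: inetUser\n" for dn in dns)

if __name__ == "__main__":
    print(fix_ldif(missing_inetuser(parse_ldif(SAMPLE_LDIF))))
```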
