<html>
<head>
<META HTTP-EQUIV="Content-Type" CONTENT="text/html; charset=us-ascii">
<meta name=Generator content="Microsoft Word 10 (filtered)">
<style>
<!--
/* Font Definitions */
@font-face
{font-family:Tahoma;
panose-1:2 11 6 4 3 5 4 4 2 4;}
/* Style Definitions */
p.MsoNormal, li.MsoNormal, div.MsoNormal
{margin:0in;
margin-bottom:.0001pt;
font-size:12.0pt;
font-family:"Times New Roman";
color:black;}
a:link, span.MsoHyperlink
{color:blue;
text-decoration:underline;}
a:visited, span.MsoHyperlinkFollowed
{color:purple;
text-decoration:underline;}
pre
{margin:0in;
margin-bottom:.0001pt;
font-size:10.0pt;
font-family:"Courier New";
color:black;}
span.emailstyle17
{font-family:Arial;
color:windowtext;}
span.emailstyle19
{font-family:Arial;
color:navy;}
span.EmailStyle20
{font-family:Arial;
color:navy;}
@page Section1
{size:8.5in 11.0in;
margin:1.0in 1.25in 1.0in 1.25in;}
div.Section1
{page:Section1;}
-->
</style>
</head>
<body bgcolor=white lang=EN-US link=blue vlink=purple>
<div class=Section1>
<p class=MsoNormal><font size=2 color=navy face=Arial><span style='font-size:
10.0pt;font-family:Arial;color:navy'>That is what I have found to date in DS
but Mac OSX services does allow this through a mechanism I have yet to explore.
</span></font></p>
<p class=MsoNormal><font size=2 color=navy face=Arial><span style='font-size:
10.0pt;font-family:Arial;color:navy'>It seems like a ripe target for a DS plugin
so the PAM modules in each server could remain stock yet take advantage of
nested groups. I was hoping that someone already had a schema and a plugin to
do this. </span></font></p>
<p class=MsoNormal><font size=2 color=navy face=Arial><span style='font-size:
10.0pt;font-family:Arial;color:navy'> </span></font></p>
<p class=MsoNormal><font size=2 color=navy face=Arial><span style='font-size:
10.0pt;font-family:Arial;color:navy'> </span></font></p>
<p class=MsoNormal style='margin-left:.5in'><font size=2 color=black
face=Tahoma><span style='font-size:10.0pt;font-family:Tahoma;color:windowtext'>-----Original
Message-----<br>
<b><span style='font-weight:bold'>From:</span></b> Rich Megginson
[mailto:rmeggins@redhat.com] <br>
<b><span style='font-weight:bold'>Sent:</span></b> </span></font><font size=2 color=black face=Tahoma><span style='font-size:10.0pt;font-family:Tahoma;
color:windowtext'>Monday, December 10, 2012</span></font><font size=2
color=black face=Tahoma><span style='font-size:10.0pt;font-family:Tahoma;
color:windowtext'> </span></font><font size=2 color=black face=Tahoma><span
style='font-size:10.0pt;font-family:Tahoma;color:windowtext'>2:45 PM</span></font><font
size=2 color=black face=Tahoma><span style='font-size:10.0pt;font-family:Tahoma;
color:windowtext'><br>
<b><span style='font-weight:bold'>To:</span></b> General discussion list for
the 389 Directory server project.<br>
<b><span style='font-weight:bold'>Cc:</span></b> Deas, Jim<br>
<b><span style='font-weight:bold'>Subject:</span></b> Re: [389-users] Nested
groups ldap to PAM</span></font></p>
<p class=MsoNormal style='margin-left:.5in'><font size=3 color=black
face="Times New Roman"><span style='font-size:12.0pt'> </span></font></p>
<p class=MsoNormal style='margin-left:.5in'><font size=3 color=black
face="Times New Roman"><span style='font-size:12.0pt'>On </span></font>12/10/2012 03:24 PM, Deas, Jim wrote: </p>
<p class=MsoNormal style='margin-left:.5in'><font size=2 color=navy face=Arial><span
style='font-size:10.0pt;font-family:Arial;color:navy'>Fedora-DS is what I am
currently using.</span></font></p>
<p class=MsoNormal style='margin-left:.5in'><font size=3 color=black
face="Times New Roman"><span style='font-size:12.0pt'><br>
So if you have a group like this:<br>
<br>
cn=group1,...<br>
member: uid=foo,...<br>
<br>
cn=group2,...<br>
member: uid=bar,...<br>
member: cn=group1,...<br>
<br>
And your client queries group2, you want your client to see<br>
member: uid=foo,...<br>
member: uid=bar,...<br>
<br>
without having to read member: cn=group1 and explicitly expand it?<br>
<br>
389/Fedora DS can't do this.<br>
<br>
<br>
</span></font></p>
<p class=MsoNormal style='margin-left:.5in'><font size=2 color=navy face=Arial><span
style='font-size:10.0pt;font-family:Arial;color:navy'> </span></font></p>
<p class=MsoNormal style='margin-left:1.0in'><font size=2 color=black
face=Tahoma><span style='font-size:10.0pt;font-family:Tahoma;color:windowtext'>-----Original
Message-----<br>
<b><span style='font-weight:bold'>From:</span></b> Rich Megginson [<a
href="mailto:rmeggins@redhat.com">mailto:rmeggins@redhat.com</a>] <br>
<b><span style='font-weight:bold'>Sent:</span></b> </span></font><font size=2 color=black face=Tahoma><span style='font-size:10.0pt;font-family:Tahoma;
color:windowtext'>Monday, December 10, 2012</span></font><font size=2
color=black face=Tahoma><span style='font-size:10.0pt;font-family:Tahoma;
color:windowtext'> </span></font><font size=2 color=black face=Tahoma><span
style='font-size:10.0pt;font-family:Tahoma;color:windowtext'>1:56 PM</span></font><font
size=2 color=black face=Tahoma><span style='font-size:10.0pt;font-family:Tahoma;
color:windowtext'><br>
<b><span style='font-weight:bold'>To:</span></b> General discussion list for
the 389 Directory server project.<br>
<b><span style='font-weight:bold'>Cc:</span></b> Deas, Jim<br>
<b><span style='font-weight:bold'>Subject:</span></b> Re: [389-users] Nested
groups ldap to PAM</span></font></p>
<p class=MsoNormal style='margin-left:1.0in'><font size=3 color=black
face="Times New Roman"><span style='font-size:12.0pt'> </span></font></p>
<p class=MsoNormal style='margin-left:1.0in'><font size=3 color=black
face="Times New Roman"><span style='font-size:12.0pt'>On </span></font>12/10/2012 02:29 PM, Deas, Jim wrote: </p>
<p class=MsoNormal style='margin-left:1.0in'><font size=2 color=black
face=Arial><span style='font-size:10.0pt;font-family:Arial'>I am about to
upgrade our systems to the current version. One of my difficulty’s in the old
version was the lack of nested groups.</span></font></p>
<p class=MsoNormal style='margin-left:1.0in'><font size=2 color=black
face=Arial><span style='font-size:10.0pt;font-family:Arial'>Is there a way with
the current software to create nested groups in openldap</span></font></p>
<p class=MsoNormal style='margin-right:0in;margin-bottom:12.0pt;margin-left:
1.0in'><font size=3 color=black face="Times New Roman"><span style='font-size:
12.0pt'><br>
Not sure what you mean by "in openldap". Are you using 389 or
openldap server?<br>
<br>
</span></font></p>
<p class=MsoNormal style='margin-left:1.0in'><font size=2 color=black
face=Arial><span style='font-size:10.0pt;font-family:Arial'>that will be seen
properly by the linux PAM module and Mac OSX?</span></font></p>
<p class=MsoNormal style='margin-left:1.0in'><font size=2 color=black
face=Arial><span style='font-size:10.0pt;font-family:Arial'> </span></font></p>
<p class=MsoNormal style='margin-left:1.0in'><font size=2 color=black
face=Arial><span style='font-size:10.0pt;font-family:Arial'>Regards,</span></font></p>
<p class=MsoNormal style='margin-left:1.0in'><font size=2 color=black
face=Arial><span style='font-size:10.0pt;font-family:Arial'>JD</span></font></p>
<p class=MsoNormal style='margin-left:1.0in'><font size=3 color=black
face="Times New Roman"><span style='font-size:12.0pt'> </span></font></p>
<p class=MsoNormal style='margin-left:1.0in'><font size=3 color=black
face="Times New Roman"><span style='font-size:12.0pt'> </span></font></p>
<p class=MsoNormal style='margin-left:1.0in'><font size=3 color=black
face="Times New Roman"><span style='font-size:12.0pt'> </span></font></p>
<p class=MsoNormal style='margin-right:0in;margin-bottom:12.0pt;margin-left:
1.0in'><font size=3 color=black face="Times New Roman"><span style='font-size:
12.0pt'><br>
<br>
</span></font></p>
<pre style='margin-left:1.0in'><font size=2 color=black face="Courier New"><span
style='font-size:10.0pt'><fieldset class="mimeAttachmentHeader"></fieldset>--</span></font></pre><pre
style='margin-left:1.0in'><font size=2 color=black face="Courier New"><span
style='font-size:10.0pt'>389 users mailing list</span></font></pre><pre
style='margin-left:1.0in'><font size=2 color=black face="Courier New"><span
style='font-size:10.0pt'><a href="mailto:389-users@lists.fedoraproject.org"
moz-do-not-send=true>389-users@lists.fedoraproject.org</a></span></font></pre><pre
style='margin-left:1.0in'><font size=2 color=black face="Courier New"><span
style='font-size:10.0pt'><a
href="https://admin.fedoraproject.org/mailman/listinfo/389-users"
moz-do-not-send=true>https://admin.fedoraproject.org/mailman/listinfo/389-users</a></span></font></pre>
<p class=MsoNormal style='margin-left:1.0in'><font size=3 color=black
face="Times New Roman"><span style='font-size:12.0pt'> </span></font></p>
<p class=MsoNormal style='margin-left:.5in'><font size=3 color=black
face="Times New Roman"><span style='font-size:12.0pt'><br>
<br>
<br>
<fieldset class="mimeAttachmentHeader"></fieldset></span></font></p>
<pre style='margin-left:.5in'><font size=2 color=black face="Courier New"><span
style='font-size:10.0pt'>--</span></font></pre><pre style='margin-left:.5in'><font
size=2 color=black face="Courier New"><span style='font-size:10.0pt'>389 users mailing list</span></font></pre><pre
style='margin-left:.5in'><font size=2 color=black face="Courier New"><span
style='font-size:10.0pt'><a href="mailto:389-users@lists.fedoraproject.org">389-users@lists.fedoraproject.org</a></span></font></pre><pre
style='margin-left:.5in'><font size=2 color=black face="Courier New"><span
style='font-size:10.0pt'><a
href="https://admin.fedoraproject.org/mailman/listinfo/389-users">https://admin.fedoraproject.org/mailman/listinfo/389-users</a></span></font></pre>
<p class=MsoNormal style='margin-left:.5in'><font size=3 color=black
face="Times New Roman"><span style='font-size:12.0pt'> </span></font></p>
</div>
</body>
</html>