<p>I do not know what you mean by DIACAP... ACL I assume means local permissions on the system: I used LDAP accounts with local permissions and I did not experience any problems AFAICT.</p>
<p>Greg.</p>
<div class="gmail_quote">14 Jan 2013 16:48, "Chaudhari, Rohit K." <<a href="mailto:Rohit.Chaudhari@jhuapl.edu">Rohit.Chaudhari@jhuapl.edu</a>> wrote:<br type="attribution"><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">
Is this something that will cause an issue with ACL/DIACAP restrictions?<br>
I'm not sure if you know what those are, but correct me if I'm wrong.<br>
<br>
Thanks.<br>
<br>
On 1/14/13 10:44 AM, "Doug Tucker" <<a href="mailto:tuckerd@lyle.smu.edu">tuckerd@lyle.smu.edu</a>> wrote:<br>
<br>
>It's not going to show you the LDAP users, only the local ones.<br>
><br>
>Sincerely,<br>
><br>
>Doug Tucker<br>
><br>
>On 01/14/2013 09:17 AM, Chaudhari, Rohit K. wrote:<br>
>> The id <ldap-user-name> command works just fine. That is not where I<br>
>> am having the issue. The issue lies in the local Users and Groups<br>
>> list in the RHEL client.<br>
>><br>
>> When I click through System->Administration->Users and Groups, the<br>
>> ldap-user-name is not showing up on that list. How do I get it to<br>
>> show up on that list? This is a concern to me because my bosses are<br>
>> questioning whether the ldap-user-name I created has proper ACL<br>
>> privileges and would meet DIACAP requirements.<br>
>><br>
>> Thanks,<br>
>><br>
>> Rohit<br>
>><br>
>> From: Chandan Kumar <<a href="mailto:chandank.kumar@gmail.com">chandank.kumar@gmail.com</a><br>
>> <mailto:<a href="mailto:chandank.kumar@gmail.com">chandank.kumar@gmail.com</a>>><br>
>> Reply-To: "General discussion list for the 389 Directory server<br>
>> project." <<a href="mailto:389-users@lists.fedoraproject.org">389-users@lists.fedoraproject.org</a><br>
>> <mailto:<a href="mailto:389-users@lists.fedoraproject.org">389-users@lists.fedoraproject.org</a>>><br>
>> Date: Monday, January 7, 2013 1:43 PM<br>
>> To: "General discussion list for the 389 Directory server project."<br>
>> <<a href="mailto:389-users@lists.fedoraproject.org">389-users@lists.fedoraproject.org</a><br>
>> <mailto:<a href="mailto:389-users@lists.fedoraproject.org">389-users@lists.fedoraproject.org</a>>><br>
>> Subject: Re: [389-users] How to set up 389 client<br>
>><br>
>> Sounds a bit strange. What is the output of "id <ldap-user-name>"? If sssd<br>
>> is configured properly this command has to work. Moreover, while you<br>
>> execute this command, watch /var/log/secure.log for any error messages.<br>
>><br>
>> Also disable selinux/Firewall and test.<br>
>><br>
>> On Monday, January 7, 2013, Chaudhari, Rohit K. wrote:<br>
>><br>
>> I configured everything with SSSD as you suggested. I'm able to<br>
>> do successful logins authenticating against the LDAP server, but<br>
>> when I check the Users and Groups list on the client machine, that<br>
>> newly created user isn't added. Thoughts?<br>
>><br>
>> Thanks.<br>
>><br>
>> From: Chandan Kumar <<a href="mailto:chandank.kumar@gmail.com">chandank.kumar@gmail.com</a>><br>
>> Reply-To: "General discussion list for the 389 Directory server<br>
>> project." <<a href="mailto:389-users@lists.fedoraproject.org">389-users@lists.fedoraproject.org</a>><br>
>> Date: Monday, January 7, 2013 1:36 PM<br>
>> To: "General discussion list for the 389 Directory server<br>
>> project." <<a href="mailto:389-users@lists.fedoraproject.org">389-users@lists.fedoraproject.org</a>><br>
>> Subject: Re: [389-users] How to set up 389 client<br>
>><br>
>> Are you using SSSD on the client side or PADL/NSS?<br>
>><br>
>> On Monday, January 7, 2013, Chaudhari, Rohit K. wrote:<br>
>><br>
>> I do specify the POSIX properties on the LDAP side. But when<br>
>> I login with that created user on the client side and check<br>
>> the Users and Groups list on the client machine, it is not<br>
>> listed there. I did avoid the warning message by adding the<br>
>> LDAP user to a group that already exists. I want the user I<br>
>> create in LDAP to become listed in the Users and Groups list<br>
>> on the client (for ACL purposes, if you know anything<br>
>> regarding meeting DIACAP guidelines). Did I miss something?<br>
>><br>
>> Thanks<br>
>><br>
>> From: Chandan Kumar <<a href="mailto:chandank.kumar@gmail.com">chandank.kumar@gmail.com</a>><br>
>> Reply-To: "General discussion list for the 389 Directory<br>
>> server project." <<a href="mailto:389-users@lists.fedoraproject.org">389-users@lists.fedoraproject.org</a>><br>
>> Date: Monday, January 7, 2013 11:39 AM<br>
>> To: "General discussion list for the 389 Directory server<br>
>> project." <<a href="mailto:389-users@lists.fedoraproject.org">389-users@lists.fedoraproject.org</a>><br>
>> Subject: Re: [389-users] How to set up 389 client<br>
>><br>
>> Hello Rohit,<br>
>><br>
>> While creating users you also need to specify POSIX properties<br>
>> for the user.<br>
>><br>
>> In the admin console you need to fill out the POSIX properties details<br>
>> while creating the user. Also make sure you create POSIX<br>
>> groups and associate these new users with the group ID,<br>
>> otherwise at login time you may get a warning message<br>
>> like "id: Group does not exist".<br>
>><br>
>> --<br>
>> <a href="http://about.me/chandank" target="_blank">http://about.me/chandank</a><br>
>><br>
>><br>
>> On Mon, Jan 7, 2013 at 7:27 AM, Chaudhari, Rohit K.<br>
>> <<a href="mailto:Rohit.Chaudhari@jhuapl.edu">Rohit.Chaudhari@jhuapl.edu</a>> wrote:<br>
>><br>
>> Hey Chandan,<br>
>><br>
>> So I got the RHEL client working, but I have an<br>
>> outstanding issue. When I look at the users/groups<br>
>> setting on the client machine, the newly created user that<br>
>> I made on the RHEL LDAP server does not show up on the<br>
>> list. Is this how it is supposed to work? If not, how do<br>
>> I get an LDAP user to become a part of the users and groups<br>
>> list on the RHEL client?<br>
>><br>
>> Thanks,<br>
>><br>
>> Rohit<br>
>><br>
>> From: Chandan Kumar <<a href="mailto:chandank.kumar@gmail.com">chandank.kumar@gmail.com</a>><br>
>> Reply-To: "General discussion list for the 389 Directory<br>
>> server project." <<a href="mailto:389-users@lists.fedoraproject.org">389-users@lists.fedoraproject.org</a>><br>
>> Date: Thursday, December 20, 2012 6:21 PM<br>
>><br>
>> To: "General discussion list for the 389 Directory server<br>
>> project." <<a href="mailto:389-users@lists.fedoraproject.org">389-users@lists.fedoraproject.org</a>><br>
>> Subject: Re: [389-users] How to set up 389 client<br>
>><br>
>> Yes, you do need to replace it with SSSD. If you have a<br>
>> fresh CentOS install, by default it is sssd only.<br>
>><br>
>> The best way would be to use the authconfig tool, as it changes<br>
>> all related files and you don't have to change<br>
>> all of them manually. Moreover, you also need to change the nss.conf<br>
>> file and make sure groups/users have sssd instead of<br>
>> ldap.<br>
>><br>
>> From RHEL 6.4 sssd will be fully supported, and it gives<br>
>> better performance if you intend to integrate many<br>
>> applications with LDAP, as it does not open multiple<br>
>> connections with the directory server.<br>
>><br>
>> I will look that guide again and will try to improve it.<br>
>><br>
>> On Thursday, December 20, 2012, Chaudhari, Rohit K. wrote:<br>
>><br>
>> Okay I will try checking those parameters. I am doing<br>
>> sssd, I used ldap pan before in CentOS 6 and that ha<br>
>><br>
>> --<br>
>> <a href="http://about.me/chandank" target="_blank">http://about.me/chandank</a><br>
>><br>
>><br>
>><br>
>> --<br>
>> 389 users mailing list<br>
>> <a href="mailto:389-users@lists.fedoraproject.org">389-users@lists.fedoraproject.org</a><br>
>> <a href="https://admin.fedoraproject.org/mailman/listinfo/389-users" target="_blank">https://admin.fedoraproject.org/mailman/listinfo/389-users</a><br>
</blockquote></div>
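<p>An added diagnostic for the situation in this thread (not code from the list, from 389 Directory Server or from SSSD): it checks that nsswitch.conf resolves passwd and group through sss, tells a local account in /etc/passwd apart from a directory account that only NSS returns (the Users and Groups tool reads /etc/passwd, so an sssd user is expected to be absent there), and checks that the user's primary GID resolves, which is what the "id: Group does not exist" warning is about. The user names, UIDs, GIDs and config files are constructed samples so the script runs offline; on a real client you would point it at /etc/nsswitch.conf, /etc/passwd and the output of <code>getent passwd</code> and <code>getent group</code>.</p>

```shell
#!/bin/sh
# Added example for this thread (not from the list, 389 or SSSD): the GUI
# Users and Groups tool reads /etc/passwd only, so a user that sssd resolves
# is expected to be missing there. Inputs are constructed samples (offline);
# on a real client use /etc/nsswitch.conf, /etc/passwd, getent passwd/group.

nss_uses_sss() {   # $1 = nsswitch.conf path, $2 = database (passwd|group)
    grep -E "^[[:space:]]*$2:" "$1" | grep -qw sss
}
in_db() {          # $1 = user, $2 = passwd-format file: is the user listed?
    awk -F: -v u="$1" '$1==u {f=1} END {exit f?0:1}' "$2"
}
primary_gid() {    # $1 = user, $2 = "getent passwd" output: print GID field
    awk -F: -v u="$1" '$1==u {print $4}' "$2"
}
gid_known() {      # $1 = gid, $2 = "getent group" output: does it resolve?
    awk -F: -v g="$1" '$3==g {f=1} END {exit f?0:1}' "$2"
}
# local = in /etc/passwd, directory = returned by NSS only, missing = neither
user_source() {    # $1 = user, $2 = local passwd file, $3 = getent output
    if in_db "$1" "$2"; then echo local
    elif in_db "$1" "$3"; then echo directory
    else echo missing; fi
}

# --- constructed sample data ---
D=$(mktemp -d)
cat >"$D/nsswitch.conf" <<'EOF'
passwd:     files sss
group:      files sss
EOF
cat >"$D/passwd" <<'EOF'
root:x:0:0:root:/root:/bin/bash
greg:x:1000:1000:Greg:/home/greg:/bin/bash
EOF
cat >"$D/getent_passwd" <<'EOF'
root:x:0:0:root:/root:/bin/bash
greg:x:1000:1000:Greg:/home/greg:/bin/bash
rohit:*:5001:5001:Rohit (LDAP):/home/rohit:/bin/bash
orphan:*:5002:5999:no POSIX group:/home/orphan:/bin/bash
EOF
cat >"$D/getent_group" <<'EOF'
root:x:0:
greg:x:1000:
ldapusers:*:5001:rohit
EOF

nss_uses_sss "$D/nsswitch.conf" passwd && echo "passwd lookups include sss"
echo "rohit is a $(user_source rohit "$D/passwd" "$D/getent_passwd") user"
gid_known "$(primary_gid orphan "$D/getent_passwd")" "$D/getent_group" || echo "orphan: primary group does not resolve"
```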