memberOf task problem
by John A. Sullivan III
Hello, all. We are in the process of upgrading from 8.0 to 8.1. We've
hit a few glitches along the way but most has gone well. However, we
wanted to implement the new memberOf functionality. We successfully
added the plugin by editing dse.ldif and enabled it from the console.
However, we've been unsuccessful in having existing group membership
assigned to the memberOf attribute.
We first tried to run fixup-memberOf.pl but the script does not exist.
There is a template.fixup-memberOf.pl but this does not seem to have
been built into a final script.
We then thought we would use the new task feature of the console. We
went to cn=memberof task,cn=tasks,cn=config and tried to create the task
object. There was no nsDirectoryServerTask objectclass. We added an
nstask but then found there was no basedn attribute we could add. We
then created an extensibleobject instead but still no basedn attribute.
Finally, we resorted to ldapmodify (we hesitated just because we are not
very familiar with the command line tools). First, we did:
dn: cn=fixMemberOf,cn=memberof task,cn=tasks,cn=config
changetype: add
objectclass: top
objectclass: extensibleObject
cn: fixMemberOf
basedn: o=Internal,dc=ssiservices,dc=biz
The Internal Organization has several organizations under it (for
various clients) and then user organizational units under those
organizations. Although it generated no errors, it did not seem to
work. Perhaps I just don't know how to test it. However, the following
did not return any memberOf data:
/usr/lib64/mozldap/ldapsearch -b "ou=Users,o=client1,o=Internal,dc=ssiservices,dc=biz" -D "cn=Directory Manager" -w - -h ldap uid=myid memberOf
Doing
/usr/lib64/mozldap/ldapsearch -b "ou=Users,o=client1,o=Internal,dc=ssiservices,dc=biz" -D "cn=Directory Manager" -w - -h ldap uid=myid
showed me plenty of attributes but nothing for memberOf.
I also tried creating the task with a basedn of
ou=Users,o=client1,o=Internal,dc=ssiservices,dc=biz in case it did not
change objects lower in the tree. Still no success.
Finally I tried:
dn: cn=fixMemberOf,cn=memberof task,cn=tasks,cn=config
changetype: add
objectclass: top
objectclass: nsDirectoryServerTask
cn: fixMemberOf
basedn: o=Internal,dc=ssiservices,dc=biz
adding new entry cn=fixMemberOf,cn=memberof task,cn=tasks,cn=config
ldap_add: Object class violation
ldap_add: additional info: unknown object class "nsDirectoryServerTask"
And received the expected unknown object class error.
What are we doing wrong? Are these documentation bugs? Are there
application bugs or do we simply not know what we are doing with tasks
and memberOf? How do we get the memberOf information into our existing
user objects? Thanks - John
--
John A. Sullivan III
Open Source Development Corporation
+1 207-985-7880
jsullivan(a)opensourcedevel.com
http://www.spiritualoutreach.com
Making Christianity intelligible to secular society
13 years, 9 months
Customizing IDM Console
by Dumbo Q
Is there any way to customize the idm console? I basically just need a tool for add/mod/remove users and groups for authentication. centos-ds worked out of the box for authentication, but I had to manually pick a uid and gid. Is there a way to have idm-console pick the next available id?
If not, has anyone tried Gosa with fedora directory?
14 years, 4 months
Re: [389-users] Best practice for user / group authentication
by Dumbo Q
Thank you for the quick reply.
I also have a question about the posix groups.
To create a user in ds, the idm-console has a form which is quite easy. I can also use this to create "Groups", but they are not unix groups. I assume these are simply to keep organized all the users.
To add a unix group I have to create->new->other, and choose posix group. Then I manually pick the gidnumber. It does not seem to matter where I place this posix group. My first thought is that it is going to get very messy trying to keep track of each user's posixgroup.
Secondly, does this seem like a good plan for authentication structure below?
UnixGroups
  - all posix groups here.
People
  - Vendors
    - CompanyA
    - CompanyB
  - Staff
    - Accounting
    - SysAd
    - Development
    - YadaYada.
But then how would I say users in companyb can only login to some hosts?
14 years, 4 months
Where are the 1.2.0 rpms?
by DANIEL CRISTIAN CRUZ
Sorry,
I didn't find any rpm for 1.2.0...
Where are they?
Regards,
--
Daniel Cristian Cruz
Database Administrator
Direção Regional - Núcleo de Tecnologia da Informação
SENAI - SC
Telephone: 48-3239-1422 (extension 1422)
14 years, 4 months
Fedora-DS Multi Master "no such replica"
by Peter Steen
Hello Folks!
I am setting up two fedora-ds servers, let's call them server one and server two, at two different locations. Both need to be in sync at all times; they keep config for sendmail, dbmail and horde-imp.
Both fedora-ds setups are identical except hostnames.
I have added several schemas in server one, in order to handle sendmail, dbmail and horde + imp. All is working 100%.
Setting up replication with inspiration from http://directory.fedoraproject.org/wiki/Howto:WalkthroughMultimasterSSL and http://www.linuxjournal.com/article/9517 ends up with an error at the next-to-last stage of the Linux Journal guide.
Server one is source and server two is "consumer" in the first attempt to initialize server two from server one.
The result is:
The consumer initialization has unsuccessfully completed.
The error recieved by the replica is: 6 replication error aquiring replica replica: no such replica.
In logfiles I can see on server one that it tries; logfiles at server two say something, but I cannot see server one actually log in.
When doing the telnet test between server one and server two I can access the LDAP servers at port 389.
Also I can do ldapsearch between the two servers without any problem at all.
I am stuck here.
Are schemas not replicated, or what can it be?
Thank you in advance!
Regards //
// Peter Steen
14 years, 4 months
posixGroup
by Dmitry Amirov
Hello.
My question is simple. I need to create a unix group. If I try to do this
via New->Group, then I can't see posixGroup. So I can add posixGroup
only manually by adding the needed attributes. But I want to add it via the console,
the same way I can add a new user.
Thanks
14 years, 4 months
Deleting suffix with command line
by Emmanuel BILLOT
Hi,
Is there any simple method to completely delete a root suffix on the command
line?
When using the UI, FDS seems to execute many different operations and we
need a script to do the same thing.
BR,
--
==========================================
Emmanuel BILLOT
IRD - Orléans
Délégation aux Systèmes d'Information (DSI)
tel: 02 38 49 95 88
==========================================
14 years, 4 months
Best practice for user / group authentication
by Dumbo Q
I want to use centos-ds 8 for centralized authentication. I believe this is derived from fedora-ds 1.1.
I want to know what is the best practice for storing posixgroups. In the event that no DS is available, I want all of my system accounts to function as normal. If I use LDAP to store posixgroups, then all accounts will hang during login if my DS is down. I understand the reason is that even a local user must look at ldap to see what other groups this user belongs to.
Is this something I should be concerned with? Or will services that are already running before losing access to DS function as normal? I have several processes which use ssh to run commands on other machines. I imagine that this will fail, or be extremely delayed waiting for ldap to timeout.
Two things that I could think of which could ease this problem a little.
1. Can I set nsswitch to give up on ldap after x seconds? Thus allowing local users to login without a major delay.
2. Can nscd 'not' expire records if it cannot contact ldap?
14 years, 4 months