On 10 Sep 2019, at 22:14, Weigel Stefan
<stefan_weigel(a)genua.de> wrote:
Hi,
I need a little help with two topics:
1. users should be able to use a simple web frontend to change ldap
password and manage ssh pubkeys.
We evaluated Fusion Directory (https://www.fusiondirectory.org/) for this.
In Fusion Directory group membership is using groupofnames rather than
groupofuniquenames used in 389. I played around but can't find a
solution to fix this. I tried to modify
cn=group,cn=defaultobjectclassescontainer,ou=1.1,ou=admin,ou=global preferences,ou=genua.de,o=netscaperoot -> nsDefaultObjectClass from groupofuniquenames to groupofnames
and renamed
cn=groupofuniquenames,cn=ResourceEditorExtension,ou=1.1,ou=Admin,ou=Global Preferences,ou=genua.de,o=netscaperoot
to
cn=groupofnames,cn=ResourceEditorExtension,ou=1.1,ou=Admin,ou=Global Preferences,ou=genua.de,o=netscaperoot
but in 389-console it shows me the message: uniqueMember is not allowed.
Is it possible to change the default object class of the group? How to do it?
Otherwise could you point me to a simple webgui to edit values?
389 supports both of these in schema:
################################################################################
#
objectClasses: ( 2.5.6.9 NAME 'groupOfNames'
SUP top
STRUCTURAL
MUST ( cn )
MAY ( member $
businessCategory $
seeAlso $
owner $
ou $
o $
description )
X-ORIGIN 'RFC 4519' )
#
################################################################################
#
objectClasses: ( 2.5.6.17 NAME 'groupOfUniqueNames'
SUP top
STRUCTURAL
MUST ( cn )
MAY ( uniqueMember $
businessCategory $
seeAlso $
owner $
ou $
o $
description )
X-ORIGIN 'RFC 4519' )
I would advise that groupOfNames is a "better" option, as the functionality of
groupOfUniqueNames is subtle and generally not worth the extra effort. MemberOf and most
of our tooling is designed to use GroupOfNames by default, so perhaps see if that can work
for you?
2. When creating a user object under I want to trigger some post actions
(create directories, copy files, etc.)
As I understand this should be possible with the plugins. I'm asking
myself if there's already such a plugin or could you provide me some
more info.
You would likely need to develop this. We have had some interest in a dbus plugin that can
notify on changes in the past, but we haven't had serious requests for this in some
time.
Another option is to write an ldap client that uses syncrepl to monitor for changes which
could then trigger actions as required.
Generally though, I think that it's better to ask "what are you trying to
achieve". LDAP isn't really designed to "block" and manage files, as it
would be a performance limit. If you want to do things like dynamically create home
directories you could consider pam_oddjobd or similar instead.
Thanks in advance,
Stefan
_______________________________________________
389-users mailing list -- 389-users(a)lists.fedoraproject.org
To unsubscribe send an email to 389-users-leave(a)lists.fedoraproject.org
Fedora Code of Conduct:
https://docs.fedoraproject.org/en-US/project/code-of-conduct/
List Guidelines:
https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives:
https://lists.fedoraproject.org/archives/list/389-users@lists.fedoraproje...
—
Sincerely,
William Brown
Senior Software Engineer, 389 Directory Server
SUSE Labs
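As an added example (not from the thread, Fusion Directory or the 389 project), the script below converts groupOfUniqueNames entries in an LDIF export to groupOfNames, rewriting uniqueMember to member. It assumes plain, unfolded LDIF with no base64 values, and it shows the one semantic difference the reply calls "subtle": uniqueMember may carry an optional UID suffix after the DN, which member cannot, so two values that differ only in that suffix collapse to a single member.

```python
# Added example (not from the thread or the 389 project): rewrite
# groupOfUniqueNames entries in unfolded, non-base64 LDIF as groupOfNames.
import re

# uniqueMember is a NameAndOptionalUID (RFC 4517): a DN optionally followed
# by "#" and a bit string such as #'0101'B. groupOfNames' member is a plain
# DN, so that suffix has to go when converting.
_UID_SUFFIX = re.compile(r"#'[01]*'B$")

def parse_ldif(text):
    """Split LDIF into entries, each a list of (attr, value) pairs."""
    entries, current = [], []
    for line in text.splitlines() + [""]:  # sentinel flushes the last entry
        if not line.strip():
            if current:
                entries.append(current)
            current = []
        elif not line.startswith("#"):
            attr, _, value = line.partition(":")
            current.append((attr.strip(), value.strip()))
    return entries

def convert_group(entry):
    """Rewrite a groupOfUniqueNames entry as groupOfNames (others pass through).
    uniqueMember values differing only in UID suffix collapse to one member."""
    classes = {v.lower() for a, v in entry if a.lower() == "objectclass"}
    if "groupofuniquenames" not in classes:
        return entry
    out, seen = [], set()
    for attr, value in entry:
        if attr.lower() == "objectclass" and value.lower() == "groupofuniquenames":
            out.append(("objectClass", "groupOfNames"))
        elif attr.lower() == "uniquemember":
            dn = _UID_SUFFIX.sub("", value).strip()
            if dn.lower() not in seen:  # DNs compared case-insensitively
                seen.add(dn.lower())
                out.append(("member", dn))
        else:
            out.append((attr, value))
    return out

# Constructed sample: one group that lists bob twice, once with a UID suffix.
SAMPLE = """dn: cn=admins,ou=Groups,dc=example,dc=com
objectClass: groupOfUniqueNames
cn: admins
uniqueMember: uid=alice,ou=People,dc=example,dc=com
uniqueMember: uid=bob,ou=People,dc=example,dc=com#'0101'B
uniqueMember: uid=bob,ou=People,dc=example,dc=com
"""
CONVERTED = [convert_group(e) for e in parse_ldif(SAMPLE)]
```

Review the collapsed members before applying such a conversion to a live directory, since a group that relied on UID-qualified duplicates changes meaning.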