Thanks for all your help. This is a new ldap server, so I'll try to go
the upgrade route.
For short-term testing of the memberOf restrictions to my CentOS client
system, I've gone ahead and added the inetUser to the objectclass of
a couple of my test users.
I'll see if I can now get filtering to work.
On 2/17/16 6:51 PM, Mark Reynolds wrote:
On 02/17/2016 04:45 PM, Janet Houser wrote:
> Hi Mark,
> Thanks for responding so quickly. Fortunately I'm running
> 184.108.40.206-26, so I should be able to have the memberOf plugin
> automatically add the "inetuser" to my entries if needed.
Sorry this fix was a not released until 220.127.116.11-1. I'm not sure if
you can upgrade or not, if not you'll need to manually add this
objectclass to your user entries.
> I took a look at the document you mentioned (thanks!), and I'm still
> a bit confused (apologies for being thick).
> I'm in the Advanced settings of the MemberOf plugin, and there isn't
> an option to add the attribute "memberofAutoAddOC" and set
> the default value to inetUser.
> An ldapsearch still fails to show any entries with cn=MemberOf
> I'm sure I'm missing the obvious. Any suggestions would be
> On 2/17/16 12:58 PM, Mark Reynolds wrote:
>> The memberOf plugin is trying to add the "memberOf" attribute to the
>> entry, but the entry is missing an objectclass that allows
>> "memberOf". Typically you need to add "objectclass:
>> all your entries for memberOf Plugin to work as you'd expect.
>> If you are using "389-ds-base-1.3.4" or later, the memberOf plugin
>> can automatically add "inetuser" to the entries for you(if it is
>> On 02/17/2016 01:37 PM, houser(a)nso.edu wrote:
>>> I'm new to 389-ds and last week downloaded and installed the software.
>>> I have a running instance of the server, and I've added TLS/SSL.
>>> I've configured a CentOS 7 client to be able to query
>>> the server using TLS/SSL, and all appears working.
>>> I've created users and groups on the 389-ds server successfully.
>>> For each user and group, I've enabled posix attributes and my client
>>> can see the unix users and groups using the "getent password" or
>>> "getent group" commands.
>>> Now, here's where I'm getting tripped up..........
>>> I need to limit which users have access to which systems. I've been
>>> trying to do this via memberOf group limitations.
>>> I found the following online resource
>>> which is close enough to CentOS that the initial commands worked.
>>> I enabled the MemberOf plugin and changed the attributes per the
>>> link, and restarted the system.
>>> I created a test group (that I didn't enable a posix GID) and tried
>>> to add a single user via:
>>> Right click on group -- > click Properties --> then Members -->
>>> click Add --> Search for user --> click Add.
>>> When I try to go this route (which worked before enabling the
>>> memberOf plugin) it worked. Now it seems I get the error:
>>> "Cannot save to directory server.
>>> netscape.ldap.LDAPException: error resiult(65): Object class
>>> And the messages file throws the error
>>> "Entry "uid=test,ou=People,dc=int,dc=com" -- attribute
>>> not allowed
>>> [17/Feb/2016:11:22:58 -0700] memberof-plugin -
>>> memberof_postop_modify: failed to add dn
>>> (cn=testgroup,ou=Groups,dc=int,dc=com) to target. Error (65)"
>>> So it seems my server isn't quite using the memberOf plugin
>>> properly, but I'm not sure what else to enable. I'll have to
>>> solve this issue before
>>> I even try to filter login access via groups on my client system.
>>> I should mention that if I go under the advanced tab for one of the
>>> groups I created, I can add the the attribute "uniquemember", but
>>> I'm not sure what I
>>> should set the "value" to be.
>>> I've tried creating new users to see if I could set their
>>> "uniquemember" attributes, but no luck. It seems that I don't
>>> the ability to set this attribute
>>> on individual users, only groups.
>>> This might not be the right road to head down when trying to
>>> restrict access to servers via groups, so I'm open to any suggestions.
>>> Any suggestions would be appreciated.
>>> 389 users mailing list
>> 389 users mailing list
> 389 users mailing list
389 users mailing list