Hi Mark,
Thanks for all your help. This is a new ldap server, so I'll try to go
the upgrade route.
For short-term testing of the memberOf restrictions to my CentOS client
system, I've gone ahead and added the inetUser to the objectclass of
a couple of my test users.
I'll see if I can now get filtering to work.
Cheers,
On 2/17/16 6:51 PM, Mark Reynolds wrote:
On 02/17/2016 04:45 PM, Janet Houser wrote:
> Hi Mark,
>
> Thanks for responding so quickly. Fortunately I'm running
> 1.3.4.0-26, so I should be able to have the memberOf plugin
> automatically add the "inetuser" to my entries if needed.
Sorry, this fix was not released until 1.3.4.5-1. I'm not sure if
you can upgrade or not; if not, you'll need to manually add this
objectclass to your user entries.
Regards,
Mark
>
> I took a look at the document you mentioned (thanks!), and I'm still
> a bit confused (apologies for being thick).
>
> I'm in the Advanced settings of the MemberOf plugin, and there isn't
> an option to add the attribute "memberofAutoAddOC" and set
> the default value to inetUser.
>
> An ldapsearch still fails to show any entries with cn=MemberOf
> Plugin,.....
>
> I'm sure I'm missing the obvious. Any suggestions would be
> appreciated.
>
> Thanks.
>
> On 2/17/16 12:58 PM, Mark Reynolds wrote:
>> The memberOf plugin is trying to add the "memberOf" attribute to the
>> entry, but the entry is missing an objectclass that allows
>> "memberOf". Typically you need to add "objectclass: inetuser" to
>> all your entries for memberOf Plugin to work as you'd expect.
>>
>> If you are using "389-ds-base-1.3.4" or later, the memberOf plugin
>> can automatically add "inetuser" to the entries for you(if it is
>> missing).
>>
>> http://www.port389.org/docs/389ds/design/memberof-auto-add-oc.html
>>
>> Mark
>>
>>
>> On 02/17/2016 01:37 PM, houser(a)nso.edu wrote:
>>> Hi,
>>>
>>> I'm new to 389-ds and last week downloaded and installed the software.
>>>
>>> I have a running instance of the server, and I've added TLS/SSL.
>>> I've configured a CentOS 7 client to be able to query
>>> the server using TLS/SSL, and all appears working.
>>>
>>> I've created users and groups on the 389-ds server successfully.
>>> For each user and group, I've enabled posix attributes and my client
>>> can see the unix users and groups using the "getent password" or
>>> "getent group" commands.
>>>
>>> Now, here's where I'm getting tripped up..........
>>>
>>> I need to limit which users have access to which systems. I've been
>>> trying to do this via memberOf group limitations.
>>>
>>> I found the following online resource
>>>
>>> (https://thornelabs.net/2013/01/28/aix-restrict-server-login-via-ldap-grou...)
>>> which is close enough to CentOS that the initial commands worked.
>>>
>>> I enabled the MemberOf plugin and changed the attributes per the
>>> link, and restarted the system.
>>>
>>> I created a test group (that I didn't enable a posix GID) and tried
>>> to add a single user via:
>>>
>>> Right click on group -- > click Properties --> then Members -->
>>> click Add --> Search for user --> click Add.
>>>
>>> When I try to go this route (which worked before enabling the
>>> memberOf plugin) it worked. Now it seems I get the error:
>>>
>>> "Cannot save to directory server.
>>> netscape.ldap.LDAPException: error result(65): Object class
>>> violation"
>>>
>>> And the messages file throws the error
>>> (/var/log/dirsrv/slapd-<instancename>/errors):
>>>
>>> "Entry "uid=test,ou=People,dc=int,dc=com" -- attribute "memberOf"
>>> not allowed
>>> [17/Feb/2016:11:22:58 -0700] memberof-plugin -
>>> memberof_postop_modify: failed to add dn
>>> (cn=testgroup,ou=Groups,dc=int,dc=com) to target. Error (65)"
>>>
>>> So it seems my server isn't quite using the memberOf plugin
>>> properly, but I'm not sure what else to enable. I'll have to
>>> solve this issue before I even try to filter login access via
>>> groups on my client system.
>>>
>>>
>>> I should mention that if I go under the advanced tab for one of the
>>> groups I created, I can add the attribute "uniquemember", but
>>> I'm not sure what I should set the "value" to be.
>>>
>>> I've tried creating new users to see if I could set their
>>> "uniquemember" attributes, but no luck. It seems that I don't
>>> have the ability to set this attribute on individual users,
>>> only groups.
>>>
>>> This might not be the right road to head down when trying to
>>> restrict access to servers via groups, so I'm open to any suggestions.
>>>
>>> Any suggestions would be appreciated.
>>> --
>>> 389 users mailing list
>>> 389-users@lists.fedoraproject.org
>>>
http://lists.fedoraproject.org/admin/lists/389-users@lists.fedoraproject.org
>>>
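The repair Mark describes, scripted, as an added example that is not part of the thread or of 389-ds itself: pull the DNs that failed with "attribute memberOf not allowed" out of the errors log, emit the LDIF that adds objectclass inetUser to each of them, and emit the alternative LDIF that sets memberofAutoAddOC on the plugin (only honoured on 1.3.4.5-1 or later, per Mark). Assumptions: OpenLDAP client tools (ldapmodify, ldapsearch) are installed; the plugin config entry is cn=MemberOf Plugin,cn=plugins,cn=config (the standard 389-ds location); LDAP_URI, BIND_DN and BASE_DN are placeholder variables the caller exports; the log excerpt inside sample_errors_log is constructed from the lines quoted above, not a real log. Nothing contacts a server unless LDAP_URI is set.

```shell
#!/usr/bin/env bash
# Added example (not from the thread or the 389-ds project).
# Assumed: OpenLDAP client tools; plugin entry at
# cn=MemberOf Plugin,cn=plugins,cn=config; LDAP_URI/BIND_DN/BASE_DN are
# placeholders exported by the caller (use an ldaps:// URI for TLS).

# LDIF modify adding objectclass inetUser to one entry so the schema
# permits memberOf. An 'add' of a value that is already present fails
# with err 20 (type or value exists), so only feed entries that lack it.
add_inetuser_ldif() {
  local dn="$1"
  printf 'dn: %s\nchangetype: modify\nadd: objectClass\nobjectClass: inetUser\n\n' "$dn"
}

# LDIF that makes the plugin add the objectclass itself.
# Only works on 389-ds-base 1.3.4.5-1 or later (see Mark's reply).
autoaddoc_ldif() {
  local oc="${1:-inetUser}"
  printf 'dn: cn=MemberOf Plugin,cn=plugins,cn=config\nchangetype: modify\nreplace: memberofAutoAddOC\nmemberofAutoAddOC: %s\n\n' "$oc"
}

# Constructed sample of /var/log/dirsrv/slapd-<inst>/errors lines
# (same shape as the ones quoted in the thread; not a real log).
sample_errors_log() {
  cat <<'EOF'
[17/Feb/2016:11:22:58 -0700] Entry "uid=test,ou=People,dc=int,dc=com" -- attribute "memberOf" not allowed
[17/Feb/2016:11:22:58 -0700] memberof-plugin - memberof_postop_modify: failed to add dn (cn=testgroup,ou=Groups,dc=int,dc=com) to target. Error (65)
[17/Feb/2016:11:23:10 -0700] Entry "uid=test2,ou=People,dc=int,dc=com" -- attribute "memberOf" not allowed
[17/Feb/2016:11:23:10 -0700] Entry "uid=test,ou=People,dc=int,dc=com" -- attribute "memberOf" not allowed
EOF
}

# Distinct DNs that failed with "attribute memberOf not allowed",
# read from errors-log text on stdin.
dns_from_errors_log() {
  sed -n 's/^.*Entry "\([^"]*\)" -- attribute "memberOf" not allowed.*$/\1/p' | LC_ALL=C sort -u
}

# Filter a client-side access check would use (e.g. sssd's
# ldap_access_filter); after the repair it must return the user.
membership_filter() {
  printf '(&(uid=%s)(memberOf=%s))' "$1" "$2"
}

# One LDIF for every offending DN in the sample log; apply it only when a
# server is configured, otherwise just print it for review.
ldif="$(sample_errors_log | dns_from_errors_log | while IFS= read -r dn; do add_inetuser_ldif "$dn"; done)"
if [ -n "${LDAP_URI:-}" ]; then
  printf '%s\n' "$ldif" | ldapmodify -H "$LDAP_URI" -D "$BIND_DN" -W
  # Verify: the user must now carry a memberOf value for the test group.
  ldapsearch -H "$LDAP_URI" -D "$BIND_DN" -W -b "$BASE_DN" \
    "$(membership_filter test 'cn=testgroup,ou=Groups,dc=int,dc=com')" memberOf
else
  printf '%s\n' "$ldif"
fi
```

Two caveats worth knowing before relying on the search above. memberOf is maintained on writes only: a membership added while the plugin was failing with err 65 will not appear until the membership is re-added or the plugin's fix-up task is run (in 1.3.x that is the fixup-memberof.pl script shipped under the instance directory; path assumed, check your install). And inetUser is the objectclass the plugin needs for memberOf to be schema-legal; it does nothing on its own to restrict logins. The restriction comes from the client (sssd or equivalent) evaluating a memberOf filter like the one membership_filter builds.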