Hello,
So far I have managed to do some setup of the 389 server, thanks to the prompt community.
Now I am having some trouble getting the MemberOf plugin to work for 389-ds-base-1.2.11.15-11. When I add a user to a group, the memberOf attribute is not being added to the user entry.
While googling a bit I came across an older post of this group
http://www.redhat.com/archives/fedora-directory-users/2009-December/msg00165.html
Based on that, I checked dse.ldif, and the plugin configuration also looks good.
dn: cn=MemberOf Plugin,cn=plugins,cn=config
objectClass: top
objectClass: nsSlapdPlugin
objectClass: extensibleObject
cn: MemberOf Plugin
nsslapd-pluginPath: libmemberof-plugin
nsslapd-pluginInitfunc: memberof_postop_init
nsslapd-pluginType: postoperation
nsslapd-pluginEnabled: on
nsslapd-plugin-depends-on-type: database
memberofgroupattr: uniqueMember
memberofattr: memberOf
nsslapd-pluginId: memberof
nsslapd-pluginVersion: 1.2.11.15
nsslapd-pluginVendor: 389 Project
nsslapd-pluginDescription: memberof plugin
modifiersName: cn=directory manager
modifyTimestamp: 20130322162350Z
The way I am adding users:
dn: uid=chandank,ou=People,dc=ma,dc=net
objectclass: person
objectclass: inetorgperson
objectclass: posixAccount
cn: Chandan
sn: k
givenName: chandank
uid: chandank
uidNumber: 5006
gidNumber: 5006
objectclass: mepOriginEntry
mepManagedEntry: cn=chandank
homeDirectory: /home/chandank
loginShell: /bin/bash
The way I am adding them to a group:
dn: cn=sys,ou=Groups,dc=ma,dc=net
changetype: modify
add: uniqueMember
uniqueMember: uid=chandank,ou=People,dc=ma,dc=net
And after I have added the user, I am expecting a memberOf attribute in the user entry itself. I am not sure whether this is the right way to do it.
For the record: having the memberOf attribute in the user entry would allow me to use LDAP access filters in the sssd.conf file, e.g. "ldap_access_filter = memberOf=cn=allowedusers,ou=Groups,dc=example,dc=com", and hence I will be able to restrict users from logging in on different systems.
Thanks Chandan
On 03/22/2013 11:06 AM, Chandan Kumar wrote:
Too bad that google didn't send you here: https://access.redhat.com/knowledge/docs/en-US/Red_Hat_Directory_Server/9.0/html/Administration_Guide/Advanced_Entry_Management.html#groups-cmd-memberof
Specifically: "6.1.4.2. Object Classes Which Support memberof Attributes The most common people object classes — such as inetorgperson and person — do not allow the memberOf attribute. To allow the MemberOf Plug-in to add the memberOf attribute to a user entry, make sure that that entry belongs to the inetUser object class, which does allow the memberOf attribute."
Even in the link you posted: " objectClass: shadowaccount objectClass: inetuser physicalDeliveryOfficeName: Kennebunk ... "
--
-- 389 users mailing list 389-users@lists.fedoraproject.org https://admin.fedoraproject.org/mailman/listinfo/389-users
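The following is an added example, not code from the thread, from 389-ds or from sssd. It models offline what Rich's answer explains and what Chandan wants the attribute for: the MemberOf plugin (memberofgroupattr: uniqueMember, memberofattr: memberOf, as in the posted dse.ldif) can only write memberOf into an entry whose object classes permit that attribute, and an sssd ldap_access_filter of the form memberOf=<group DN> then never matches a user the plugin had to skip. The LDIF inside is constructed from the thread's entries and trimmed; the rule that extensibleObject also permits the attribute (RFC 4512 section 4.3) is my addition, not something the thread recommends; the local filter evaluation is a simplification, since real sssd sends the filter to the directory server.

```python
"""Offline model of the thread's failure: 389-ds's MemberOf plugin writes
memberOf only where the entry's objectClass list permits it, and sssd's
ldap_access_filter then never matches the entries that were skipped."""
from typing import Dict, List

Entry = Dict[str, List[str]]
# inetUser is what the guide Rich quotes says to add; extensibleObject permits
# any attribute (RFC 4512 4.3) and is listed here as an assumption, not advice.
MEMBEROF_CAPABLE = {"inetuser", "extensibleobject"}
MEMBEROF_GROUP_ATTR = "uniquemember"   # memberofgroupattr in the posted config
MEMBEROF_ATTR = "memberof"             # memberofattr in the posted config

def parse_ldif(text: str) -> List[Entry]:
    """LDIF -> one dict per record (lower-cased attribute -> values). Handles
    folded lines, '#' comments and the '-' separator of modify records."""
    logical: List[str] = []
    for raw in text.splitlines() + [""]:
        if raw.startswith(" ") and logical:
            logical[-1] += raw[1:]          # folded continuation line
        else:
            logical.append(raw)
    records: List[Entry] = []
    current: Entry = {}
    for line in logical:
        if line.startswith("#") or line == "-":
            continue
        if not line.strip():                # blank line ends a record
            if current:
                records.append(current)
            current = {}
            continue
        attr, _, value = line.partition(":")
        current.setdefault(attr.strip().lower(), []).append(value.strip())
    return records

def norm_dn(dn: str) -> str:
    """Simplified DN key: case-insensitive, spaces around commas ignored."""
    return ",".join(part.strip().lower() for part in dn.split(","))

def apply_modify_add(entries: Dict[str, Entry], change: Entry) -> None:
    """Apply the 'add:' operations of a 'changetype: modify' record."""
    target = entries[norm_dn(change["dn"][0])]
    for attr in change.get("add", []):
        target.setdefault(attr.lower(), []).extend(change.get(attr.lower(), []))

def simulate_memberof(entries: Dict[str, Entry]) -> Dict[str, str]:
    """Plugin post-op step for each group member; returns member DN -> outcome."""
    outcome: Dict[str, str] = {}
    for group in entries.values():
        for member_dn in group.get(MEMBEROF_GROUP_ATTR, []):
            member = entries[norm_dn(member_dn)]
            if {oc.lower() for oc in member["objectclass"]} & MEMBEROF_CAPABLE:
                member.setdefault(MEMBEROF_ATTR, []).append(group["dn"][0])
                outcome[member_dn] = "memberOf written"
            else:   # schema check rejects the internal modify: thread's symptom
                outcome[member_dn] = "objectClass violation: add inetUser"
    return outcome

def passes_access_filter(entry: Entry, ldap_access_filter: str) -> bool:
    """Plain 'attr=value' form of sssd's ldap_access_filter, evaluated locally
    (equality only; real sssd has the directory server evaluate it)."""
    attr, _, wanted = ldap_access_filter.strip("()").partition("=")
    return any(norm_dn(v) == norm_dn(wanted)
               for v in entry.get(attr.strip().lower(), []))

# Constructed input modelled on the thread's entries, trimmed: the user as
# originally posted (no inetUser), a user that has inetUser, and the group.
USERS_LDIF = """\
dn: uid=chandank,ou=People,dc=ma,dc=net
objectclass: person
objectclass: inetorgperson
objectclass: posixAccount
uid:chandank

dn: uid=fixed,ou=People,dc=ma,dc=net
objectclass: inetorgperson
objectclass: posixAccount
objectclass: inetUser
uid: fixed

dn: cn=sys,ou=Groups,dc=ma,dc=net
objectclass: groupOfUniqueNames
"""
GROUP_MODIFY_LDIF = """\
dn: cn=sys,ou=Groups,dc=ma,dc=net
changetype: modify
add: uniqueMember
uniqueMember: uid=chandank,ou=People,dc=ma,dc=net
uniqueMember: uid=fixed,ou=People,dc=ma,dc=net
-
"""

def run_demo(ldap_access_filter: str = "memberOf=cn=sys,ou=Groups,dc=ma,dc=net"):
    """Returns (outcome per member DN, access-filter result per uid)."""
    entries = {norm_dn(e["dn"][0]): e for e in parse_ldif(USERS_LDIF)}
    for change in parse_ldif(GROUP_MODIFY_LDIF):
        apply_modify_add(entries, change)
    outcome = simulate_memberof(entries)
    access = {e["uid"][0]: passes_access_filter(e, ldap_access_filter)
              for e in entries.values() if "uid" in e}
    return outcome, access
```

Running run_demo() shows the two sides of the fix: the entry with only person/inetorgperson/posixAccount is reported as an objectClass violation and fails the access filter, while the entry that also carries inetUser gets memberOf and passes. The same parse_ldif can be pointed at an LDIF export of ou=People to find every user who will be silently left out of a memberOf-based access filter.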
Hi Rich,
Oops! My bad. Thank you so much for pointing that out. Now I can see the memberOf attribute in my user entries.
Thanks again!
--Chandan
Hello,
I have two questions along the same lines, and the answers will be very helpful.
1)
The MemberOf plugin works wonderfully with SSSD on the client side; however, is it possible to have the same kind of control on the server side?
I mean, could I control a user's authentication on a host machine based on its group or another parameter, very much the same way that I am now doing with memberOf/sssd.conf on the host machine?
2)
I know this is not the IPA group, but in case someone knows: does IPA support that feature on the server side, or using sssd.conf on the host machine?
Any pointers to RTFM would also be helpful. :-)
Thanks Chandan
On 03/27/2013 09:55 AM, Chandan Kumar wrote:
The MemberOf plugin works wonderfully with SSSD on the client side; however, is it possible to have the same kind of control on the server side?
I mean, could I control a user's authentication on a host machine based on its group or another parameter, very much the same way that I am now doing with memberOf/sssd.conf on the host machine?
Not exactly - http://port389.org/wiki/Howto:Netgroups