Hi William,
> I would advise that groupOfNames is a "better" option, as the
> functionality of groupOfUniqueNames is subtle and generally not worth
> the extra effort. MemberOf and most of our tooling is designed to use
> GroupOfNames by default, so perhaps see if that can work for you?
By default, groups will be created with objectclass
"groupofuniquenames" when using the 389 admin console.
How can I configure it to switch to "groupofnames"? Otherwise I can't use
the administration frontend to create groups.
> Generally though, I think that it's better to ask "what are you trying
> to achieve". LDAP isn't really designed to "block" and manage files, as
> it would be a performance limit. If you want to do things like
> dynamically create home directories you could consider pam_oddjobd or
> similar instead.
What we are currently doing is creating a new user (posixAccount), then
triggering a postcreate shell script which
* creates NFS home dir
* sends mail to HR with some details
* creates mail aliases based on givenname/cn
* ...
I read about the log pipe, but I'd like to have a better implementation.
Anyhow, I was asking myself if there's nothing already existing right now :)
Thanks,
Stefan
On 11.09.19 at 01:45, William Brown wrote:
> On 10 Sep 2019, at 22:14, Weigel Stefan <stefan_weigel(a)genua.de> wrote:
>
> Hi,
> I need a little help with two topics:
>
> 1. users should be able to use a simple web frontend to change ldap
> password and manage ssh pubkeys.
> We evaluated Fusion Directory (https://www.fusiondirectory.org/) for this.
> In Fusion Directory group membership is using groupofnames rather than
> groupofuniquenames used in 389. I played around but can't find a
> solution to fix this. I tried to modify
>
> cn=group,cn=defaultobjectclassescontainer,ou=1.1,ou=admin,ou=global
> preferences,ou=genua.de,o=netscaperoot -> nsDefaultObjectClass from
> groupofuniquenames to groupofnames
>
> and renamed
>
> cn=groupofuniquenames,cn=ResourceEditorExtension,ou=1.1,ou=Admin,ou=Global
> Preferences,ou=genua.de,o=netscaperoot
> to
> cn=groupofnames,cn=ResourceEditorExtension,ou=1.1,ou=Admin,ou=Global
> Preferences,ou=genua.de,o=netscaperoot
>
> but in 389-console it shows me message: uniqueMember is not allowed.
>
> Is it possible to change the default object class of the group? How to
> do it?
>
> Otherwise could you point me to a simple webgui to edit values?
389 supports both of these in schema:
################################################################################
#
objectClasses: ( 2.5.6.9 NAME 'groupOfNames'
SUP top
STRUCTURAL
MUST ( cn )
MAY ( member $
businessCategory $
seeAlso $
owner $
ou $
o $
description )
X-ORIGIN 'RFC 4519' )
#
################################################################################
#
objectClasses: ( 2.5.6.17 NAME 'groupOfUniqueNames'
SUP top
STRUCTURAL
MUST ( cn )
MAY ( uniqueMember $
businessCategory $
seeAlso $
owner $
ou $
o $
description )
X-ORIGIN 'RFC 4519' )
I would advise that groupOfNames is a "better" option, as the functionality of
groupOfUniqueNames is subtle and generally not worth the extra effort. MemberOf and most
of our tooling is designed to use GroupOfNames by default, so perhaps see if that can work
for you?
>
> 2. When creating a user object under I want to trigger some post actions
> (create directories, copy files, etc.)
> As I understand this should be possible with the plugins. I'm asking
> myself if there's already such a plugin or could you provide me some
> more infos.
You would likely need to develop this. We have had some interest in a dbus plugin that
can notify on changes in the past, but we haven't had serious requests for this in
some time.
Another option is to write an ldap client that uses syncrepl to monitor for changes which
could then trigger actions as required.
Generally though, I think that it's better to ask "what are you trying to
achieve". LDAP isn't really designed to "block" and manage files, as it
would be a performance limit. If you want to do things like dynamically create home
directories you could consider pam_oddjobd or similar instead.
>
>
>
> Thanks in advance,
>
> Stefan
> _______________________________________________
> 389-users mailing list -- 389-users(a)lists.fedoraproject.org
> To unsubscribe send an email to 389-users-leave(a)lists.fedoraproject.org
> Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/
> List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
> List Archives: https://lists.fedoraproject.org/archives/list/389-users@lists.fedoraproje...
—
Sincerely,
William Brown
Senior Software Engineer, 389 Directory Server
SUSE Labs
--
genua GmbH
Domagkstrasse 7, 85551 Kirchheim bei Muenchen
tel +49 89 991950-0, fax -999,
www.genua.de
Managing Directors: Matthias Ochs, Marc Tesch
Munich District Court, HRB 98238
genua is a company of the Bundesdruckerei Group.
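
An added example, not part of this thread and not 389 Directory Server code: one way to rewrite an LDIF export so that the groupOfUniqueNames entries discussed above use groupOfNames and member instead. uniqueMember has the Name and Optional UID syntax (RFC 4517), so a value may end in a `#'0101'B` bit string that member, a plain DN, cannot hold; the script strips and reports such values and drops the duplicates that stripping creates. The sample DNs, `SAMPLE` and the function names are assumptions made for this example.

```python
import base64
import re

# Optional UID suffix of the Name and Optional UID syntax (RFC 4517): <DN>#'0101'B
UID_SUFFIX = re.compile(r"#'[01]*'B$")
# Constructed sample export; every name and DN here is made up.
SAMPLE = """\
dn: cn=admins,ou=groups,dc=example,dc=com
objectClass: groupOfUniqueNames
cn: admins
uniqueMember: uid=alice,ou=people,dc=example,dc=com
uniqueMember: uid=bob,ou=people,dc=example,dc=com#'0101'B
uniqueMember: uid=Bob,ou=people,dc=example,dc=com
"""

def parse_entries(text):
    """Yield entries as lists of (attr, value): unfolds lines, decodes '::' values."""
    logical = []
    for raw in text.splitlines() + [""]:
        if raw.startswith(" ") and logical:
            logical[-1] += raw[1:]                  # folded continuation line
        elif raw:
            logical.append(raw)
        elif logical:                               # blank line ends the entry
            yield [(a, base64.b64decode(r[1:]).decode() if r[:1] == ":" else r.strip())
                   for a, _, r in (l.partition(":") for l in logical if l[0] != "#")]
            logical = []

def convert_ldif(text):
    """Return (LDIF using groupOfNames/member, uniqueMember values that carried a UID)."""
    out, flagged = [], []
    for entry in parse_entries(text):
        is_group = "groupofuniquenames" in {v.lower() for a, v in entry if a.lower() == "objectclass"}
        seen = set()
        for attr, value in entry:
            if attr.lower() == "objectclass" and value.lower() == "groupofuniquenames":
                attr, value = "objectClass", "groupOfNames"
            elif is_group and attr.lower() == "uniquemember":
                attr, dn = "member", UID_SUFFIX.sub("", value)
                if dn != value:
                    flagged.append(value)           # the UID is dropped: review by hand
                if dn.lower() in seen:              # crude DN comparison (assumption)
                    continue
                seen.add(dn.lower())
                value = dn
            plain = value.isascii() and value.isprintable() and value[:1] not in (" ", ":", "<")
            out.append(f"{attr}: {value}" if plain
                       else f"{attr}:: {base64.b64encode(value.encode()).decode()}")
        out.append("")
    return "\n".join(out), flagged
```

Entries that are not groupOfUniqueNames pass through with their uniqueMember values untouched, and comment lines in the input are not carried over.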