Hi, I need a little help with two topics:
1. Users should be able to use a simple web frontend to change their LDAP password and manage SSH pubkeys. We evaluated Fusion Directory (https://www.fusiondirectory.org/) for this. In Fusion Directory, group membership uses groupofnames rather than the groupofuniquenames used in 389. I played around but can't find a solution to fix this. I tried to modify
cn=group,cn=defaultobjectclassescontainer,ou=1.1,ou=admin,ou=global preferences,ou=genua.de,o=netscaperoot -> nsDefaultObjectClass from groupofuniquenames to groupofnames
and renamed
cn=groupofuniquenames,cn=ResourceEditorExtension,ou=1.1,ou=Admin,ou=Global Preferences,ou=genua.de,o=netscaperoot to cn=groupofnames,cn=ResourceEditorExtension,ou=1.1,ou=Admin,ou=Global Preferences,ou=genua.de,o=netscaperoot
but in 389-console it shows me the message: uniqueMember is not allowed.
Is it possible to change the default object class of the group? How do I do it?
Otherwise, could you point me to a simple web GUI to edit values?
2. When creating a user object under I want to trigger some post actions (create directories, copy files, etc.). As I understand it, this should be possible with the plugins. I'm asking myself whether such a plugin already exists, or could you provide me with some more info.
Thanks in advance,
Stefan
On 10 Sep 2019, at 22:14, Weigel Stefan stefan_weigel@genua.de wrote:
Hi, I need a little help with two topics:
- Users should be able to use a simple web frontend to change their LDAP password and manage SSH pubkeys. We evaluated Fusion Directory (https://www.fusiondirectory.org/) for this. In Fusion Directory, group membership uses groupofnames rather than the groupofuniquenames used in 389. I played around but can't find a solution to fix this. I tried to modify
cn=group,cn=defaultobjectclassescontainer,ou=1.1,ou=admin,ou=global preferences,ou=genua.de,o=netscaperoot -> nsDefaultObjectClass from groupofuniquenames to groupofnames
and renamed
cn=groupofuniquenames,cn=ResourceEditorExtension,ou=1.1,ou=Admin,ou=Global Preferences,ou=genua.de,o=netscaperoot to cn=groupofnames,cn=ResourceEditorExtension,ou=1.1,ou=Admin,ou=Global Preferences,ou=genua.de,o=netscaperoot
but in 389-console it shows me the message: uniqueMember is not allowed.
Is it possible to change the default object class of the group? How do I do it?
Otherwise, could you point me to a simple web GUI to edit values?
389 supports both of these in schema:
################################################################################
#
objectClasses: ( 2.5.6.9 NAME 'groupOfNames' SUP top STRUCTURAL MUST ( cn ) MAY ( member $ businessCategory $ seeAlso $ owner $ ou $ o $ description ) X-ORIGIN 'RFC 4519' )
#
################################################################################
#
objectClasses: ( 2.5.6.17 NAME 'groupOfUniqueNames' SUP top STRUCTURAL MUST ( cn ) MAY ( uniqueMember $ businessCategory $ seeAlso $ owner $ ou $ o $ description ) X-ORIGIN 'RFC 4519' )
I would advise that groupOfNames is a "better" option, as the functionality of groupOfUniqueNames is subtle and generally not worth the extra effort. MemberOf and most of our tooling is designed to use GroupOfNames by default, so perhaps see if that can work for you?
- When creating a user object under I want to trigger some post actions (create directories, copy files, etc.). As I understand it, this should be possible with the plugins. I'm asking myself whether such a plugin already exists, or could you provide me with some more info.
You would likely need to develop this. We have had some interest in a dbus plugin that can notify on changes in the past, but we haven't had serious requests for this in some time.
Another option is to write an ldap client that uses syncrepl to monitor for changes which could then trigger actions as required.
Generally though, I think that it's better to ask "what are you trying to achieve". LDAP isn't really designed to "block" and manage files, as it would be a performance limit. If you want to do things like dynamically create home directories you could consider pam_oddjobd or similar instead.
Thanks in advance,
Stefan
_______________________________________________
389-users mailing list -- 389-users@lists.fedoraproject.org
To unsubscribe send an email to 389-users-leave@lists.fedoraproject.org
Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives: https://lists.fedoraproject.org/archives/list/389-users@lists.fedoraproject....
— Sincerely,
William Brown
Senior Software Engineer, 389 Directory Server
SUSE Labs
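As an added illustration of the migration William suggests (example code written for this page, not code from 389 Directory Server, FusionDirectory, or either poster): the script below reads a groupOfUniqueNames entry in LDIF and emits the ldapmodify LDIF that turns it into a groupOfNames entry, which is the form FusionDirectory expects and the form the memberOf plugin handles by default (its memberofgroupattr setting defaults to member). The sample entry is constructed. The subtle part it has to handle is that uniqueMember uses the NameAndOptionalUID syntax, so a value may carry a trailing #'0101'B that is not part of the DN and must be dropped (and may leave two values collapsing to one DN) before the value can be stored in member. It assumes the server lets a single modify operation replace the structural object class, which 389 permits and OpenLDAP does not; it does not touch the console's default-object-class setting, which is a separate question.

```python
import base64
import re
from typing import Dict, List, Tuple

# Constructed sample entry: a group as the 389 console creates it by default. One
# uniqueMember carries the optional UID bit string that the NameAndOptionalUID
# syntax (RFC 4517) allows, and one value is line-folded as LDIF permits.
SAMPLE_LDIF = """\
dn: cn=admins,ou=Groups,dc=example,dc=com
objectClass: top
objectClass: groupOfUniqueNames
cn: admins
description: Directory administrators
uniqueMember: uid=alice,ou=People,dc=example,dc=com
uniqueMember: uid=bob,ou=People,dc=example,dc=com#'0101'B
uniqueMember: uid=carol,ou=People,
 dc=example,dc=com
"""

# A trailing "#" + quoted bit string + "B" is the optional UID part of a uniqueMember value.
_OPTIONAL_UID = re.compile(r"#'[01]*'B$")


def parse_ldif_entry(text: str) -> Tuple[str, Dict[str, List[str]]]:
    """Parse one LDIF entry (folded lines and base64 values handled) into (dn, attrs).

    Attribute names are lower-cased because LDAP treats them case-insensitively.
    """
    lines: List[str] = []
    for raw in text.splitlines():
        if raw.startswith(" ") and lines:          # continuation of the previous line
            lines[-1] += raw[1:]
        elif raw and not raw.startswith("#"):
            lines.append(raw)
    dn = None
    attrs: Dict[str, List[str]] = {}
    for line in lines:
        name, _, value = line.partition(":")
        if value.startswith(":"):                  # "attr:: <base64>"
            value = base64.b64decode(value[1:].strip()).decode("utf-8")
        else:
            value = value.strip()
        if name.lower() == "dn":
            dn = value
        else:
            attrs.setdefault(name.lower(), []).append(value)
    if dn is None:
        raise ValueError("LDIF entry has no dn")
    return dn, attrs


def ldif_line(name: str, value: str) -> str:
    """Format one LDIF line, base64-encoding values RFC 2849 does not allow in plain form."""
    plain = (value.isascii() and value.isprintable()
             and value[:1] not in ("", " ", ":", "<") and not value.endswith(" "))
    if plain:
        return f"{name}: {value}"
    return f"{name}:: {base64.b64encode(value.encode('utf-8')).decode('ascii')}"


def unique_member_to_dn(value: str) -> str:
    """Drop the optional UID so the value is a plain DN that fits the 'member' attribute."""
    return _OPTIONAL_UID.sub("", value).strip()


def group_to_modify_ldif(entry_text: str) -> str:
    """Emit the ldapmodify LDIF that turns a groupOfUniqueNames entry into groupOfNames.

    All three changes go into one modify operation, so the entry is never left in a
    state where member or uniqueMember is present without an object class allowing it.
    """
    dn, attrs = parse_ldif_entry(entry_text)
    classes = attrs.get("objectclass", [])
    if not any(c.lower() == "groupofuniquenames" for c in classes):
        raise ValueError(f"{dn} is not a groupOfUniqueNames entry")
    new_classes = ["groupOfNames" if c.lower() == "groupofuniquenames" else c for c in classes]
    members: List[str] = []
    seen = set()
    for value in attrs.get("uniquemember", []):
        member_dn = unique_member_to_dn(value)
        key = member_dn.casefold()                 # values differing only in the UID part collapse to one DN
        if key not in seen:
            seen.add(key)
            members.append(member_dn)
    out = [ldif_line("dn", dn), "changetype: modify", "replace: objectClass"]
    out += [ldif_line("objectClass", c) for c in new_classes]
    out.append("-")
    if members:
        out += ["add: member"] + [ldif_line("member", m) for m in members] + ["-"]
    if "uniquemember" in attrs:
        out += ["delete: uniqueMember", "-"]
    return "\n".join(out) + "\n"


if __name__ == "__main__":
    print(group_to_modify_ldif(SAMPLE_LDIF))
```

Feed the output to ldapmodify against a copy of the data first and confirm with ldapsearch that the converted group still lists every DN you expect; if the memberOf plugin is enabled, a fixup task (or re-adding the members) is needed afterwards so the users' memberOf values are recomputed from member rather than from the attribute that no longer exists.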
Hi William,
I would advise that groupOfNames is a "better" option, as the functionality of groupOfUniqueNames is subtle and generally not worth the extra effort. MemberOf and most of our tooling is designed to use GroupOfNames by default, so perhaps see if that can work for you?
By default, groups will be created with objectclass "groupofuniquenames" when using the 389 admin console. How can I configure it to switch to "groupofnames"? Otherwise I can't use the administration frontend to create groups.
Generally though, I think that it's better to ask "what are you trying to achieve". LDAP isn't really designed to "block" and manage files, as it would be a performance limit. If you want to do things like dynamically create home directories you could consider pam_oddjobd or similar instead.
What we are currently doing is create a new user (posixAccount), then trigger a postcreate shell script which
* creates the NFS home dir
* sends mail to HR with some details
* creates mail aliases based on givenname/cn
* ...
I read about the log pipe, but I'd like to have a better implementation. Anyhow, I was asking myself whether something already exists right now :)
Thanks,
Stefan
On 11 Sep 2019, at 01:45, William Brown wrote:
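As an added example of the design William recommends, a separate client that watches the directory for changes and runs the post-create actions off the server's write path, with the actions Stefan lists (NFS home directory, HR notification, mail alias) as the work it does. This is example code written for this page, not 389 Directory Server code and not Stefan's postcreate script. The change feed is simulated with constructed entries; the real wiring (python-ldap's SyncreplConsumer callbacks, or a periodic search on createTimestamp) is assumed and not shown, and the home root and alias file are temporary paths. Two properties matter for a consumer like this and are what the block demonstrates: it is idempotent on entryUUID, because syncrepl refresh phases and reconnects redeliver entries it has already seen, and it validates uid, homeDirectory and the name-derived alias before acting, because anyone with write access to those attributes would otherwise steer a privileged script (path traversal out of the NFS root, odd characters into an aliases file).

```python
import os
import re
import tempfile
import unicodedata
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Set, Tuple, Union

# Attribute values are written by whoever holds write access to the directory, and this
# consumer creates directories and alias entries with its own (typically root) privileges,
# so values are validated and unexpected ones are rejected rather than cleaned up.
SAFE_UID = re.compile(r"^[a-z_][a-z0-9_-]{0,31}$")
SAFE_ALIAS = re.compile(r"^[a-z0-9][a-z0-9._-]{0,63}$")

Entry = Tuple[str, Dict[str, List[str]]]          # (dn, attributes) as a sync feed hands them over
Outcome = Union[List[str], str]                   # actions taken, or a "rejected: ..." message


@dataclass
class Provisioner:
    home_base: str                                # NFS home root; every homeDirectory must resolve below it
    alias_file: str                               # aliases(5)-style file that gets one line per new user
    done: Set[str] = field(default_factory=set)   # entryUUIDs already handled (assumption: in memory; persist it in production)

    def handle_entry(self, dn: str, attrs: Dict[str, List[str]]) -> List[str]:
        """Post-create actions for one entry; returns the actions taken, [] when nothing applies."""
        if "posixaccount" not in {c.lower() for c in attrs.get("objectClass", [])}:
            return []
        uuid = attrs["entryUUID"][0]
        if uuid in self.done:                     # refresh phases and reconnects redeliver entries
            return []
        uid = attrs["uid"][0]
        if not SAFE_UID.match(uid):
            raise ValueError(f"{dn}: unsafe uid {uid!r}")
        base = os.path.realpath(self.home_base)
        home = os.path.realpath(attrs["homeDirectory"][0])
        if home == base or os.path.commonpath([home, base]) != base:
            raise ValueError(f"{dn}: homeDirectory {home!r} is outside {base!r}")
        actions: List[str] = []
        if not os.path.isdir(home):
            os.makedirs(home, mode=0o700)
            os.chmod(home, 0o700)                 # makedirs is subject to umask; enforce the mode explicitly
            # Production would chown to uidNumber/gidNumber here (needs root; omitted).
            actions.append(f"mkdir {home}")
        alias = self.mail_alias(attrs)
        if alias:
            with open(self.alias_file, "a", encoding="utf-8") as fh:
                fh.write(f"{alias}: {uid}\n")
            actions.append(f"alias {alias} -> {uid}")
        actions.append(f"notify-hr uid={uid} dn={dn}")   # stand-in for the mail to HR
        self.done.add(uuid)
        return actions

    @staticmethod
    def mail_alias(attrs: Dict[str, List[str]]) -> Optional[str]:
        """givenName.sn, lower-cased and ASCII-folded; None when it cannot be made safe (handle by hand)."""
        given = attrs.get("givenName", [""])[0]
        sn = attrs.get("sn", [""])[0]
        if not given or not sn:
            return None
        folded = unicodedata.normalize("NFKD", f"{given}.{sn}").encode("ascii", "ignore").decode().lower()
        return folded if SAFE_ALIAS.match(folded) else None


def run_feed(prov: Provisioner, feed: List[Entry]) -> List[Tuple[str, Outcome]]:
    """Consume a feed in order; a rejected entry is reported, not allowed to stop the consumer."""
    results: List[Tuple[str, Outcome]] = []
    for dn, attrs in feed:
        try:
            results.append((dn, prov.handle_entry(dn, attrs)))
        except (ValueError, KeyError) as exc:
            results.append((dn, f"rejected: {exc}"))
    return results


def demo() -> List[Tuple[str, Outcome]]:
    """Constructed feed: a new user, that user redelivered, a path-traversal attempt, a group."""
    base = tempfile.mkdtemp(prefix="nfshome-")
    posix = ["top", "person", "inetOrgPerson", "posixAccount"]
    alice = {"objectClass": posix, "entryUUID": ["2c1b6a3e-9d0d-4f6b-8f1c-000000000001"],
             "uid": ["alice"], "givenName": ["Alice"], "sn": ["Example"],
             "homeDirectory": [os.path.join(base, "alice")]}
    mallory = {"objectClass": posix, "entryUUID": ["2c1b6a3e-9d0d-4f6b-8f1c-000000000002"],
               "uid": ["mallory"], "givenName": ["Mallory"], "sn": ["Escape"],
               "homeDirectory": [os.path.join(base, "..", "escape")]}
    staff = {"objectClass": ["top", "groupOfNames"], "cn": ["staff"],
             "entryUUID": ["2c1b6a3e-9d0d-4f6b-8f1c-000000000003"]}
    feed: List[Entry] = [("uid=alice,ou=People,dc=example,dc=com", alice),
                         ("uid=alice,ou=People,dc=example,dc=com", alice),   # redelivery
                         ("uid=mallory,ou=People,dc=example,dc=com", mallory),
                         ("cn=staff,ou=Groups,dc=example,dc=com", staff)]
    return run_feed(Provisioner(base, os.path.join(base, "aliases.new")), feed)


if __name__ == "__main__":
    for dn, outcome in demo():
        print(dn, outcome)
```

Run it as its own service account with a bind that can only read the attributes it needs and with filesystem rights limited to the NFS root, keep the set of handled entryUUIDs on disk so a restart does not redo or miss work, and let rejected entries surface in a log someone reads; a consumer that silently "fixes" a bad homeDirectory is exactly the script the directory's writers would learn to aim.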