I am about to upgrade our systems to the current version. One of my difficulties in the old version was the lack of nested groups. Is there a way with the current software to create nested groups in openldap that will be seen properly by the Linux PAM module and Mac OS X?
Regards, JD
On 12/10/2012 02:29 PM, Deas, Jim wrote:
I am about to upgrade our systems to the current version. One of my difficulties in the old version was the lack of nested groups.
Is there a way with the current software to create nested groups in openldap
Not sure what you mean by "in openldap". Are you using 389 or openldap server?
that will be seen properly by the Linux PAM module and Mac OS X?
Regards,
JD
-- 389 users mailing list 389-users@lists.fedoraproject.org https://admin.fedoraproject.org/mailman/listinfo/389-users
Fedora-DS is what I am currently using.
On 12/10/2012 03:24 PM, Deas, Jim wrote:
Fedora-DS is what I am currently using.
So if you have a group like this:

cn=group1,...
member: uid=foo,...

cn=group2,...
member: uid=bar,...
member: cn=group1,...

And your client queries group2, you want your client to see

member: uid=foo,...
member: uid=bar,...

without having to read member: cn=group1 and explicitly expand it?

389/Fedora DS can't do this.
That is what I have found to date in DS, but Mac OS X services does allow this through a mechanism I have yet to explore. It seems like a ripe target for a DS plugin so the PAM modules in each server could remain stock yet take advantage of nested groups. I was hoping that someone already had a schema and a plugin to do this.
On 12/10/2012 04:17 PM, Deas, Jim wrote:
That is what I have found to date in DS, but Mac OS X services does allow this through a mechanism I have yet to explore.
It seems like a ripe target for a DS plugin so the PAM modules in each server could remain stock yet take advantage of nested groups. I was hoping that someone already had a schema and a plugin to do this.
Please file an RFE ticket at https://fedorahosted.org/389/
On 12/10/2012 01:29 PM, Deas, Jim wrote:
I am about to upgrade our systems to the current version. One of my difficulties in the old version was the lack of nested groups.
Is there a way with the current software to create nested groups in openldap that will be seen properly by the Linux PAM module and Mac OS X?
Linux systems with the 'sss' stack (sssd) rather than PADL's nss_ldap and pam_ldap support nested groups if you're using RFC2307bis. In that case, you should be storing "member" attributes rather than "memberuid". https://docs.fedoraproject.org/en-US/Fedora/14/html/Deployment_Guide/chap-SS...
OS X appears to do its own thing, and expects an apple-group-nestedgroup attribute.
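The client-side expansion Rich describes for group1/group2 (and which sssd performs for you with RFC2307bis "member" attributes) is shown below as an added example; it is not code from the thread, from 389 DS or from sssd. The directory entries are constructed inline, the third group and the cycle it introduces are assumptions added to show why a bounded, cycle-aware walk matters, and groups are recognised simply by being present in the map (a real client would check objectClass instead).

```python
# Added example: expand nested RFC2307bis-style groups on the client side,
# the way a PAM/NSS consumer would need to if the server returns only the
# direct "member" values. Not code from the thread, 389 DS or sssd.
from typing import Dict, List, Set

# Constructed snapshot of the directory: group DN -> its "member" values.
# group3 is an assumption added here; it points back at group2 to create a
# cycle that a naive recursive expander would loop on forever.
GROUPS: Dict[str, List[str]] = {
    "cn=group1,ou=groups,dc=example,dc=com": [
        "uid=foo,ou=people,dc=example,dc=com",
    ],
    "cn=group2,ou=groups,dc=example,dc=com": [
        "uid=bar,ou=people,dc=example,dc=com",
        "cn=group1,ou=groups,dc=example,dc=com",
        "cn=group3,ou=groups,dc=example,dc=com",
    ],
    "cn=group3,ou=groups,dc=example,dc=com": [
        "uid=baz,ou=people,dc=example,dc=com",
        "cn=group2,ou=groups,dc=example,dc=com",
    ],
}

# Upper bound on nesting depth; sssd has a comparable configurable limit.
MAX_DEPTH = 10


def expand_group(group_dn: str,
                 groups: Dict[str, List[str]] = GROUPS,
                 max_depth: int = MAX_DEPTH) -> Set[str]:
    """Return every user DN that is a transitive member of group_dn.

    Groups are walked depth-first; a DN is visited at most once (cycle
    protection) and nesting deeper than max_depth is ignored, so a
    malformed or malicious group graph cannot hang the lookup.
    """
    users: Set[str] = set()
    seen: Set[str] = set()

    def walk(dn: str, depth: int) -> None:
        if dn in seen or depth > max_depth:
            return
        seen.add(dn)
        for member in groups.get(dn, []):
            if member in groups:          # nested group: recurse into it
                walk(member, depth + 1)
            else:                          # leaf: a user entry
                users.add(member)

    walk(group_dn, 0)
    return users
```

Querying group2 yields foo, bar and baz even though only bar is a direct member, and a max_depth of 0 reduces the result to the direct user members, which is exactly what a client without nested-group support sees.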