On 05/09/2013 09:58 AM, Wojtak, Greg (Superfly) wrote:
> Thanks for the help. Would a similar solution be to set the
> ldap_access_filter to (&(cn=unix team,...)(cn=server1access,...))
> with the server1access group containing the member's dn's? The
> reason I ask this is so that we can avoid having to assign
> gidnumbers to these groups?
This won't work because the user will only have one or the other
memberOf attribute. You *could* do:
ldap_access_filter = (|(memberOf=cn=unix team,...)(memberOf=cn=server1access,...))
(note the OR there). But the problem with this is that you will need
to update your client configuration manually any time a new group is
added to the nesting. That's why I'd recommend just assigning POSIX
attributes and using the simple access provider.
Also, feel free to open an RFE to request a nested-non-POSIX access
provider extension for LDAP in our bug tracker at
https://fedorahosted.org/sssd
You're not the first person to ask for it, but it's trickier than you
might expect to get it right.
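As an added illustration (not part of the original thread), here is what the two approaches from the reply look like side by side in sssd.conf; the domain name, server URI, search base and the group DNs are placeholders:

```ini
# sssd.conf (added example). All DNs, URIs, ou names and the domain
# name are placeholders; adjust them to the real directory layout.
[sssd]
services = nss, pam
domains = example

[domain/example]
id_provider = ldap
ldap_uri = ldap://ldap.example.com
ldap_search_base = dc=example,dc=com

# Approach 1 (shown for comparison): filter on the user's own memberOf
# values, joined with OR, not AND. A user entry only carries memberOf
# for the groups that list it directly, so every new group added to
# the nesting has to be appended to this filter on every client.
#access_provider = ldap
#ldap_access_order = filter
#ldap_access_filter = (|(memberOf=cn=unix team,ou=groups,dc=example,dc=com)(memberOf=cn=server1access,ou=groups,dc=example,dc=com))

# Approach 2 (the reply's recommendation): give the groups POSIX
# attributes (gidNumber) so SSSD can resolve nested membership through
# the id provider, then use the simple access provider. Groups nested
# under the allowed ones are then picked up without editing clients.
ldap_schema = rfc2307bis
ldap_group_nesting_level = 2
access_provider = simple
simple_allow_groups = unix team, server1access
```

The nesting depth SSSD follows is bounded by ldap_group_nesting_level, so a group placed deeper than that is still not granted access.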