[389-users] Membership of Roles
Andy
racingyacht1 at gmail.com
Thu Sep 5 14:32:54 UTC 2013
I haven't been able to get membership of groups to work in either Liferay or
blog system. The error has to be with my setup groups or the memberOf
plugin. All users have objectclass inetUser. I enabled the memberOf plugin
before creating the test group, and also ran the fixup script when I found
that the group was not working.
Interestingly the blog system recognizes groups that were part of the
initial installation of 389. The group that I need to recognise
uniquemembers for is the group I created call blogEditorGroup.
Screenshot from blog system test of communications with ldap. Note the group
= blogEditorGroup, does not recognise any of the three members created for
the test.
Search Result (max 10 entries)
Group Name
Group Fullname
Group Member
Directory Administrators
Directory Administrators
cn=Directory Manager
Accounting Managers
Accounting Managers
cn=Directory Manager
HR Managers
HR Managers
cn=Directory Manager
QA Managers
QA Managers
cn=Directory Manager
PD Managers
PD Managers
cn=Directory Manager
blogEditorsGroup
blogEditorsGroup
Access log:
[05/Sep/2013:15:15:52 +0100] conn=11 op=0 RESULT err=0 tag=97 nentries=0
etime=0 dn="cn=directory manager"
[05/Sep/2013:15:15:52 +0100] conn=11 op=1 SRCH base="dc=xxxx,dc=com" scope=2
filter="(&(objectClass=groupOfUniqueNames))" attrs="nsUniqueId cn cn
uniqueMember"
[05/Sep/2013:15:15:52 +0100] conn=11 op=1 RESULT err=0 tag=101 nentries=6
etime=0
[05/Sep/2013:15:15:52 +0100] conn=11 op=2 SRCH base="dc=xxxx,dc=com" scope=2
filter="(objectClass=*)" attrs="uid mail cn memberUid"
[05/Sep/2013:15:15:52 +0100] conn=11 op=2 RESULT err=4 tag=101 nentries=10
etime=0 notes=U
[05/Sep/2013:15:15:52 +0100] conn=11 op=3 SRCH base="dc=xxxx,dc=com" scope=2
filter="(|(uniqueMember=))" attrs="cn cn"
[05/Sep/2013:15:15:52 +0100] conn=11 op=3 RESULT err=0 tag=101 nentries=0
etime=0
[05/Sep/2013:15:15:52 +0100] conn=11 op=4 SRCH base="dc=xxxx,dc=com" scope=2
filter="(|(uniqueMember=))" attrs="cn cn"
[05/Sep/2013:15:15:52 +0100] conn=11 op=4 RESULT err=0 tag=101 nentries=0
etime=0
[05/Sep/2013:15:15:52 +0100] conn=11 op=5 SRCH base="dc=xxxx,dc=com" scope=2
filter="(|(uniqueMember=))" attrs="cn cn"
[05/Sep/2013:15:15:52 +0100] conn=11 op=5 RESULT err=0 tag=101 nentries=0
etime=0
[05/Sep/2013:15:15:52 +0100] conn=11 op=6 SRCH base="dc=xxxx,dc=com" scope=2
filter="(|(uniqueMember=))" attrs="cn cn"
[05/Sep/2013:15:15:52 +0100] conn=11 op=6 RESULT err=0 tag=101 nentries=0
etime=0
[05/Sep/2013:15:15:52 +0100] conn=11 op=7 SRCH base="dc=xxxx,dc=com" scope=2
filter="(|(uniqueMember=))" attrs="cn cn"
[05/Sep/2013:15:15:52 +0100] conn=11 op=7 RESULT err=0 tag=101 nentries=0
etime=0
[05/Sep/2013:15:15:52 +0100] conn=11 op=8 SRCH base="dc=xxxx,dc=com" scope=2
filter="(|(uniqueMember=))" attrs="cn cn"
[05/Sep/2013:15:15:52 +0100] conn=11 op=8 RESULT err=0 tag=101 nentries=0
etime=0
[05/Sep/2013:15:15:52 +0100] conn=11 op=9 SRCH base="dc=xxxx,dc=com" scope=2
filter="(|(uniqueMember=))" attrs="cn cn"
[05/Sep/2013:15:15:52 +0100] conn=11 op=9 RESULT err=0 tag=101 nentries=0
etime=0
[05/Sep/2013:15:15:52 +0100] conn=11 op=10 SRCH base="dc=xxxx,dc=com"
scope=2 filter="(|(uniqueMember=))" attrs="cn cn"
[05/Sep/2013:15:15:52 +0100] conn=11 op=10 RESULT err=0 tag=101 nentries=0
etime=0
[05/Sep/2013:15:15:52 +0100] conn=11 op=11 SRCH base="dc=xxxx,dc=com"
scope=2 filter="(|(uniqueMember=))" attrs="cn cn"
[05/Sep/2013:15:15:52 +0100] conn=11 op=11 RESULT err=0 tag=101 nentries=0
etime=0
[05/Sep/2013:15:15:52 +0100] conn=11 op=12 SRCH base="dc=xxxx,dc=com"
scope=2 filter="(|(uniqueMember=))" attrs="cn cn"
[05/Sep/2013:15:15:52 +0100] conn=11 op=12 RESULT err=0 tag=101 nentries=0
etime=0
[05/Sep/2013:15:15:52 +0100] conn=11 op=-1 fd=67 closed - B1
[05/Sep/2013:15:17:12 +0100] conn=12 fd=67 slot=67 connection from
192.168.20.38 to 192.168.20.28
[05/Sep/2013:15:17:12 +0100] conn=12 op=0 BIND dn="cn=Directory Manager"
method=128 version=3
[05/Sep/2013:15:17:12 +0100] conn=12 op=0 RESULT err=0 tag=97 nentries=0
etime=0 dn="cn=directory manager"
[05/Sep/2013:15:17:12 +0100] conn=12 op=1 SRCH base="dc=xxxx,dc=com" scope=2
filter="(objectClass=inetOrgPerson)" attrs="cn"
[05/Sep/2013:15:17:12 +0100] conn=12 op=1 RESULT err=0 tag=101 nentries=4
etime=0 notes=P
[05/Sep/2013:15:17:12 +0100] conn=12 op=2 SRCH base="cn=Test
user1+uid=100001,ou=People,dc=xxxx,dc=com" scope=0 filter="(objectClass=*)"
attrs="uid cn mail cn nsRole title givenName userPassword sn creatorsName
createTimestamp modifiersName modifyTimestamp"
[05/Sep/2013:15:17:12 +0100] conn=12 op=2 RESULT err=0 tag=101 nentries=1
etime=0
[05/Sep/2013:15:17:12 +0100] conn=12 op=3 SRCH
base="uid=100000001,ou=People,dc=xxxx,dc=com" scope=0
filter="(objectClass=*)" attrs="uid cn mail cn nsRole title givenName
userPassword sn creatorsName createTimestamp modifiersName modifyTimestamp"
[05/Sep/2013:15:17:12 +0100] conn=12 op=3 RESULT err=0 tag=101 nentries=1
etime=0
[05/Sep/2013:15:17:12 +0100] conn=12 op=4 SRCH
base="uid=100002,ou=People,dc=xxxx,dc=com" scope=0 filter="(objectClass=*)"
attrs="uid cn mail cn nsRole title givenName userPassword sn creatorsName
createTimestamp modifiersName modifyTimestamp"
[05/Sep/2013:15:17:12 +0100] conn=12 op=4 RESULT err=0 tag=101 nentries=1
etime=0
[05/Sep/2013:15:17:12 +0100] conn=12 op=5 SRCH
base="uid=100003,ou=People,dc=xxxx,dc=com" scope=0 filter="(objectClass=*)"
attrs="uid cn mail cn nsRole title givenName userPassword sn creatorsName
createTimestamp modifiersName modifyTimestamp"
[05/Sep/2013:15:17:12 +0100] conn=12 op=5 RESULT err=0 tag=101 nentries=1
etime=0
From: Andy [mailto:racingyacht1 at gmail.com]
Sent: 03 September 2013 22:23
To: 'General discussion list for the 389 Directory server project.'
Subject: RE: [389-users] Membership of Roles
Jonathan,
That could be the root of the groups issue. I enabled the memberOf plugin
after creating the groups and users.
I will be testing in a few minutes.
From: 389-users-bounces at lists.fedoraproject.org
[mailto:389-users-bounces at lists.fedoraproject.org] On Behalf Of Jonathan
Vaughn
Sent: 03 September 2013 22:02
To: General discussion list for the 389 Directory server project.
Subject: Re: [389-users] Membership of Roles
If you had your users and groups created before enabling memberOf, you'll
need to modify their group membership (per user, easiest would be to add all
to a temporary group then remove the group after memberOf populates) to
trigger memberOf creation. It only gets set on changes, and won't
autogenerate for existing memberships until a change occurs. It WILL
regenerate all memberships even if you change just one, so you can just
throw everyone into a group as I said to trigger it. There was a script in
some FDS / 389DS howto someplace that was supposed to background trigger it,
but I never got it to work.
On Tue, Sep 3, 2013 at 3:47 PM, Andy <racingyacht1 at gmail.com> wrote:
Hi Rich,
I had added the inetUser objectclass on the test cases of groups that
failed. I was wondering if I had incorrectly configured arguments of the
memberOf plugin. I will read the documentation again.
I should be done rebuilding my instance of 389 in an hour or so.
From: Rich Megginson [mailto:rmeggins at redhat.com]
Sent: 03 September 2013 20:47
To: Andy
Cc: 'General discussion list for the 389 Directory server project.'
Subject: Re: [389-users] Membership of Roles
On 09/03/2013 01:22 PM, Andy wrote:
Hi Rich,
I am having the same problem with groups, so I am wondering if I have groups
configured correctly. Especially the configuration of the memberOf plugin.
https://access.redhat.com/site/documentation/en-US/Red_Hat_Directory_Server/
9.0/html/Administration_Guide/Advanced_Entry_Management.html#groups-cmd-memb
erof
Especially this part:
6.1.4.2. Object Classes Which Support memberof Attributes
The most common people object classes - such as inetorgperson and person -
do not allow the memberOf attribute. To allow the MemberOf Plug-in to add
the memberOf attribute to a user entry, make sure that that entry belongs to
the inetUser object class, which does allow the memberOf attribute.
Similarly, if an attribute other than memberOf is used in the user entry,
then make sure that the user entry belongs to an object class that allows
that attribute.
I'm in the process of reconfiguring my instance of ldap, as it was
misbehaving after I tried out various configuration to get roles and groups
to work.
From: Rich Megginson [mailto:rmeggins at redhat.com]
Sent: 03 September 2013 14:48
To: General discussion list for the 389 Directory server project.
Cc: Andy
Subject: Re: [389-users] Membership of Roles
On 09/01/2013 05:50 AM, Andy wrote:
Please find additional information on the configuration of the blog system
My configuration:
AuthenticationModule LDAP
LDAPAuthURL ldap://xxxxx:389/dc=xxxx,dc=com?mail
LDAPAuthBindDN cn=Directory Manager (will replace with application user
account once phase one integration is completed)
LDAPAuthPassword xxxxxx
LDAPAuthSASLMechanism PLAIN (note SSL not yet configured)
ExternalUserManagement 1
ExternalGroupManagement 1
ExternalUserSyncFrequency 60
LDAPGroupNameAttribute cn
LDAPGroupIdAttribute nsUniqueId
LDAPGroupFullNameAttribute cn
LDAPGroupMemberAttribute memberof
LDAPGroupSearchBase ou=customers,dc=xxx,dc=com
LDAPGroupFilter (objectclass=ldapSubEntry)
LDAPUserIdAttribute uid
LDAPUserEmailAttribute mail
LDAPUserFullNameAttribute cn
LDAPUserGroupMemberAttribute nsrole
I think this is going to be problematic, and may not work at all. With
groups, there is an actual group entry, which lists all of the members.
With roles, the role entry does not list all of the members. So a query
like
SRCH base="ou=customers,dc=xxxx,dc=com" scope=2
filter="(&(|(member=cn=xxxxrolecommentertest,ou=customers,dc=xxxx,dc=com))(o
bjectClass=ldapSubEntry))"
will not work because there is no role entry which lists it's members in a
"member" attribute.
If you can configure it to search all of the users, you might be able to do
a search like
SRCH base="ou=customers,dc=xxxx,dc=com" scope=2
filter="(nsRole=cn=xxxxrolecommentertest,ou=customers,dc=xxxx,dc=com)"
Roles will automatically populate each user's entry with the nsRole
attribute. This attribute lists all of the roles to which that user
belongs. nsRole is an operational attribute, so you must explicitly request
it on the command line if you want to see it (e.g. in an ldapsearch
command).
The default settings for OpenLDAP installations are:
Stage 1
Authentication URL
ldap://<FQDN of LDAP server>:389/dc=xxxx,dc=com?mail
Authentication DN
Authentication Password
Password
Test Username
Test email address
Test Password
Password for test user
Stage 2
Group Search Base Attribute
dc=xxx,dc=com
Group Filter Attribute
(objectClass=groupOfUniqueNames)
Attributes
OpenLDAP
User ID Attribute
entryUUID
Email Attribute
mail
User Fullname Attribute
cn
User Member Attribute
uid
GroupID Attribute
entryUUID
Group Name Attribute
cn
Group Fullname Attribute
cn
Group Member Attribute
memberUid
From: Andy [mailto:racingyacht1 at gmail.com]
Sent: 31 August 2013 13:43
To: '389-users at lists.fedoraproject.org'
Subject: Membership of Roles
Hello
I am testing integration of 389-ds with a blogging system. I plan to use
roles instead of groups to automatically give users rights to service on the
blog system. However, I am having problems with the system identifying
members of roles. I need help with defining the correct search parameters to
identify which roles a uid or cn is a member of.
>From within the blog system I'm using LDAPGroupFilter
(objectclass=ldapSubEntry) to list the roles. The roles list correctly as
groups within the blog system.
>From within 389 the members of roles are configured as filtered, and I can
see the configured members using the Directory Server GUI.
The blog system is not identifying members of roles when it does its search
against 389. Note, users can log into the blog system using the accounts
created on 389. I don't think I am applying the correct search criteria to
identify group membership. I need advice on creation of the correct search
criteria for membership of roles/groups.
Sample log from access
[31/Aug/2013:11:09:39 +0100] conn=265 op=0 BIND dn="cn=Directory Manager"
method=128 version=3
[31/Aug/2013:11:09:39 +0100] conn=265 op=0 RESULT err=0 tag=97 nentries=0
etime=0 dn="cn=directory manager"
[31/Aug/2013:11:09:39 +0100] conn=265 op=1 SRCH base="dc=xxxx,dc=com"
scope=2 filter="(&(mail=testuser16 at xxxx.com)(objectClass=*))
<mailto:mail=testuser16 at xxxx.com%29%28objectClass=*%29%29> "
attrs="distinguishedName"
[31/Aug/2013:11:09:39 +0100] conn=265 op=1 RESULT err=0 tag=101 nentries=1
etime=0
[31/Aug/2013:11:09:39 +0100] conn=265 op=2 BIND
dn="uid=1000016,ou=Customers,dc=xxxx,dc=com" method=128 version=3
[31/Aug/2013:11:09:39 +0100] conn=265 op=2 RESULT err=0 tag=97 nentries=0
etime=0 dn="uid=1000016,ou=customers,dc=xxxx,dc=com"
[31/Aug/2013:11:09:39 +0100] conn=265 op=3 BIND dn="cn=Directory Manager"
method=128 version=3
[31/Aug/2013:11:09:39 +0100] conn=265 op=3 RESULT err=0 tag=97 nentries=0
etime=0 dn="cn=directory manager"
[31/Aug/2013:11:09:39 +0100] conn=265 op=4 SRCH base="dc=xxxx,dc=com"
scope=2 filter="(&(mail=testuser16 at xxxx.com)(objectClass=*))
<mailto:mail=testuser16 at xxxx.com%29%28objectClass=*%29%29> " attrs="uid mail
cn mail distinguishedName"
[31/Aug/2013:11:09:39 +0100] conn=265 op=4 RESULT err=0 tag=101 nentries=1
etime=0
[31/Aug/2013:11:09:39 +0100] conn=265 op=5 SRCH base="dc=xxxx,dc=com"
scope=2 filter="(|(uid=1000016))" attrs="nsRole"
[31/Aug/2013:11:09:39 +0100] conn=265 op=5 RESULT err=0 tag=101 nentries=1
etime=0
[31/Aug/2013:11:09:39 +0100] conn=265 op=6 SRCH
base="ou=customers,dc=xxxx,dc=com" scope=2
filter="(&(|(member=cn=xxxxrolecommentertest,ou=customers,dc=xxxx,dc=com))(o
bjectClass=ldapSubEntry))" attrs="cn cn member nsUniqueId"
[31/Aug/2013:11:09:39 +0100] conn=265 op=6 RESULT err=0 tag=101 nentries=0
etime=0
[31/Aug/2013:11:09:39 +0100] conn=265 op=7 UNBIND
[31/Aug/2013:11:09:39 +0100] conn=265 op=7 fd=68 closed - U1
--
389 users mailing list
389-users at lists.fedoraproject.org
https://admin.fedoraproject.org/mailman/listinfo/389-users
--
389 users mailing list
389-users at lists.fedoraproject.org
https://admin.fedoraproject.org/mailman/listinfo/389-users
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.fedoraproject.org/pipermail/389-users/attachments/20130905/0024e610/attachment.html>
More information about the 389-users
mailing list