Hi,

Please find the contents as below.

dn: cn=pradyumna,ou=People,dc=example,dc=com
objectClass: person
objectClass: inetOrgPerson
objectClass: posixAccount
cn: pradyumna
uid: pradyumna
sn: dash
structuralObjectClass: inetOrgPerson
entryUUID: c479788c-5b6d-1030-9d75-19f66ff1c84f
creatorsName: cn=manager,dc=example,dc=com
createTimestamp: 20110815093616Z
uidNumber: 507
gidNumber: 100
homeDirectory: /home/pradyumna
loginShell: /bin/bash
userPassword:: e1NTSEF9Q1lrZTVOQTM5ZUppSVlzL1YwbnR2a0pGemQ1ekVxbWQ=
entryCSN: 20110815130355.986136Z#000000#000#000000
modifiersName: cn=Manager,dc=example,dc=com
modifyTimestamp: 20110815130355Z

dn: cn=m3,ou=Group,dc=example,dc=com
objectClass: posixGroup
objectClass: groupOfNames
gidNumber: 100
cn: m3
structuralObjectClass: groupOfNames
entryUUID: 15582474-5b73-1030-9d76-19f66ff1c84f
creatorsName: cn=manager,dc=example,dc=com
createTimestamp: 20110815101419Z
memberUid: pradyumna
member: cn=test,ou=People,dc=example,dc=com
entryCSN: 20110815130141.119665Z#000000#000#000000
modifiersName: cn=manager,dc=example,dc=com
modifyTimestamp: 20110815130141Z

I think this is what you asked for.

Regards,
Neo

On Mon, Aug 15, 2011 at 6:36 PM, Dmitriy Kirhlarov <dimma@higis.ru> wrote:
15.08.2011 17:24, pradyumna dash wrote:

Hi,

I have created 2 groups and modified the ldap.conf file in the client as
below

nss_base_passwd ou=people,dc=example,dc=com?one
nss_base_shadow ou=people,dc=example,dc=com?one
nss_base_group ou=Group,dc=example,dc=com?one

From the client when I run getent I can see my groups and users, but
when I log in to a user and try id it shows me the primary group not the
secondary groups I have added.

Could you, please, show DN of primary and secondary groups and body of these objects (object classes and attributes).

WBR


I am using SLES 11 SP1.

Regards,
Pradyumna

2011/8/15 Dmitriy Kirhlarov <dimma@higis.ru>


    please, keep a list address in the Cc.

    WNBR


    On 08/14/2011 04:20 PM, pradyumna dash wrote:

        Thank you so much.

        I will try it this week and get back to you in case of any issues.

        Thanks for your time.

        Regards,
        Pradyumna

        2011/8/14 Dmitriy Kirhlarov <dimma@higis.ru>




            On 08/14/2011 03:18 PM, pradyumna dash wrote:

                Hi,

                Thank you so much. I have never worked a lot on nss_ldap so
                asking some basic questions.

                As per you said you guys are running the same in your env.

                ldap:
                personals user groups:
                ou=groups,o=company
                first project groups:
                cn=group1,ou=project1,o=company
                cn=group2,ou=project1,o=company

                -- Do I need to create separate OUs for different groups?


            Up to you.

            You need some "separator" between projects. It can be a branch in the
            tree, or scope "base" in filter configuration from the nss_ldap.conf file.

            We prefer branches. It's more readable, when you have many
            groups and many projects.


                second project groups:
                cn=group1,ou=project2,o=company
                cn=group2,ou=project2,o=company
                -- How can I specify the users who are a part of which group?


            cn=group1,ou=project1,o=company
            objectClass: posixGroup
            cn: group1
            gidNumber: 1000
            description: project1 admin group
            memberUid: user1
            memberUid: user2
            memberUid: user3

                "Server1" nss_ldap.conf:
                nss_base_group          ou=groups,o=company?sub
                nss_base_group          ou=project1,o=company?one
                -- The syntax in the conf file will be like above?? Because I
                have never used ?sub and ?one


            It's URI (http://en.wikipedia.org/wiki/URI_scheme) syntax.
            You should write the second part of the URI (after the connection
            description) with base, scope and filter.


                "Server2" nss_ldap.conf:
                nss_base_group          ou=groups,o=company?sub
                nss_base_group          ou=project2,o=company?one

                Also if you can help, I am trying "pwdReset" for my ldap users, in the
                ppolicy.schema file I have uncommented this attribute but am not able to
                load the schema, if you can give me some pointers it would be
                appreciated.
                What I want is when any user logs in for the first time he will be asked
                to change his password.


            1. try to start slapd with "-d config"
            2. take a look at http://www.zytrax.com/books/ldap/ch6/ppolicy.html

            WBR


                Regards,
                Neo

                I am not an expert in OpenLDAP so please help me.
                2011/8/14 Dmitriy Kirhlarov <dimma@higis.ru>



                    Hi.


                    On 08/12/2011 07:40 PM, Buchan Milne wrote:

                        On Wednesday, 10 August 2011 10:11:17 pradyumna dash wrote:

                            Guys,

                            I have a query, let's take a scenario:

                            Assume we have 2 servers "Server1" and "Server2" and 2
                            groups "Admin" and "ITTech". What is needed is, say, when a user "bob" logs
                            in to "Server1" he will get the group "Admin", but when he
                            logs in to "Server2" he will get group "ITTech". Also it may vary for
                            different users, like when "Kris" logs in to Server1 he may get a group
                            called "ITTech" and when he logs in to "Server2" he will get some other
                            group, say "Security".
                            Can it be possible by OpenLDAP?


                        IMHO, this is a bad idea. It will specifically be problematic if
                        you have any files shared/replicated/backed up between servers (e.g.
                        via NFS).


                    We are using this functionality without any problems. :)
                    This is a feature of nss_ldap.

                    ldap:
                    personals user groups:
                    ou=groups,o=company

                    first project groups:
                    cn=group1,ou=project1,o=company
                    cn=group2,ou=project1,o=company

                    second project groups:
                    cn=group1,ou=project2,o=company
                    cn=group2,ou=project2,o=company

                    "Server1" nss_ldap.conf:
                    nss_base_group          ou=groups,o=company?sub
                    nss_base_group          ou=project1,o=company?one

                    "Server2" nss_ldap.conf:
                    nss_base_group          ou=groups,o=company?sub
                    nss_base_group          ou=project2,o=company?one


                    WBR


                            If this is achieved then we are planning
                            to have SUDO files based on the groups.


                        It would be much more effective to have your sudo rules in LDAP,
                        and apply a rule to a set of users/groups to a collection/netgroup
                        of hosts.

                        Regards,
                        Buchan
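
Added example (not part of the original thread and not nss_ldap's own code): a simplified Python model of how the `nss_base_group` descriptors discussed above (`base?scope`) decide which groups a host reports for a user through `memberUid`. The `staff` and `deep` groups, the gidNumbers other than 1000, and the function names are constructed for illustration; DN matching is plain string comparison.

```python
# Simplified model of nss_ldap search descriptors; sample data is constructed.

def norm(dn):
    """Lower-case a DN and trim its RDNs (escaped commas are not handled)."""
    return ",".join(p.strip().lower() for p in dn.split(","))

def parse_descriptor(line):
    """Turn 'nss_base_group BASE?SCOPE[?FILTER]' into (base, scope)."""
    _, value = line.split(None, 1)
    parts = value.strip().split("?")
    scope = parts[1] if len(parts) > 1 and parts[1] else "sub"  # subtree when omitted
    if scope not in ("base", "one", "sub"):
        raise ValueError("unknown scope: %r" % scope)
    return norm(parts[0]), scope

def in_scope(dn, base, scope):
    """True if dn falls inside the LDAP search scope rooted at base."""
    dn = norm(dn)
    if dn == base:
        return scope in ("base", "sub")
    if scope == "base" or not dn.endswith("," + base):
        return False
    depth = len(dn[: -len(base) - 1].split(","))  # RDNs between dn and base
    return scope == "sub" or depth == 1

def groups_for(uid, conf_lines, entries):
    """Groups listing uid in memberUid that this host's descriptors can see."""
    descriptors = [parse_descriptor(line) for line in conf_lines]
    return sorted(
        (e["cn"], e["gidNumber"]) for e in entries
        if uid in e["memberUid"]
        and any(in_scope(e["dn"], b, s) for b, s in descriptors))

ENTRIES = [  # constructed entries following the thread's tree layout
    {"dn": "cn=staff,ou=groups,o=company", "cn": "staff", "gidNumber": 500, "memberUid": ["user1"]},
    {"dn": "cn=group1,ou=project1,o=company", "cn": "group1", "gidNumber": 1000, "memberUid": ["user1", "user2"]},
    {"dn": "cn=group1,ou=project2,o=company", "cn": "group1", "gidNumber": 2000, "memberUid": ["user2"]},
    {"dn": "cn=deep,ou=sub,ou=project1,o=company", "cn": "deep", "gidNumber": 1001, "memberUid": ["user1"]},
]
SERVER1 = ["nss_base_group          ou=groups,o=company?sub",
           "nss_base_group          ou=project1,o=company?one"]
SERVER2 = ["nss_base_group          ou=groups,o=company?sub",
           "nss_base_group          ou=project2,o=company?one"]

if __name__ == "__main__":
    for host, conf in (("Server1", SERVER1), ("Server2", SERVER2)):
        for uid in ("user1", "user2"):
            print(host, uid, groups_for(uid, conf, ENTRIES))
```

In this sample `user2` resolves `group1` to gidNumber 1000 on Server1 and 2000 on Server2, and the `deep` group is never returned because it sits two levels below a `?one` base.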