Hi list,
I would like to know whether anybody has succeeded in using the memberof overlay for other attributes. I would like a user entry (specifically the host attribute) to be populated when a user is added to a posixGroup. Let's say this posixGroup contains a "hostOfGroup" attribute.
Is it feasible? Or do I need to code my own overlay for that purpose? If writing an overlay is not needed, is there an easier way to do that?
Thanks. Regards,
Vince
Vince Rafale wrote:
> Hi list,
> I would like to know whether anybody has succeeded in using the memberof overlay for other attributes. I would like a user entry (specifically the host attribute) to be populated when a user is added to a posixGroup. Let's say this posixGroup contains a "hostOfGroup" attribute.
> Is it feasible? Or do I need to code my own overlay for that purpose? If writing an overlay is not needed, is there an easier way to do that?
slapo-memberof, as far as I remember, can only work with DN-valued attrs. Using it for generic attrs would definitely require some work, and may be problematic.
p.
Ing. Pierangelo Masarati
OpenLDAP Core Team

SysNet s.r.l.
via Dossi, 8 - 27100 Pavia - ITALIA
http://www.sys-net.it
Office: +39 02 23998309
Mobile: +39 333 4963172
Fax: +39 0382 476497
Email: ando@sys-net.it
On Sunday 26 April 2009 14:34:00 Vince Rafale wrote:
> Hi list,
> I would like to know whether anybody has succeeded in using the memberof overlay for other attributes. I would like a user entry (specifically the host attribute) to be populated when a user is added to a posixGroup. Let's say this posixGroup contains a "hostOfGroup" attribute.
> Is it feasible? Or do I need to code my own overlay for that purpose? If writing an overlay is not needed, is there an easier way to do that?
Sounds like there may be other solutions to your real problem ... e.g. pam_listfile with item=group sense=allow
Regards, Buchan
Buchan Milne wrote:
> On Sunday 26 April 2009 14:34:00 Vince Rafale wrote:
>> Hi list,
>> I would like to know whether anybody has succeeded in using the memberof overlay for other attributes. I would like a user entry (specifically the host attribute) to be populated when a user is added to a posixGroup. Let's say this posixGroup contains a "hostOfGroup" attribute.
>> Is it feasible? Or do I need to code my own overlay for that purpose? If writing an overlay is not needed, is there an easier way to do that?
> Sounds like there may be other solutions to your real problem ... e.g. pam_listfile with item=group sense=allow
Or use the PAM support in the nssov overlay. Setting a user's host attribute to control logins is ridiculous...
Howard Chu wrote :
> Buchan Milne wrote:
>> On Sunday 26 April 2009 14:34:00 Vince Rafale wrote:
>>> Hi list,
>>> I would like to know whether anybody has succeeded in using the memberof overlay for other attributes. I would like a user entry (specifically the host attribute) to be populated when a user is added to a posixGroup. Let's say this posixGroup contains a "hostOfGroup" attribute.
>>> Is it feasible? Or do I need to code my own overlay for that purpose? If writing an overlay is not needed, is there an easier way to do that?
>> Sounds like there may be other solutions to your real problem ... e.g. pam_listfile with item=group sense=allow
> Or use the PAM support in the nssov overlay. Setting a user's host attribute to control logins is ridiculous...
Ok for that overlay. Have you got any tutorial on the use of that overlay? If not, could you please provide some more details on the configuration for that overlay that could suit my need?
Thanks. Regards,
Vince
Vince Rafale wrote:
> Howard Chu wrote :
>> Buchan Milne wrote:
>>> On Sunday 26 April 2009 14:34:00 Vince Rafale wrote:
>>>> Hi list,
>>>> I would like to know whether anybody has succeeded in using the memberof overlay for other attributes. I would like a user entry (specifically the host attribute) to be populated when a user is added to a posixGroup. Let's say this posixGroup contains a "hostOfGroup" attribute.
>>>> Is it feasible? Or do I need to code my own overlay for that purpose? If writing an overlay is not needed, is there an easier way to do that?
>>> Sounds like there may be other solutions to your real problem ... e.g. pam_listfile with item=group sense=allow
>> Or use the PAM support in the nssov overlay. Setting a user's host attribute to control logins is ridiculous...
> Ok for that overlay. Have you got any tutorial on the use of that overlay? If not, could you please provide some more details on the configuration for that overlay that could suit my need?
http://www.openldap.org/devel/cvsweb.cgi/contrib/slapd-modules/nssov/slapo-n...
The relevant point is to create ipHost entries for each host that you want to control logins on, and set the authorizedService attribute to the set of PAM services you want to allow (e.g., login, sshd, gdm, whatever). Then set ACLs on the authorizedService attribute - this will then control what users the nssov overlay allows to login to the given service on a given host. This gives you the full power of the slapd ACL engine, instead of just the 2-3 limited options that the old pam_ldap module provides.
openldap-technical@openldap.org
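
The setup described in the last reply, written out as an added example that is not part of the original thread and not the OpenLDAP project's own configuration. The suffix dc=example,dc=com, the host web01, the posixGroup webadmins, the mdb backend and the choice of compare as the access level are assumptions; the nssov directive names are as given in slapo-nssov(5) and should be checked against your release.

```conf
# slapd.conf fragment (added example; all DNs and names are constructed).
#
# Host entry, loaded separately with ldapadd and shown here for reference.
# ipHost comes from nis.schema, authorizedServiceObject from ldapns.schema:
#
#   dn: cn=web01,ou=hosts,dc=example,dc=com
#   objectClass: device
#   objectClass: ipHost
#   objectClass: authorizedServiceObject
#   cn: web01
#   ipHostNumber: 192.0.2.10
#   authorizedService: sshd
#   authorizedService: login

# Assumption: nssov was built as a loadable module.
moduleload  nssov.la

database    mdb
suffix      "dc=example,dc=com"

# Most specific rule first: slapd applies the first matching "access to".
# Only members of the posixGroup webadmins get access to authorizedService
# on web01. memberUid is not DN-valued, so a set is used, not "by group".
# Assumption: the overlay tests the service with a compare as the user.
access to dn.exact="cn=web01,ou=hosts,dc=example,dc=com" attrs=authorizedService
    by set="[cn=webadmins,ou=groups,dc=example,dc=com]/memberUid & user/uid" compare
    by * none

# Default for every other host entry: nobody passes the service check.
access to dn.subtree="ou=hosts,dc=example,dc=com" attrs=authorizedService
    by * none

# ... the remaining ACLs of this database go here ...

overlay     nssov
nssov-ssd   passwd ldap:///ou=people,dc=example,dc=com??one
nssov-ssd   group  ldap:///ou=groups,dc=example,dc=com??one
nssov-ssd   hosts  ldap:///ou=hosts,dc=example,dc=com??one
# hostservice: authorize against authorizedService in the host's entry.
# uid2dn: map the login name to a DN through the passwd search base.
nssov-pam   hostservice uid2dn
```

With this in place, adding a user to webadmins allows sshd and login on web01 without modifying the user's own entry, which is what the host-attribute approach in the original question was trying to achieve.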