Hi colleagues,

HOW to make a posixGroup a memberOf another posixGroup?? ...

nis.schema > posixGroup objectclass:
----------
objectclass ( 1.3.6.1.1.1.2.2 NAME 'posixGroup'
    DESC 'Abstraction of a group of accounts'
    SUP top STRUCTURAL
    MUST ( cn $ gidNumber )
    MAY ( userPassword $ memberUid $ member $ description ) )
-----------
and where is "memberOf"?? It seems it must be present in MUST... IMHO the OpenLDAP Admin Guide promised to add a "memberOf" attr to posixGroup... Can I do it myself?? And what GUI tool can handle this? I'm using http://ldapadmin.sourceforge.net/, but it can't.
vip43@mail.ru wrote:
> HOW to make a posixGroup a memberOf another posixGroup?? ...
You mean nested groups? Deploying posixGroup is the very same concept as Unix groups in /etc/group. And there is no such concept as nested groups there.
> objectclass ( 1.3.6.1.1.1.2.2 NAME 'posixGroup'
>     DESC 'Abstraction of a group of accounts'
>     SUP top STRUCTURAL
>     MUST ( cn $ gidNumber )
>     MAY ( userPassword $ memberUid $ member $ description ) )
>
> and where is "memberOf"??
The attribute 'memberUid' contains the numeric Unix UID of all member users of a 'posixGroup'. But where do you have this declaration with attribute 'member' from? Normally it's not declared with attribute 'member'.
memberOf is a completely different thing. It's a dynamically generated back-link from the user's entry to all the group entries a user is a member of. It cannot be used in conjunction with 'posixGroup' though.
See also the man page slapo-memberof(5).
Ciao, Michael.
Yes, I mean nested groups, ...and IT WORKS! Just because of the 'member' attribute: just add it to the 'posixGroup' objectclass, and you can add members like this:
--
dn: cn=Domain Admin,ou=Groups,dc=my,dc=org
objectClass: posixGroup
objectClass: top
objectClass: sambaGroupMapping
cn: Domain Admin
gidNumber: 43277
memberUid: admin
displayName: Domain Admin
sambaGroupType: 5
sambaSID: S-1-5-21-4294967295-4294967295-4294967295-512
member: cn=IT,ou=Groups,dc=my,dc=org
member: cn=internet,ou=Adv,dc=my,dc=org
--
where IT is another posixGroup. As a result, members of the IT group become 'Domain Admins'. I told you it must work; you try it, I've already tested it with Samba ACL shares (and my Samba looks to LDAP). (..sorry for my English)
----- Original Message -----
From: "Michael Ströder" michael@stroeder.com
To: vip43@mail.ru
Cc: openldap-technical@openldap.org
Sent: Monday, January 21, 2008 9:48 PM
Subject: Re: posixGroup & memberOf
--
Michael Ströder
E-Mail: michael@stroeder.com
http://www.stroeder.com
vip43@mail.ru wrote:
> Yes, I mean nested groups, ...and IT WORKS! Just because of the 'member' attribute: just add it to the 'posixGroup' objectclass, and you can add members like this:
There's no doubt that you can store nested groups in your OpenLDAP database. But the question is whether any LDAP client used (e.g. nss_ldap) evaluates the nested grouping. posixGroup was at first meant for something like nss_ldap.
> where IT is another posixGroup. As a result, members of the IT group become 'Domain Admins'. I told you it must work; you try it, I've already tested it with Samba ACL shares (and my Samba looks to LDAP)
It might work with Samba but may not work with other LDAP clients you're using. You have to check that.
Ciao, Michael.
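As an added example (not code from the thread or from OpenLDAP), this resolves nested posixGroup membership over a constructed LDIF modelled on the entry above: a client that reads only memberUid sees just a group's direct members, while a nesting-aware client has to follow the 'member' DNs into the other groups, and must cope with a membership cycle. Group DNs and user names are hypothetical.

```python
# Constructed example (not from the thread): expand nested posixGroup
# membership by following 'member' DNs.  A client that only reads
# memberUid (nss_ldap-style) sees just the direct members of a group.
from collections import defaultdict

# Constructed sample LDIF; DNs are hypothetical.  Helpdesk -> IT is a cycle.
SAMPLE_LDIF = """\
dn: cn=Domain Admin,ou=Groups,dc=my,dc=org
objectClass: posixGroup
memberUid: admin
member: cn=IT,ou=Groups,dc=my,dc=org

dn: cn=IT,ou=Groups,dc=my,dc=org
objectClass: posixGroup
memberUid: alice
memberUid: bob
member: cn=Helpdesk,ou=Groups,dc=my,dc=org

dn: cn=Helpdesk,ou=Groups,dc=my,dc=org
objectClass: posixGroup
memberUid: carol
member: cn=IT,ou=Groups,dc=my,dc=org
"""


def parse_ldif(text):
    """Return {dn: {attr: [values]}} for simple, unfolded LDIF text."""
    entries = {}
    for block in text.strip().split("\n\n"):
        attrs = defaultdict(list)
        for line in block.splitlines():
            attr, _, value = line.partition(":")
            attrs[attr].append(value.strip())
        entries[attrs["dn"][0]] = attrs
    return entries


def flat_members(entries, dn):
    """Direct memberUid values only: what a memberUid-only client sees."""
    return sorted(entries[dn]["memberUid"])


def nested_members(entries, dn, seen=None):
    """Follow 'member' DNs into other groups; 'seen' breaks cycles."""
    seen = set() if seen is None else seen
    if dn in seen or dn not in entries:
        return set()
    seen.add(dn)
    uids = set(entries[dn]["memberUid"])
    for child in entries[dn]["member"]:
        uids |= nested_members(entries, child, seen)
    return uids
```

Comparing flat_members with nested_members for 'Domain Admin' shows exactly the gap Michael describes: the extra members exist in the directory, but only a client that walks 'member' will ever see them.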