Hi,
I have created 2 groups and modified the ldap.conf file on the client as below:
nss_base_passwd ou=people,dc=example,dc=com?one
nss_base_shadow ou=people,dc=example,dc=com?one
nss_base_group ou=Group,dc=example,dc=com?one
From the client, when I run getent I can see my groups and users, but when I log in as a user and run id it shows me the primary group, not the secondary groups I have added.
I am using SLES 11 SP1.
Regards, Pradyumna
2011/8/15 Dmitriy Kirhlarov <dimma@higis.ru>
Please keep the list address in the Cc.
WNBR
On 08/14/2011 04:20 PM, pradyumna dash wrote:
Thank you so much.
I will try it this week and get back to you in case of any issues.
Thanks for your time.
Regards, Pradyumna
2011/8/14 Dmitriy Kirhlarov <dimma@higis.ru>
On 08/14/2011 03:18 PM, pradyumna dash wrote:
Hi, Thank you so much. I have never worked a lot on nss_ldap, so I am asking some basic questions. As you said, you guys are running the same in your env.
ldap:
personal user groups: ou=groups,o=company
first project groups:
cn=group1,ou=project1,o=company
cn=group2,ou=project1,o=company
-- Do I need to create separate OUs for different groups?
Up to you.
You need some "separator" between projects. It can be a branch in the tree, or scope "base" in the filter configuration in the nss_ldap.conf file.
We prefer branches. It's more readable when you have many groups and many projects.
second project groups:
cn=group1,ou=project2,o=company
cn=group2,ou=project2,o=company
-- How can I specify which users are a part of which group?
cn=group1,ou=project1,o=company
objectClass: posixGroup
cn: group1
gidNumber: 1000
description: project1 admin group
memberUid: user1
memberUid: user2
memberUid: user3
"Server1" nss_ldap.conf:
nss_base_group ou=groups,o=company?sub
nss_base_group ou=project1,o=company?one
-- Will the syntax in the conf file be like the above? Because I have never used ?sub and ?one.
It's URI (http://en.wikipedia.org/wiki/URI_scheme) syntax. You should write the second part of the URI (after the connection description) with base, scope and filter.
"Server2" nss_ldap.conf:
nss_base_group ou=groups,o=company?sub
nss_base_group ou=project2,o=company?one
Also, if you can help, I am trying "pwdReset" for my ldap users. In the ppolicy.schema file I have uncommented this attribute but am not able to load the schema; if you can give me some pointers it would be appreciated. What I want is that when any user logs in for the first time he will be asked to change his password.
- try to start slapd with "-d config"
- take a look at http://www.zytrax.com/books/ldap/ch6/ppolicy.html
WBR
Regards, Neo
I am not an expert in OpenLDAP so please help me.
2011/8/14 Dmitriy Kirhlarov <dimma@higis.ru>
Hi.
On 08/12/2011 07:40 PM, Buchan Milne wrote:
On Wednesday, 10 August 2011 10:11:17 pradyumna dash wrote:
Guys, I have a query, let's take a scenario: Assume we have 2 servers "Server1" and "Server2" and 2 groups "Admin" and "ITTech". What is needed is, say, when a user "bob" logs in to "Server1" he will get the group "Admin", but when he logs in to "Server2" he will get group "ITTech". Also it may vary for different users: when "Kris" logs in to Server1 he may get a group called "ITTech" and when he logs in to "Server2" he will get some other group, say "Security". Can it be possible with OpenLDAP?
IMHO, this is a bad idea. It will specifically be problematic if you have any files shared/replicated/backed up between servers (e.g. via NFS).
We are using this functionality without any problems. :) This is a feature of nss_ldap.
ldap:
personal user groups: ou=groups,o=company
first project groups:
cn=group1,ou=project1,o=company
cn=group2,ou=project1,o=company
second project groups:
cn=group1,ou=project2,o=company
cn=group2,ou=project2,o=company
"Server1" nss_ldap.conf:
nss_base_group ou=groups,o=company?sub
nss_base_group ou=project1,o=company?one
"Server2" nss_ldap.conf:
nss_base_group ou=groups,o=company?sub
nss_base_group ou=project2,o=company?one
WBR
If this is achieved then we are planning to have SUDO files based on the groups.
It would be much more effective to have your sudo rules in LDAP, and apply a rule to a set of users/groups to a collection/netgroup of hosts.
Regards, Buchan
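The per-host group scoping Dmitriy describes above (shared groups under ou=groups fetched with ?sub, each host's project branch fetched with ?one) can be modelled offline. The following is an added example, not nss_ldap code and not from the thread: the directory contents, the gidNumbers and the "cn=deep" entry are constructed, DN handling is simplified (no escaping, case-insensitive RDN comparison), and a missing scope is taken to mean "sub", which is nss_ldap's documented default and is treated as an assumption here.

```python
"""
Offline model of how nss_ldap's nss_base_group lines pick group entries.

Added example, not nss_ldap code. The directory is constructed to match the
layout from the thread (shared groups under ou=groups, per-project groups
under ou=projectN), so the effect of "?one" versus "?sub" on two differently
configured hosts can be seen without a live server.
"""

# Constructed directory: DN -> attributes. "cn=deep" sits one level below
# ou=project1 to show what "?one" leaves out.
DIRECTORY = {
    "cn=staff,ou=groups,o=company": {
        "objectClass": ["posixGroup"], "cn": ["staff"], "gidNumber": ["2000"],
        "memberUid": ["bob", "kris"]},
    "cn=group1,ou=project1,o=company": {
        "objectClass": ["posixGroup"], "cn": ["group1"], "gidNumber": ["1000"],
        "memberUid": ["user1", "user2", "user3", "bob"]},
    "cn=group2,ou=project1,o=company": {
        "objectClass": ["posixGroup"], "cn": ["group2"], "gidNumber": ["1001"],
        "memberUid": ["kris"]},
    "cn=deep,ou=sub,ou=project1,o=company": {
        "objectClass": ["posixGroup"], "cn": ["deep"], "gidNumber": ["1500"],
        "memberUid": ["bob"]},
    "cn=group1,ou=project2,o=company": {
        "objectClass": ["posixGroup"], "cn": ["group1"], "gidNumber": ["1002"],
        "memberUid": ["kris"]},
    "cn=group2,ou=project2,o=company": {
        "objectClass": ["posixGroup"], "cn": ["group2"], "gidNumber": ["1003"],
        "memberUid": ["bob"]},
}

# The two host configurations quoted in the thread.
SERVER1 = ["nss_base_group ou=groups,o=company?sub",
           "nss_base_group ou=project1,o=company?one"]
SERVER2 = ["nss_base_group ou=groups,o=company?sub",
           "nss_base_group ou=project2,o=company?one"]


def parse_nss_base(line):
    """Split 'nss_base_group base?scope?filter' into (keyword, base, scope, filter).
    A missing scope is taken as 'sub' (assumed nss_ldap default)."""
    keyword, _, uri = line.strip().partition(" ")
    parts = uri.split("?")
    base = parts[0]
    scope = parts[1] if len(parts) > 1 and parts[1] else "sub"
    flt = parts[2] if len(parts) > 2 else ""
    return keyword, base, scope, flt


def in_scope(dn, base, scope):
    """True if `dn` is selected by a search at `base` with LDAP scope base/one/sub."""
    dn_parts = [p.strip() for p in dn.lower().split(",")]
    base_parts = [p.strip() for p in base.lower().split(",")]
    if dn_parts[-len(base_parts):] != base_parts:
        return False          # not under the base at all
    depth = len(dn_parts) - len(base_parts)
    if scope == "base":
        return depth == 0
    if scope == "one":
        return depth == 1     # direct children only
    if scope == "sub":
        return True           # base and everything beneath it
    raise ValueError("unknown scope: %s" % scope)


def groups_for_user(config_lines, uid, directory=DIRECTORY):
    """Supplementary groups `uid` would be given on a host with these
    nss_base_group lines, as a gid-sorted list of (cn, gid)."""
    found = {}
    for line in config_lines:
        keyword, base, scope, _ = parse_nss_base(line)
        if keyword != "nss_base_group":
            continue
        for dn, attrs in directory.items():
            if "posixGroup" not in attrs.get("objectClass", []):
                continue
            if in_scope(dn, base, scope) and uid in attrs.get("memberUid", []):
                found[dn] = (attrs["cn"][0], int(attrs["gidNumber"][0]))
    return sorted(found.values(), key=lambda g: g[1])


if __name__ == "__main__":
    for host, cfg in (("Server1", SERVER1), ("Server2", SERVER2)):
        for user in ("bob", "kris"):
            print(host, user, groups_for_user(cfg, user))
```

Running it shows bob getting group1 (gid 1000) on Server1 and group2 (gid 1003) on Server2, while the "?one" scope keeps cn=deep out of Server1's view. It also makes Buchan's caveat concrete: the name "group1" maps to gid 1000 on Server1 and gid 1002 on Server2, so any file or backup that travels between the hosts carries a gid that means something different on each side; keeping gidNumbers unique across the whole directory, whatever the branch layout, limits that confusion.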
On 15.08.2011 17:24, pradyumna dash wrote:
Hi,
I have created 2 groups and modified the ldap.conf file on the client as below:
nss_base_passwd ou=people,dc=example,dc=com?one
nss_base_shadow ou=people,dc=example,dc=com?one
nss_base_group ou=Group,dc=example,dc=com?one
From the client, when I run getent I can see my groups and users, but when I log in as a user and run id it shows me the primary group, not the secondary groups I have added.
Could you please show the DN of the primary and secondary groups and the body of these objects (object classes and attributes)?
WBR
Hi,
Please find the contents as below.
dn: cn=pradyumna,ou=People,dc=example,dc=com
objectClass: person
objectClass: inetOrgPerson
objectClass: posixAccount
cn: pradyumna
uid: pradyumna
sn: dash
structuralObjectClass: inetOrgPerson
entryUUID: c479788c-5b6d-1030-9d75-19f66ff1c84f
creatorsName: cn=manager,dc=example,dc=com
createTimestamp: 20110815093616Z
uidNumber: 507
gidNumber: 100
homeDirectory: /home/pradyumna
loginShell: /bin/bash
userPassword:: e1NTSEF9Q1lrZTVOQTM5ZUppSVlzL1YwbnR2a0pGemQ1ekVxbWQ=
entryCSN: 20110815130355.986136Z#000000#000#000000
modifiersName: cn=Manager,dc=example,dc=com
modifyTimestamp: 20110815130355Z

dn: cn=m3,ou=Group,dc=example,dc=com
objectClass: posixGroup
objectClass: groupOfNames
gidNumber: 100
cn: m3
structuralObjectClass: groupOfNames
entryUUID: 15582474-5b73-1030-9d76-19f66ff1c84f
creatorsName: cn=manager,dc=example,dc=com
createTimestamp: 20110815101419Z
memberUid: pradyumna
member: cn=test,ou=People,dc=example,dc=com
entryCSN: 20110815130141.119665Z#000000#000#000000
modifiersName: cn=manager,dc=example,dc=com
modifyTimestamp: 20110815130141Z
I think this is what you asked for.
Regards, Neo
On Mon, Aug 15, 2011 at 6:36 PM, Dmitriy Kirhlarov dimma@higis.ru wrote:
On 15.08.2011 17:24, pradyumna dash wrote:
Hi,
I have created 2 groups and modified the ldap.conf file on the client as below:
nss_base_passwd ou=people,dc=example,dc=com?one
nss_base_shadow ou=people,dc=example,dc=com?one
nss_base_group ou=Group,dc=example,dc=com?one
From the client, when I run getent I can see my groups and users, but when I log in as a user and run id it shows me the primary group, not the secondary groups I have added.
Could you please show the DN of the primary and secondary groups and the body of these objects (object classes and attributes)?
WBR
Hi.
On 16.08.2011 11:27, pradyumna dash wrote:
dn: cn=pradyumna,ou=People,dc=example,dc=com
It's Ok.
dn: cn=m3,ou=Group,dc=example,dc=com
objectClass: posixGroup
objectClass: groupOfNames
gidNumber: 100
cn: m3
memberUid: pradyumna
member: cn=test,ou=People,dc=example,dc=com
1. This is something strange. For me, it should be:
dn: cn=m3,ou=Group,dc=example,dc=com
objectClass: posixGroup
gidNumber: 100
cn: m3
memberUid: pradyumna
memberUid: test
2. Anyway, this is only one group (one object). Where is the second group from your previous message: "when i login to a user and try id it shows me the primary group not the secondary groups i have added."?
WBR
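Dmitriy's two points about the posted entries (membership carried by groupOfNames "member" rather than memberUid, and only one group object present) can be checked mechanically. The following is an added example, not code from the thread, OpenLDAP or nss_ldap: it parses a trimmed copy of the two entries Pradyumna posted (operational attributes and the password hash dropped), reports what a memberUid-based (RFC 2307) group lookup would give id(1), and flags member values such a lookup never sees. The user entry for "test", the group "m4" and the assumption that the RDN of a member DN equals the account's uid are constructions for the example.

```python
"""
Offline check of the group entries posted in this thread.

Added example, not code from the thread, OpenLDAP or nss_ldap. It parses a
trimmed copy of the posted entries, reports what a memberUid-based (RFC 2307)
nss_ldap group lookup would give id(1), and flags groupOfNames 'member' values
that such a lookup never sees. The 'test' user entry and the 'm4' group are
constructed; the RDN of a member DN is assumed to equal the account's uid.
"""

POSTED_LDIF = """\
dn: cn=pradyumna,ou=People,dc=example,dc=com
objectClass: inetOrgPerson
objectClass: posixAccount
cn: pradyumna
uid: pradyumna
uidNumber: 507
gidNumber: 100
homeDirectory: /home/pradyumna
loginShell: /bin/bash

dn: cn=test,ou=People,dc=example,dc=com
objectClass: inetOrgPerson
objectClass: posixAccount
cn: test
uid: test
uidNumber: 508
gidNumber: 100

dn: cn=m3,ou=Group,dc=example,dc=com
objectClass: posixGroup
objectClass: groupOfNames
gidNumber: 100
cn: m3
memberUid: pradyumna
member: cn=test,ou=People,dc=example,dc=com
"""

# Dmitriy's corrected m3, plus a constructed m4 with its own gidNumber so
# that a genuine supplementary group shows up in the output.
FIXED_LDIF = """\
dn: cn=m3,ou=Group,dc=example,dc=com
objectClass: posixGroup
gidNumber: 100
cn: m3
memberUid: pradyumna
memberUid: test

dn: cn=m4,ou=Group,dc=example,dc=com
objectClass: posixGroup
gidNumber: 101
cn: m4
memberUid: pradyumna
"""


def parse_ldif(text):
    """Minimal LDIF reader: {dn: {attr: [values]}}. Handles neither
    continuation lines nor base64 ('::') values, which the samples avoid."""
    entries, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            current = None                   # blank line ends an entry
            continue
        attr, _, value = line.partition(":")
        value = value.strip()
        if attr == "dn":
            current = entries.setdefault(value, {})
        elif current is not None:
            current.setdefault(attr, []).append(value)
    return entries


def lint_group(attrs):
    """Findings for one group entry, following the thread's advice that
    posixGroup membership is carried by memberUid."""
    findings = []
    oc = attrs.get("objectClass", [])
    if "posixGroup" in oc and "groupOfNames" in oc:
        findings.append("mixes posixGroup with groupOfNames")
    for member_dn in attrs.get("member", []):
        rdn_value = member_dn.split(",")[0].split("=", 1)[1]   # cn=test,... -> test
        if rdn_value not in attrs.get("memberUid", []):
            findings.append("member %s has no matching memberUid" % rdn_value)
    return findings


def id_view(entries, uid):
    """What id(1) derives from these entries: (gid, name of that gid, sorted
    supplementary group names). Only memberUid counts for membership, and a
    group whose gidNumber equals the account's gidNumber is the primary group."""
    user = next(e for e in entries.values()
                if "posixAccount" in e.get("objectClass", []) and uid in e.get("uid", []))
    gid = user["gidNumber"][0]
    groups = [e for e in entries.values() if "posixGroup" in e.get("objectClass", [])]
    primary = next((g["cn"][0] for g in groups if g["gidNumber"][0] == gid), None)
    supplementary = sorted(g["cn"][0] for g in groups
                           if uid in g.get("memberUid", []) and g["gidNumber"][0] != gid)
    return gid, primary, supplementary


def with_fixed_groups(entries):
    """Copy of `entries` with the corrected/extra groups from FIXED_LDIF."""
    merged = dict(entries)
    merged.update(parse_ldif(FIXED_LDIF))
    return merged


if __name__ == "__main__":
    m3 = "cn=m3,ou=Group,dc=example,dc=com"
    for label, entries in (("posted", parse_ldif(POSTED_LDIF)),
                           ("fixed", with_fixed_groups(parse_ldif(POSTED_LDIF)))):
        print(label, "m3 findings:", lint_group(entries[m3]))
        for uid in ("pradyumna", "test"):
            print(label, uid, id_view(entries, uid))
```

Two things fall out of the posted data without any guessing. First, m3 carries gidNumber 100, the same value as pradyumna's own gidNumber, so id resolves m3 as the primary group and there is nothing left to list as supplementary; a secondary group needs a gidNumber of its own, which is what the constructed m4 supplies. Second, "test" is only referenced through the groupOfNames member DN, which the memberUid-based lookup ignores, so with the entries as posted neither account has any supplementary group. A quick way to confirm the same thing on the client is getent group m3, which prints the members nss_ldap actually sees.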
openldap-technical@openldap.org