ldapsearch -x -b dc=myinstitute,dc=edu uid=user1 gidnumber
gives me gidnumber=1234
I then tried,
ldapsearch -x -b dc=myinstitute,dc=edu "(&(objectclass=groupofnames)(gidnumber=1234))"
intending to find out the name of the group, but I got nothing.

Thanks
Jun

The information contained in this e-mail message may be privileged, confidential, and/or protected from disclosure. This e-mail message may contain protected health information (PHI); dissemination of PHI should comply with applicable federal and state laws. If you are not the intended recipient, or an authorized representative of the intended recipient, any further review, disclosure, use, dissemination, distribution, or copying of this message or any attachment (or the information contained therein) is strictly prohibited. If you think that you have received this e-mail message in error, please notify the sender by return e-mail and delete all references to it and its contents from your systems.
On Tue, Jan 03, 2017 at 08:57:59PM +0000, Zhang,Jun wrote:
> ldapsearch -x -b dc=myinstitute,dc=edu uid=user1 gidnumber
> gives me gidnumber=1234
> I then tried,
> ldapsearch -x -b dc=myinstitute,dc=edu "(&(objectclass=groupofnames)(gidnumber=1234))"
> intending to find out the name of the group, but I got nothing.

Did the DN in your first search have a 'groupofnames' objectclass?

> Thanks
> Jun
On Tuesday, 03 January 2017 21:45 CET, Brian Reichert <reichert@numachi.com> wrote:
> On Tue, Jan 03, 2017 at 08:57:59PM +0000, Zhang,Jun wrote:
> > ldapsearch -x -b dc=myinstitute,dc=edu uid=user1 gidnumber
> > gives me gidnumber=1234
> > I then tried,
> > ldapsearch -x -b dc=myinstitute,dc=edu "(&(objectclass=groupofnames)(gidnumber=1234))"
> > intending to find out the name of the group, but I got nothing.
>
> Did the DN in your first search have a 'groupofnames' objectclass?

Furthermore - are you sure you want to search for groupofnames and not posixgroup? Group ID numbers are usually used with POSIX groups and since both posixgroup and groupofnames are structural groups they can't mix. It's actually pretty unlikely that your server holds groupofnames with a numeric group id.

HTH
Ralf Mattes

> > Thanks
> > Jun
>
> --
> Brian Reichert <reichert@numachi.com>
> BSD admin/developer at large
Ralf Mattes wrote:
> Furthermore - are you sure you want to search for groupofnames and not posixgroup? Group ID numbers are usually used with POSIX groups and since both posixgroup and groupofnames are structural groups they can't mix. It's actually pretty unlikely that your server holds groupofnames with a numeric group id.

Note that there's RFC2307bis [1] which uses groupOfNames as STRUCTURAL object class and posixGroup as supplement AUXILIARY object class. Some NSS/LDAP clients can use this schema.

In Æ-DIR I use multiple inheritance for the 'aeGroup' [2] STRUCTURAL object class to combine groupOfEntries (which permits empty groups) and classic posixGroup for backward compatibility with NSS/LDAP clients which are only capable of using 'memberUID' as member attribute. Furthermore slapo-constraint ensures that attribute value sets of 'member' and 'memberUID' are in sync.

( 1.3.6.1.4.1.5427.1.389.100.6.1
  NAME 'aeGroup'
  DESC 'AE-DIR: Group entry'
  SUP ( groupOfEntries $ posixGroup $ groupOfURLs $ aeObject )
  STRUCTURAL
  MUST description
  MAY aeDept )

Multiple object class inheritance is not possible with all LDAP servers (e.g. not possible with 389-DS).

Ciao, Michael.

[1] https://tools.ietf.org/html/draft-howard-rfc2307bis#section-4
Good knowledge.
-----Original Message-----
From: openldap-technical [mailto:openldap-technical-bounces@openldap.org] On Behalf Of Michael Ströder
Sent: Tuesday, January 03, 2017 3:51 PM
To: Ralf Mattes
Cc: openldap-technical@openldap.org
Subject: Re: ldapsearch filter question

Ralf Mattes wrote:
> Furthermore - are you sure you want to search for groupofnames and not posixgroup? Group ID numbers are usually used with POSIX groups and since both posixgroup and groupofnames are structural groups they can't mix. It's actually pretty unlikely that your server holds groupofnames with a numeric group id.

Note that there's RFC2307bis [1] which uses groupOfNames as STRUCTURAL object class and posixGroup as supplement AUXILIARY object class. Some NSS/LDAP clients can use this schema.

In Æ-DIR I use multiple inheritance for the 'aeGroup' [2] STRUCTURAL object class to combine groupOfEntries (which permits empty groups) and classic posixGroup for backward compatibility with NSS/LDAP clients which are only capable of using 'memberUID' as member attribute. Furthermore slapo-constraint ensures that attribute value sets of 'member' and 'memberUID' are in sync.

( 1.3.6.1.4.1.5427.1.389.100.6.1
  NAME 'aeGroup'
  DESC 'AE-DIR: Group entry'
  SUP ( groupOfEntries $ posixGroup $ groupOfURLs $ aeObject )
  STRUCTURAL
  MUST description
  MAY aeDept )

Multiple object class inheritance is not possible with all LDAP servers (e.g. not possible with 389-DS).

Ciao, Michael.

[1] https://tools.ietf.org/html/draft-howard-rfc2307bis#section-4
[2] https://www.ae-dir.com/docs.html#schema-oc-aeGroup
I'm working on openldap proxy to AD, gidnumber is assigned for Linux client, by the AD admin. I saw groupofnames objectclass actually only in openldap. I tried it blindly without thinking both sides and the mapping in between first. What you said is true.
-----Original Message-----
From: Ralf Mattes [mailto:rm@mh-freiburg.de]
Sent: Tuesday, January 03, 2017 3:31 PM
To: Brian Reichert
Cc: Zhang,Jun; openldap-technical@openldap.org
Subject: Re: ldapsearch filter question

On Tuesday, 03 January 2017 21:45 CET, Brian Reichert <reichert@numachi.com> wrote:
> On Tue, Jan 03, 2017 at 08:57:59PM +0000, Zhang,Jun wrote:
> > ldapsearch -x -b dc=myinstitute,dc=edu uid=user1 gidnumber
> > gives me gidnumber=1234
> > I then tried,
> > ldapsearch -x -b dc=myinstitute,dc=edu "(&(objectclass=groupofnames)(gidnumber=1234))"
> > intending to find out the name of the group, but I got nothing.
>
> Did the DN in your first search have a 'groupofnames' objectclass?

Furthermore - are you sure you want to search for groupofnames and not posixgroup? Group ID numbers are usually used with POSIX groups and since both posixgroup and groupofnames are structural groups they can't mix. It's actually pretty unlikely that your server holds groupofnames with a numeric group id.

HTH
Ralf Mattes

> > Thanks
> > Jun
>
> --
> Brian Reichert <reichert@numachi.com>
> BSD admin/developer at large
I searched in the ARS and found that "group" is the object class, besides "top", and my search got result.
-----Original Message-----
From: Brian Reichert [mailto:reichert@numachi.com]
Sent: Tuesday, January 03, 2017 2:45 PM
To: Zhang,Jun
Cc: openldap-technical@openldap.org
Subject: Re: ldapsearch filter question

On Tue, Jan 03, 2017 at 08:57:59PM +0000, Zhang,Jun wrote:
> ldapsearch -x -b dc=myinstitute,dc=edu uid=user1 gidnumber
> gives me gidnumber=1234
> I then tried,
> ldapsearch -x -b dc=myinstitute,dc=edu "(&(objectclass=groupofnames)(gidnumber=1234))"
> intending to find out the name of the group, but I got nothing.

Did the DN in your first search have a 'groupofnames' objectclass?

> Thanks
> Jun
Yes, I'm working on the Linux side.
-----Original Message-----
From: Michael Ströder [mailto:michael@stroeder.com]
Sent: Tuesday, January 03, 2017 3:57 PM
To: Zhang,Jun
Cc: openldap-technical@openldap.org
Subject: Re: ldapsearch filter question

Zhang,Jun wrote:
> I searched in the ARS and found that "group" is the object class, besides "top", and my search got result.

This sounds like MS Active Directory.

Ciao, Michael.
openldap-technical@openldap.org
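
Added example, not part of the original thread or of any poster's code: a Python filter evaluator run over constructed group entries in the three schema styles the thread mentions (RFC 2307 posixGroup, RFC2307bis groupOfNames plus posixGroup, and the "group" class reported for Active Directory), showing which directories the groupofnames filter can match. The entries, the `staff` group name and all function names are assumptions; only a subset of the RFC 4515 filter syntax is parsed (no escapes or substrings) and every comparison is case-insensitive.

```python
USER_DN = "uid=user1,ou=people,dc=myinstitute,dc=edu"  # constructed sample data

def group(*classes, **attrs):
    """Constructed group entry 'staff' with gidNumber 1234 (hypothetical helper)."""
    entry = {"objectClass": ["top", *classes], "cn": ["staff"], "gidNumber": ["1234"], **attrs}
    return ("cn=staff,ou=groups,dc=myinstitute,dc=edu", entry)

# One constructed directory per schema style named in the thread.
DIRECTORIES = {
    "rfc2307": [group("posixGroup", memberUid=["user1"])],
    "rfc2307bis": [group("groupOfNames", "posixGroup", member=[USER_DN])],
    "active_directory": [group("group", member=[USER_DN])],
}

def parse(flt, i=0):
    """Parse a subset of RFC 4515: (&...), (|...), (!...), (attr=value), (attr=*)."""
    if flt[i:i + 1] != "(":
        raise ValueError("expected '(' at offset %d" % i)
    i += 1
    if flt[i:i + 1] in ("&", "|", "!"):
        op, i, kids = flt[i], i + 1, []
        while flt[i:i + 1] == "(":
            kid, i = parse(flt, i)
            kids.append(kid)
        if flt[i:i + 1] != ")" or not kids:
            raise ValueError("malformed %s filter" % op)
        return (op, kids), i + 1
    end = flt.find(")", i)
    attr, eq, value = flt[i:end].partition("=")
    if end < 0 or not eq or not attr:
        raise ValueError("malformed comparison at offset %d" % i)
    return ("=", attr.lower(), value.lower()), end + 1

def matches(node, attrs):
    """Evaluate a parsed filter; attribute names and values compare case-insensitively."""
    if node[0] in "&|":
        results = [matches(kid, attrs) for kid in node[1]]
        return all(results) if node[0] == "&" else any(results)
    if node[0] == "!":
        return not matches(node[1][0], attrs)
    values = [v.lower() for k, vs in attrs.items() if k.lower() == node[1] for v in vs]
    return bool(values) if node[2] == "*" else node[2] in values

def group_names(style, flt):
    """Return the cn of every entry in the named sample directory that matches flt."""
    tree, end = parse(flt)
    if end != len(flt):
        raise ValueError("trailing data after filter")
    return [attrs["cn"][0] for _dn, attrs in DIRECTORIES[style] if matches(tree, attrs)]
```

Against a real server, reading the objectClass values of a known group entry first tells you which class to put in the filter.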