Hi all,
I have used 'posixGroup' objectClass for creating groups, and 'posixAccount' object class for creating users, which uses 'gidNumber' property to associate to a specific group (created by posixGroup).
I have to sync LDAP users/groups in Apache Ranger, which uses the 'groupOfNames' object class and the 'member/memberOf' property in the user object. But in the 'groupOfNames' objectClass we have to add members at the time the group is created.
Is there any way that we can add members to already created groups later on?
Aneela Saleem wrote:
I have used 'posixGroup' objectClass for creating groups, and 'posixAccount' object class for creating users, which uses 'gidNumber' property to associate to a specific group (created by posixGroup).
No! This is likely a big misunderstanding.
The attribute 'gidNumber' in a 'posixAccount' entry solely specifies the *primary* group of a POSIX user account (like in /etc/passwd).
When using traditional 'posixGroup' entries, the multi-valued attribute 'memberUID' contains the usernames of the group members.
I have to sync LDAP users/groups in Apache Ranger, which uses the 'groupOfNames' object class and the 'member/memberOf' property in the user object. But in the 'groupOfNames' objectClass we have to add members at the time the group is created.
Is there any way that we can add members to already created groups later on?
Yes. With an LDAP modify operation.
Example as LDIF change record:
dn: cn=group 1,dc=example,dc=com
changetype: modify
add: member
member: uid=user1,dc=example,dc=com
-
Similar for removing group membership etc.
Ciao, Michael.
Michael Ströder wrote:
Aneela Saleem wrote:
I have used 'posixGroup' objectClass for creating groups, and 'posixAccount' object class for creating users, which uses 'gidNumber' property to associate to a specific group (created by posixGroup).
No! This is likely a big misunderstanding.
The attribute 'gidNumber' in a 'posixAccount' entry solely specifies the *primary* group of a POSIX user account (like in /etc/passwd).
When using traditional 'posixGroup' entries, the multi-valued attribute 'memberUID' contains the usernames of the group members.
I have to sync LDAP users/groups in Apache Ranger, which uses the 'groupOfNames' object class and the 'member/memberOf' property in the user object. But in the 'groupOfNames' objectClass we have to add members at the time the group is created.
Is there any way that we can add members to already created groups later on?
Yes. With an LDAP modify operation.
You missed the actual question.
groupOfNames REQUIRES the member attribute, therefore it's not possible to create an empty group and add members to it later.
There ought to be an FAQ article for this.
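The two points made so far, the LDIF change record Michael posted and the 'member' MUST constraint Howard points out, can be put together in a small script. The following is an added example written for this thread, not code from any of the posters or from the OpenLDAP project: it emits RFC 2849 'changetype: modify' records for adding and removing group members, and refuses a change that would leave a groupOfNames (or groupOfUniqueNames) entry with no member value, while allowing it for groupOfEntries, whose 'member' is MAY in draft-findlay-ldap-groupofentries. The group DN and member DNs are constructed sample values; the class table is the only thing the script knows about schema, so it does not replace the server's own schema checking.

```python
import base64

# Which group classes require a member-type attribute (MUST) and which
# attribute carries the members. groupOfNames/groupOfUniqueNames follow
# RFC 4519; groupOfEntries follows draft-findlay-ldap-groupofentries,
# where 'member' is MAY, so the group may be empty.
GROUP_CLASSES = {
    "groupOfNames": ("member", True),
    "groupOfUniqueNames": ("uniqueMember", True),
    "groupOfEntries": ("member", False),
}


def ldif_line(attr, value):
    """Format one 'attr: value' line as RFC 2849 requires.

    A value that is not a SAFE-STRING (non-ASCII, or starting with space,
    ':' or '<', or containing NUL/CR/LF) is written base64-encoded after
    '::'. Lines over 76 characters are folded; continuation lines start
    with a single space.
    """
    unsafe = (
        not value.isascii()
        or value[:1] in (" ", ":", "<")
        or any(c in value for c in "\0\r\n")
    )
    if unsafe:
        encoded = base64.b64encode(value.encode("utf-8")).decode("ascii")
        line = f"{attr}:: {encoded}"
    else:
        line = f"{attr}: {value}"
    folded = [line[:76]]
    rest = line[76:]
    while rest:
        folded.append(" " + rest[:75])
        rest = rest[75:]
    return "\n".join(folded)


def membership_change(group_dn, object_class, current_members, add=(), delete=()):
    """Return an LDIF 'changetype: modify' record that adds and/or removes
    members of group_dn, or raise ValueError when the resulting entry would
    violate the object class (e.g. a groupOfNames left with no member).

    current_members is the group's present member list; it is used for the
    MUST check and to skip values that would be no-ops (adding an existing
    value or deleting a missing one gives an LDAP error). DNs are compared
    as exact strings here; a real directory compares normalised DNs.
    """
    if object_class not in GROUP_CLASSES:
        raise ValueError(f"unknown group class {object_class!r}")
    attr, member_required = GROUP_CLASSES[object_class]
    present = set(current_members)
    to_add = [dn for dn in add if dn not in present]
    to_delete = [dn for dn in delete if dn in present]
    remaining = (present | set(to_add)) - set(to_delete)
    if member_required and not remaining:
        raise ValueError(
            f"{object_class} requires at least one {attr} value; "
            "use groupOfEntries if the group must be allowed to be empty"
        )
    if not to_add and not to_delete:
        return ""  # nothing to change
    lines = [ldif_line("dn", group_dn), "changetype: modify"]
    if to_add:
        lines.append(f"add: {attr}")
        lines.extend(ldif_line(attr, dn) for dn in to_add)
        lines.append("-")
    if to_delete:
        lines.append(f"delete: {attr}")
        lines.extend(ldif_line(attr, dn) for dn in to_delete)
        lines.append("-")
    return "\n".join(lines) + "\n"


def can_be_empty(object_class):
    """True if an entry of this class may exist without any member value."""
    return not GROUP_CLASSES[object_class][1]


if __name__ == "__main__":
    # Constructed sample DNs, matching the ones used in the thread.
    group = "cn=group 1,dc=example,dc=com"
    admin = "uid=admin,dc=example,dc=com"
    print(membership_change(group, "groupOfNames", [admin],
                            add=["uid=user1,dc=example,dc=com"]))
    try:
        membership_change(group, "groupOfNames", [admin], delete=[admin])
    except ValueError as err:
        print("refused:", err)
    # Same removal is fine for groupOfEntries, which may be empty.
    print(membership_change(group, "groupOfEntries", [admin], delete=[admin]))
```

The output records can be fed to ldapmodify as-is. The refusal branch only reproduces what the server would do anyway (an objectClassViolation on the last delete); its value is that an identity-sync job can report the schema problem before it starts issuing modifications.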
Howard Chu wrote:
groupOfNames REQUIRES the member attribute, therefore it's not possible to create an empty group and add members to it later.
Ah, ok. Hmm, there might be more questions though...
There ought to be an FAQ article for this.
Or rather ietf-ldapext *WG* should make progress with draft-findlay-ldap-groupofentries... ;-)
Ciao, Michael.
So which objectClass best suits for this situation?
On Fri, Aug 7, 2015 at 1:42 AM, Michael Ströder michael@stroeder.com wrote:
Howard Chu wrote:
groupOfNames REQUIRES the member attribute, therefore it's not possible to create an empty group and add members to it later.
Ah, ok. Hmm, there might be more questions though...
There ought to be an FAQ article for this.
Or rather ietf-ldapext *WG* should make progress with draft-findlay-ldap-groupofentries... ;-)
Ciao, Michael.
On Fri, Aug 07, 2015 at 01:46:42AM +0500, Aneela Saleem wrote:
So which objectClass best suits for this situation?
If you want to have groups that are easy to administer and are capable of being empty then you should consider groupOfEntries. A quick scan through the Apache Ranger docs suggests that you can configure the group class and group search so this may well work. You will need to add the groupOfEntries class to your LDAP server schema as it is not likely to be there by default.
On Fri, Aug 7, 2015 at 1:42 AM, Michael Ströder michael@stroeder.com wrote:
Or rather ietf-ldapext *WG* should make progress with draft-findlay-ldap-groupofentries... ;-)
You can use the class defined in that draft even if IETF don't officially endorse it. Copy attached to this message.
Andrew
Andrew Findlay wrote:
On Fri, Aug 7, 2015 at 1:42 AM, Michael Ströder michael@stroeder.com wrote:
Or rather ietf-ldapext *WG* should make progress with draft-findlay-ldap-groupofentries... ;-)
You can use the class defined in that draft even if IETF don't officially endorse it.
Yes, of course.
Copy attached to this message.
Attached the normal OpenLDAP .schema file for it.
Ciao, Michael.
openldap-technical@openldap.org