9:44 a.m.
Hi all,
I have used 'posixGroup' objectClass for creating groups, and
'posixAccount' object class for creating users, which uses 'gidNumber'
property to associate to a specific group (created by posixGroup).
I have to sync LDAP users/groups in Apache Ranger, that uses 'groupOfNames'
object class and 'member/memberof' property in user object. But in
'groupOfNames' objectClass we have to add members at the time of creation
of group.
Is there any way that we can add members to already created groups later on?
1:22 p.m.
Aneela Saleem wrote:
I have used 'posixGroup' objectClass for creating groups,
and
'posixAccount' object class for creating users, which uses 'gidNumber'
property to associate to a specific group (created by posixGroup).
No! This is likeky a big misunderstanding.
The attribute 'gidNumber' in 'posixAccount' entry solely specifies the
*primary* group of a POSIX user account (like in /etc/passwd).
When using traditional 'posixGroup' entries the multi-valued attribute
contains 'memberUID' the usernames of the group members.
I have to sync LDAP users/groups in Apache Ranger, that uses
'groupOfNames'
object class and 'member/memberof' property in user object. But in
'groupOfNames' objectClass we have to add members at the time of creation
of group.
Is there any way that we can add members to already created groups later on?
Yes. With a LDAP modify operation.
Example as LDIF change record:
dn: cn=group 1,dc=example,dc=com
changetype: modify
add: member
member: uid=user1,dc=example,dc=com
-
Similar for removing group membership etc.
Ciao, Michael.
1:38 p.m.
Michael Ströder wrote:
Aneela Saleem wrote:
> I have used 'posixGroup' objectClass for creating groups, and
> 'posixAccount' object class for creating users, which uses
'gidNumber'
> property to associate to a specific group (created by posixGroup).
No! This is likeky a big misunderstanding.
The attribute 'gidNumber' in 'posixAccount' entry solely specifies the
*primary* group of a POSIX user account (like in /etc/passwd).
When using traditional 'posixGroup' entries the multi-valued attribute
contains 'memberUID' the usernames of the group members.
> I have to sync LDAP users/groups in Apache Ranger, that uses 'groupOfNames'
> object class and 'member/memberof' property in user object. But in
> 'groupOfNames' objectClass we have to add members at the time of creation
> of group.
>
> Is there any way that we can add members to already created groups later on?
Yes. With a LDAP modify operation.
You missed the actual question.
groupOfNames REQUIRES the member attribute, therefore it's not possible to
create an empty group and add members to it later.
There ought to be an FAQ article for this.
--
-- Howard Chu
CTO, Symas Corp. http://www.symas.com
Director, Highland Sun http://highlandsun.com/hyc/
Chief Architect, OpenLDAP http://www.openldap.org/project/
1:42 p.m.
Howard Chu wrote:
groupOfNames REQUIRES the member attribute, therefore it's not
possible to
create an empty group and add members to it later.
Ah, ok. Hmm, there might be more questions though...
There ought to be an FAQ article for this.
Or rather ietf-ldapext *WG* should make progress with
draft-findlay-ldap-groupofentries... ;-)
Ciao, Michael.
1:46 p.m.
So which objectClass best suits for this situation?
On Fri, Aug 7, 2015 at 1:42 AM, Michael Ströder <michael(a)stroeder.com>
wrote:
Howard Chu wrote:
> groupOfNames REQUIRES the member attribute, therefore it's not possible
to
> create an empty group and add members to it later.
Ah, ok. Hmm, there might be more questions though...
> There ought to be an FAQ article for this.
Or rather ietf-ldapext *WG* should make progress with
draft-findlay-ldap-groupofentries... ;-)
Ciao, Michael.
7:54 a.m.
On Fri, Aug 07, 2015 at 01:46:42AM +0500, Aneela Saleem wrote:
So which objectClass best suits for this situation?
If you want to have groups that are easy to adminster and are capable
of being empty then you should consider groupOfEntries. A quick scan
through the Apache Ranger docs suggests that you can configure the
group class and group search so this may well work. You will need to
add the groupOfEntries class to your LDAP server schema as it is not
likely to be there by default.
On Fri, Aug 7, 2015 at 1:42 AM, Michael Ströder
<michael(a)stroeder.com> wrote:
Or rather ietf-ldapext *WG* should make progress with
draft-findlay-ldap-groupofentries... ;-)
You can use the class defined in that draft even if IETF don't
officially endorse it. Copy attached to this message.
Andrew
--
-----------------------------------------------------------------------
| From Andrew Findlay, Skills 1st Ltd |
| Consultant in large-scale systems, networks, and directory services |
| http://www.skills-1st.co.uk/ +44 1628 782565 |
-----------------------------------------------------------------------
9:32 a.m.
Andrew Findlay wrote:
> On Fri, Aug 7, 2015 at 1:42 AM, Michael Ströder
<michael(a)stroeder.com> wrote:
> Or rather ietf-ldapext *WG* should make progress with
> draft-findlay-ldap-groupofentries... ;-)
You can use the class defined in that draft even if IETF don't
officially endorse it.
Yes, of course.
Copy attached to this message.
Attached the normal OpenLDAP .schema file for it.
Ciao, Michael.
2781
days inactive
2788
days old
openldap-technical@openldap.org
6 comments
4 participants
participants (4)
-
Andrew Findlay -
Aneela Saleem -
Howard Chu -
Michael Ströder