Hi,
I'm having a problem dealing with usermod and groups stored on my OpenLDAP 2.3 server.
When I try to change the supplementary groups of a user, I do:
vmlx-jboss-desa:/home # usermod -D 'cn=admin,dc=vmlx-ldapauth-test,dc=in.iantel.com.uy' -G mysql okossuth
Enter LDAP Password:
LDAP information update failed: Object class violation
usermod: User not added to LDAP group `mysql'.
vmlx-jboss-desa:/home #
I looked into the log of my LDAP server and saw this error:
Feb 17 17:17:07 vmlx-ldapauth-test slapd[2800]: bdb_modify: cn=mysql,ou=Grupos,ou=Teleinformatica,dc=vmlx-ldapauth-test,dc=in.iantel.com.uy
Feb 17 17:17:07 vmlx-ldapauth-test slapd[2800]: bdb_modify_internal: add member
Feb 17 17:17:07 vmlx-ldapauth-test slapd[2800]: bdb_modify_internal: replace entryCSN
Feb 17 17:17:07 vmlx-ldapauth-test slapd[2800]: bdb_modify_internal: replace modifiersName
Feb 17 17:17:07 vmlx-ldapauth-test slapd[2800]: bdb_modify_internal: replace modifyTimestamp
Feb 17 17:17:07 vmlx-ldapauth-test slapd[2800]: Entry (cn=mysql,ou=Grupos,ou=Teleinformatica,dc=vmlx-ldapauth-test,dc=in.iantel.com.uy), attribute 'member' not allowed
Feb 17 17:17:07 vmlx-ldapauth-test slapd[2800]: entry failed schema check: attribute 'member' not allowed
Feb 17 17:17:07 vmlx-ldapauth-test slapd[2800]: send_ldap_result: err=65 matched="" text="attribute 'member' not allowed"
Feb 17 17:17:07 vmlx-ldapauth-test slapd[2800]: connection_get(40)
Feb 17 17:17:07 vmlx-ldapauth-test slapd[2800]: connection_get(35)
The groups that I have created on the LDAP server don't have the member attribute, only memberUid...
Any ideas on how to solve this problem with usermod?
Thanks.
Regards,
Oskar Kossuth, UNIX Administrator, ANTEL Telecomunicaciones
This e-mail and any attachment is confidential and is intended solely for the addressee(s). If you are not the intended recipient please inform the sender immediately, answering this e-mail and delete it as well as the attached files. Any use, circulation or copy of this e-mail by any person or entity that is not the specific addressee(s) is prohibited. ANTEL is not responsible for any communication emitted without respecting our Information Security Policy.
okossuth@antel.com.uy wrote:
Feb 17 17:17:07 vmlx-ldapauth-test slapd[2800]: Entry (cn=mysql,ou=Grupos,ou=Teleinformatica,dc=vmlx-ldapauth-test,dc=in.iantel.com.uy), attribute 'member' not allowed
Likely your group entry is not made of object class 'groupOfNames' but the client tool you're using assumes this. If the group entry is of the object class needed for other LDAP applications I'd recommend to use another tool to manipulate the group entry.
Without further information more hints are not possible.
Ciao, Michael.
I'm using phpldapadmin 1.0.1 to modify LDAP entries... The thing is, is phpldapadmin too old? What kind of attribute is used for group handling, member or memberUid?
Thanks
Regards,
Oskar Kossuth, UNIX Administrator, ANTEL Telecomunicaciones
-----Original Message----- From: openldap-technical-bounces+okossuth=antel.com.uy@OpenLDAP.org [mailto:openldap-technical-bounces+okossuth=antel.com.uy@OpenLDAP.org] On behalf of Michael Ströder Sent: Wednesday, February 18, 2009 8:03 AM To: Kossuth Espinosa, Oskar CC: openldap-technical@openldap.org Subject: Re: Usermod problems with ldap
okossuth@antel.com.uy wrote:
What kind of attribute is used for group handling, member or memberUid?
It depends on the object class of the group entry.
groupOfNames -> member (containing DN of member entry)
posixGroup -> memberUid (containing uid value of member entry)
Ciao, Michael.
Is it possible to have both groupOfNames and posixGroup for a group entry?
Regards,
Oskar Kossuth, UNIX Administrator, ANTEL Telecomunicaciones
-----Original Message----- From: Michael Ströder [mailto:michael@stroeder.com] Sent: Wednesday, February 18, 2009 11:09 AM To: Kossuth Espinosa, Oskar CC: openldap-technical@openldap.org Subject: Re: Usermod problems with ldap
okossuth@antel.com.uy wrote:
Is it possible to have both groupOfNames and posixGroup for a group entry?
No, both are STRUCTURAL. And an entry can have only one STRUCTURAL object class. See also: http://www.openldap.org/faq/data/cache/883.html
Also note that actually the LDAP clients determine a user's group membership. You have to clarify whether they are using one or the other.
Ciao, Michael.
OK, you are correct, but if I use rfc2307bis.schema I can have groupOfNames as structural and posixGroup as auxiliary, to be able to use the member and memberUid attributes.
Before, I was using nis.schema; now I use rfc2307bis.schema and the usermod command worked. But the id command doesn't show groups stored in LDAP that use only the member attribute of a groupOfNames group entry... Any ideas?
Regards,
Oskar Kossuth, UNIX Administrator, ANTEL Telecomunicaciones
-----Original Message----- From: Michael Ströder [mailto:michael@stroeder.com] Sent: Wednesday, February 18, 2009 12:25 PM To: Kossuth Espinosa, Oskar CC: openldap-technical@openldap.org Subject: Re: Usermod problems with ldap
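The two failures discussed so far (the "attribute 'member' not allowed" error under nis.schema, and the one-STRUCTURAL-class rule that forbids groupOfNames plus posixGroup there) and the reason rfc2307bis.schema fixes both can be reproduced with a small model of slapd's schema check. This is an added example, not code from the thread or from OpenLDAP; the schema tables are abbreviated to the attributes that matter here, the DN suffix is constructed, and the error strings only approximate slapd's wording.

```python
# Added example (not OpenLDAP code): a reduced model of slapd's entry schema
# check for group entries under the two schemas discussed in the thread.
# Each object class is reduced to (kind, allowed attributes). The attribute
# sets are abbreviated; the real schema files allow more (e.g. userPassword).
SCHEMAS = {
    "nis.schema": {
        "top":          ("ABSTRACT",   set()),
        "groupOfNames": ("STRUCTURAL", {"cn", "member", "description"}),
        "posixGroup":   ("STRUCTURAL", {"cn", "gidNumber", "memberUid", "description"}),
    },
    # rfc2307bis.schema makes posixGroup AUXILIARY, so it can be stacked on a
    # groupOfNames entry and the entry may carry both member and memberUid.
    "rfc2307bis.schema": {
        "top":          ("ABSTRACT",   set()),
        "groupOfNames": ("STRUCTURAL", {"cn", "member", "description"}),
        "posixGroup":   ("AUXILIARY",  {"cn", "gidNumber", "memberUid", "description"}),
    },
}


def schema_check(entry, schema_name):
    """Return None if the entry passes the schema, else an error string.

    entry: dict attribute -> list of values, including "objectClass".
    Mirrors the order slapd uses: structural chain first, then attributes.
    """
    schema = SCHEMAS[schema_name]
    structural, allowed = [], {"objectClass"}
    for oc in entry.get("objectClass", []):
        if oc not in schema:
            return f"objectClass '{oc}' unknown"
        kind, attrs = schema[oc]
        if kind == "STRUCTURAL":
            structural.append(oc)
        allowed |= attrs
    if len(structural) > 1:
        # Two unrelated STRUCTURAL classes on one entry is a schema violation.
        return "invalid structural object class chain (%s/%s)" % (structural[0], structural[1])
    if not structural:
        return "no structural object class provided"
    for attr in entry:
        if attr not in allowed:
            return f"attribute '{attr}' not allowed"
    return None


def demo():
    """Run the thread's scenarios; constructed sample DN suffix."""
    group = {"objectClass": ["top", "posixGroup"], "cn": ["mysql"],
             "gidNumber": ["1001"], "memberUid": ["okossuth"]}
    # What usermod attempted: add 'member' to a posixGroup-only entry.
    with_member = dict(group, member=["uid=okossuth,ou=People,dc=example,dc=org"])
    # Both object classes on one entry, member and memberUid present.
    both = dict(with_member, objectClass=["top", "groupOfNames", "posixGroup"])
    return {
        "posixGroup_nis": schema_check(group, "nis.schema"),
        "posixGroup_plus_member_nis": schema_check(with_member, "nis.schema"),
        "both_nis": schema_check(both, "nis.schema"),
        "both_rfc2307bis": schema_check(both, "rfc2307bis.schema"),
    }


if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name}: {result or 'ok'}")
```

The check runs the structural-chain test before the attribute test, which is why under nis.schema the combined entry fails on the object classes and never reaches the attribute stage, while the posixGroup-only entry with a member value fails exactly as the slapd log in the first message shows.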
okossuth@antel.com.uy wrote:
OK, you are correct, but if I use rfc2307bis.schema I can have groupOfNames as structural and posixGroup as auxiliary, to be able to use the member and memberUid attributes.
Yes, but you have to maintain both attributes (member sets) separately. With my web2ldap you can do it at once.
Before, I was using nis.schema; now I use rfc2307bis.schema and the usermod command worked. But the id command doesn't show groups stored in LDAP that use only the member attribute of a groupOfNames group entry... Any ideas?
You should look into your logs what the nss_ldap implementation you're using is really looking for.
Ciao, Michael.
OK, I have seen in the logs that usermod uses the member attribute when trying to update the supplementary groups of a user, and id uses the memberUid attribute when searching for info on a user. How on earth can I use both commands without having to use group entries with both member and memberUid attributes? BTW, I'm using SUSE LES 10 SP2.
Regards,
Oskar Kossuth, UNIX Administrator, ANTEL Telecomunicaciones
-----Original Message----- From: Michael Ströder [mailto:michael@stroeder.com] Sent: Wednesday, February 18, 2009 3:15 PM To: Kossuth Espinosa, Oskar CC: openldap-technical@openldap.org Subject: Re: Usermod problems with ldap
okossuth@antel.com.uy wrote:
OK, I have seen in the logs that usermod uses the member attribute when trying to update the supplementary groups of a user, and id uses the memberUid attribute when searching for info on a user.
I suspected that.
How on earth can I use both commands without having to use group entries with both member and memberUid attributes?
Use the right LDAP client tool to correctly maintain the posixGroup entries.
Ciao, Michael.
OK, so you are telling me not to use usermod at all and just do the modifications with an LDAP client tool like phpldapadmin?
Regards,
Oskar Kossuth, UNIX Administrator, ANTEL Telecomunicaciones
-----Original Message----- From: Michael Ströder [mailto:michael@stroeder.com] Sent: Wednesday, February 18, 2009 4:43 PM To: Kossuth Espinosa, Oskar CC: openldap-technical@openldap.org Subject: Re: Usermod problems with ldap
okossuth@antel.com.uy wrote:
OK, so you are telling me not to use usermod at all and just do the modifications with an LDAP client tool like phpldapadmin?
Yes, if the LDAP client tool manages the right attribute. I don't know phpldapadmin in detail.
This default configuration for group maintenance is in the standard source distribution of web2ldap:
# The definitions for group entry administration
groupadm_defs={
  'groupOfNames': ('member',None),
  'groupOfUniqueNames': ('uniqueMember',None),
  'organizationalRole': ('roleOccupant',None),
  'rfc822MailGroup': ('mail','mail'),
  'nisMailAlias': ('rfc822MailMember','mail'),
  'mailGroup': ('mgrprfc822mailmember','mail'),
  # Found on IBM SecureWay Directory
  'accessGroup': ('member',None),
  # RFC2370
  'posixGroup': ('memberUid','uid'),
  'nisNetgroup': ('memberNisNetgroup','uid'),
  # Samba 3.0
  'sambaGroupMapping': ('sambaSID','sambaSID'),
  # Active Directory
  'group': ('member',None),
  # draft-findlay-ldap-groupofentries
  'groupOfEntries': ('member',None),
}
I think you get the idea. It can be customized for particular LDAP target servers or name spaces to meet your needs. Being the author of web2ldap I'm biased, of course.
Ciao, Michael.
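Two points in this exchange lend themselves to working code: Michael's remark that on an rfc2307bis group carrying both object classes the member and memberUid sets must be maintained separately (with usermod writing only member and nss_ldap/id reading only memberUid, the two drift apart), and the groupadm_defs mapping above, which tells a tool which membership attribute each object class uses and whether it stores a DN or a user attribute. The example below is added here and is not web2ldap's code: it uses a mapping in the same shape to build the LDAP modify that adds a user to every membership attribute a group entry has, and audits an existing group for drift between member and memberUid. The DNs, group and user entries are constructed sample data; the function names are this example's own.

```python
# Added example (not web2ldap code). Mapping in the shape of web2ldap's
# groupadm_defs: object class -> (membership attribute, user attribute that
# supplies the value, or None when the member's DN is stored).
GROUPADM_DEFS = {
    "groupOfNames":       ("member", None),
    "groupOfUniqueNames": ("uniqueMember", None),
    "posixGroup":         ("memberUid", "uid"),
}

# Constructed sample directory data (not the poster's tree).
PEOPLE = "ou=People,dc=example,dc=org"
OKOSSUTH_DN = f"uid=okossuth,{PEOPLE}"
ALICE_DN = f"uid=alice,{PEOPLE}"
USERS = {OKOSSUTH_DN: {"uid": ["okossuth"]}, ALICE_DN: {"uid": ["alice"]}}
MYSQL_GROUP_DN = "cn=mysql,ou=Groups,dc=example,dc=org"
# An rfc2307bis-style group whose two member sets have already drifted:
# 'bob' is in memberUid but has no member DN.
MYSQL_GROUP = {
    "objectClass": ["top", "groupOfNames", "posixGroup"],
    "cn": ["mysql"],
    "gidNumber": ["1001"],
    "member": [ALICE_DN],
    "memberUid": ["alice", "bob"],
}


def membership_attrs(group_entry):
    """(attribute, user_attr) for each object class of the group the mapping knows."""
    return [GROUPADM_DEFS[oc] for oc in group_entry.get("objectClass", [])
            if oc in GROUPADM_DEFS]


def add_user_mods(group_entry, user_dn, user_entry):
    """Modify operations, as (op, attr, values), adding one user to every
    membership attribute the group carries; attributes already holding the
    value are skipped so the result is idempotent."""
    mods = []
    for attr, user_attr in membership_attrs(group_entry):
        value = user_dn if user_attr is None else user_entry[user_attr][0]
        if value not in group_entry.get(attr, []):
            mods.append(("add", attr, [value]))
    return mods


def to_ldif(dn, mods):
    """Render modify operations as an LDIF changerecord for ldapmodify."""
    lines = [f"dn: {dn}", "changetype: modify"]
    for op, attr, values in mods:
        lines.append(f"{op}: {attr}")
        lines.extend(f"{attr}: {v}" for v in values)
        lines.append("-")
    return "\n".join(lines) + "\n"


def audit_drift(group_entry, users_by_dn):
    """Compare the member DNs with memberUid on a group carrying both.

    Returns (uids present via member but missing from memberUid,
             uids in memberUid with no matching member DN,
             member DNs that resolve to no known user entry).
    """
    unresolved = [dn for dn in group_entry.get("member", []) if dn not in users_by_dn]
    uids_from_member = {users_by_dn[dn]["uid"][0]
                        for dn in group_entry.get("member", []) if dn in users_by_dn}
    member_uids = set(group_entry.get("memberUid", []))
    return (sorted(uids_from_member - member_uids),
            sorted(member_uids - uids_from_member),
            unresolved)


if __name__ == "__main__":
    mods = add_user_mods(MYSQL_GROUP, OKOSSUTH_DN, USERS[OKOSSUTH_DN])
    print(to_ldif(MYSQL_GROUP_DN, mods))
    print("drift (missing, extra, unresolved):", audit_drift(MYSQL_GROUP, USERS))
```

Run periodically, the audit catches exactly the situation in the thread: a user added with usermod shows up in member only, so id and getent (reading memberUid) never see the membership, while a user removed from memberUid but left in member keeps a DN-based group entitlement that other LDAP applications still honour.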
OK, it makes sense to do the user/group administration from an LDAP client instead of doing it from each of the servers the OpenLDAP server manages... because if not, why use an LDAP server at all? hehe. phpldapadmin works great using posixGroup with the memberUid attribute, so I think it's good practice to do all my administration from an LDAP client like phpldapadmin, to be able to use the getent or id commands from the servers without any hassle, and obviously not use usermod anymore.
Thanks for your help
Regards,
Oskar Kossuth, UNIX Administrator, ANTEL Telecomunicaciones
-----Original Message----- From: Michael Ströder [mailto:michael@stroeder.com] Sent: Thursday, February 19, 2009 9:10 AM To: Kossuth Espinosa, Oskar CC: openldap-technical@openldap.org Subject: Re: Usermod problems with ldap