Hi,
I'm trying to use the dynlist overlay as a dynamic group container.
system config:
OS: debian lenny
slapd: 2.4.11-1

slapd.conf
[...]
moduleload dynlist
overlay dynlist
dynlist-attrset groupOfNames labeledURI member

When I do a search like:

ldapsearch -x cn=ssh_admin

I get:

# extended LDIF
#
# LDAPv3
# base <dc=domain,dc=com> (default) with scope subtree
# filter: cn=ssh_admin
# requesting: ALL
#

# ssh_admin, Server, domain.com
dn: cn=ssh_admin,ou=Server,dc=domain,dc=com
objectClass: groupOfNames
objectClass: labeledURIObject
objectClass: top
objectClass: posixGroup
cn: ssh_admin
member: uid=user1,ou=People,dc=domain,dc=com
member: uid=user2,ou=People,dc=domain,dc=com
labeledURI:ldap:///ou=People,dc=domain,dc=com??sub?(&(objectClass=posixAccount))
gidNumber: 30000

user1 is added manually, since at least one member attribute is required by groupOfNames (posixGroup is an auxiliary type)
And such a request:

ldapsearch -x "(member=uid=user1,ou=People,dc=domain,dc=com)"

results in:

# extended LDIF
#
# LDAPv3
# base <dc=domain,dc=com> (default) with scope subtree
# filter: (member=uid=user1,ou=People,dc=domain,dc=com)
# requesting: ALL
#

# ssh_admin, Server, domain.com
dn: cn=ssh_admin,ou=Server,dc=domain,dc=com
objectClass: groupOfNames
objectClass: labeledURIObject
objectClass: top
objectClass: posixGroup
cn: ssh_admin
member: uid=user1,ou=People,dc=domain,dc=com
member: uid=user2,ou=People,dc=domain,dc=com
labeledURI:ldap:///ou=People,dc=domain,dc=com??sub?(&(objectClass=posixAccount))
gidNumber: 30000

BUT with this one, which is a search done by a Linux system when, e.g., doing id user2:

ldapsearch -x "(member=uid=user2,ou=People,dc=domain,dc=com)"

I get:

# extended LDIF
#
# LDAPv3
# base <dc=domain,dc=com> (default) with scope subtree
# filter: (member=uid=user2,ou=People,dc=domain,dc=com)
# requesting: ALL
#

# search result
search: 2
result: 0 Success

# numResponses: 1

My question is: how can I make use of dynlist to get it working with a Linux system, to automate group assignments? Or is there another way to do it?
The goal is to have dynamic posixGroups generated from some specified filters, as shown in the example, to manage the authorization to a service (for instance sshd).
Thanks for any suggestions and help.
openldap-technical@openldap.org