Hey;
Here's the end goal: Have the ability to have posixgroup style support for gid <-> group_name translation and the ability to use memberof style searches without data duplication.
In short:
# ldapsearch -xLLL -s sub '(uid=doleary)' memberof
dn: uid=doleary,ou=users,dc=oci,dc=com
memberOf: cn=infra,ou=groups,dc=oci,dc=com
memberOf: cn=ldap-Administrators,ou=groups,dc=oci,dc=com
memberOf: cn=infosec,ou=groups,dc=oci,dc=com
memberOf: cn=dba,ou=groups,dc=oci,dc=com
and
# groups doleary
doleary : ldap-users ldap-Administrators infosec infra
Using a standard rfc2307 install, the only way I was able to get there was by having duplicate groups, one posix and one groupofnames.
I've been playing around with rfc2307bis the last few days. While I'm able to have one group, in order to support the desired functionality, I still have to have two member types in that group - member and memberuid:
# ldap -search cn=infra
-----------------------------------------------------------------------
dn: cn=infra,ou=groups,dc=oci,dc=com
cn: infra
objectClass: top
objectClass: groupOfNames
objectClass: posixGroup
member: cn=admin,dc=oci,dc=com
member: uid=doleary,ou=users,dc=oci,dc=com
description: System Admins
gidNumber: 610
memberUid: doleary
Short version: is there a way to achieve this ability without duplicating data?
Any info greatly appreciated. Thanks for your time.
Doug O'Leary
------------
Senior UNIX/Security Admin
CISSP, CISA, RHCE, CEH
O'Leary Computers Inc
dkoleary@olearycomputers.com
(w) 630-904-6098 (c) 630-248-2749
linkedin: http://www.linkedin.com/in/dkoleary
resume: http://www.olearycomputers.com/resume.html
Doug OLeary wrote:
> Hey;
> Here's the end goal: Have the ability to have posixgroup style support for gid <-> group_name translation and the ability to use memberof style searches without data duplication.
> In short:
> # ldapsearch -xLLL -s sub '(uid=doleary)' memberof
> dn: uid=doleary,ou=users,dc=oci,dc=com
> memberOf: cn=infra,ou=groups,dc=oci,dc=com
> memberOf: cn=ldap-Administrators,ou=groups,dc=oci,dc=com
> memberOf: cn=infosec,ou=groups,dc=oci,dc=com
> memberOf: cn=dba,ou=groups,dc=oci,dc=com
> and
> # groups doleary
> doleary : ldap-users ldap-Administrators infosec infra
> Using a standard rfc2307 install, the only way I was able to get there was by having duplicate groups, one posix and one groupofnames.
> I've been playing around with rfc2307bis the last few days. While I'm able to have one group, in order to support the desired functionality, I still have to have two member types in that group - member and memberuid:
An LDAP NSS module properly configured to use rfc2307bis doesn't need or use memberuid.
OpenLDAP nssov just uses rfc2307bis by default.
Hey;
> An LDAP NSS module properly configured to use rfc2307bis doesn't need or use memberuid.
> OpenLDAP nssov just uses rfc2307bis by default.
Interesting. So, it is possible to get where I'm going, and member is the attribute that it should be looking for. Thank you. That gives me another avenue to explore.
On Sun, 25 May 2014, Doug OLeary wrote:
>> An LDAP NSS module properly configured to use rfc2307bis doesn't need or use memberuid.
>> OpenLDAP nssov just uses rfc2307bis by default.
> Interesting. So, it is possible to get where I'm going, and member is the attribute that it should be looking for. Thank you. That gives me another avenue to explore.
Excellent! That was the exact clue I needed. Thank you very much, sir! Fully functional exactly the way it should be with no duplication of data.
Appreciate it no end.
Short version of the fix for CentOS 6.5:
Troubleshooting existing issues w/sssd and adding:
    ldap_schema = rfc2307bis    # was already there; but may have had issues
    ldap_group_member = member
to sssd.conf.
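The resolution the thread arrives at, as an added offline example that is not code from the thread, OpenLDAP or sssd: a small Python model of how an NSS backend configured with ldap_schema = rfc2307bis and ldap_group_member = member derives POSIX group membership from a group's member DNs, set beside the classic rfc2307 lookup that keys on memberUid. Everything in it is constructed for this example (the LDIF entries, the extra "legacy" group that carries only memberUid, and the parse_ldif, groups_for_user, getgrnam, getgrgid and member_of helpers); only the user, group and base DN names mirror the thread.

```python
"""Offline model of rfc2307bis group resolution (added example, not from the
thread, OpenLDAP or sssd). With ldap_schema = rfc2307bis and
ldap_group_member = member, sssd derives POSIX group membership from the
group's member DNs, so a single entry that is both groupOfNames and
posixGroup serves getgrnam/getgrgid, `groups`, and memberOf with no memberUid.
The LDIF below is constructed for this example and is not real directory data.
"""

SAMPLE_LDIF = """\
dn: uid=doleary,ou=users,dc=oci,dc=com
objectClass: inetOrgPerson
objectClass: posixAccount
uid: doleary
uidNumber: 1001
gidNumber: 600

dn: cn=ldap-users,ou=groups,dc=oci,dc=com
objectClass: posixGroup
objectClass: groupOfNames
cn: ldap-users
gidNumber: 600
member: uid=doleary,ou=users,dc=oci,dc=com

dn: cn=infra,ou=groups,dc=oci,dc=com
objectClass: groupOfNames
objectClass: posixGroup
cn: infra
description: System Admins
gidNumber: 610
member: cn=admin,dc=oci,dc=com
member: uid=doleary,ou=users,dc=oci,dc=com

dn: cn=infosec,ou=groups,dc=oci,dc=com
objectClass: groupOfNames
objectClass: posixGroup
cn: infosec
gidNumber: 620
member: uid=doleary,ou=users,dc=oci,dc=com

dn: cn=legacy,ou=groups,dc=oci,dc=com
objectClass: posixGroup
cn: legacy
gidNumber: 630
memberUid: doleary
"""


def parse_ldif(text):
    """Minimal LDIF parser (constructed helper): entries separated by blank
    lines, one 'attr: value' per line, no base64 (::) values and no line
    continuations. Attribute names are lower-cased because LDAP attribute
    types are case-insensitive; 'dn' is stored as a string, the rest as lists."""
    entries, current = [], None
    for line in text.splitlines():
        if not line.strip():
            if current is not None:
                entries.append(current)
                current = None
            continue
        attr, _, value = line.partition(":")
        attr, value = attr.strip().lower(), value.strip()
        if attr == "dn":
            current = {"dn": value}
        else:
            current.setdefault(attr, []).append(value)
    if current is not None:
        entries.append(current)
    return entries


def _norm_dn(dn):
    """Case- and whitespace-insensitive DN comparison key (enough for this model)."""
    return ",".join(part.strip().lower() for part in dn.split(","))


def posix_groups(entries):
    """Entries carrying the posixGroup object class, whatever else they are."""
    return [e for e in entries
            if "posixgroup" in {v.lower() for v in e.get("objectclass", [])}]


def groups_for_user(entries, user_dn, uid, schema="rfc2307bis"):
    """Return {group cn: gid} for the user's POSIX groups, the way `groups` would.
    schema="rfc2307bis": match the user's DN against each group's member values
    (sssd: ldap_group_member = member). schema="rfc2307": match uid against
    memberUid, which is why a member-only group is invisible to that lookup."""
    result = {}
    for g in posix_groups(entries):
        if schema == "rfc2307bis":
            hit = _norm_dn(user_dn) in {_norm_dn(m) for m in g.get("member", [])}
        elif schema == "rfc2307":
            hit = uid in g.get("memberuid", [])
        else:
            raise ValueError(f"unknown schema {schema!r}")
        if hit:
            result[g["cn"][0]] = int(g["gidnumber"][0])
    return result


def getgrnam(entries, name):
    """gid for a group name, resolved from the same combined entry."""
    for g in posix_groups(entries):
        if g["cn"][0] == name:
            return int(g["gidnumber"][0])
    raise KeyError(name)


def getgrgid(entries, gid):
    """Group name for a gid, resolved from the same combined entry."""
    for g in posix_groups(entries):
        if int(g["gidnumber"][0]) == gid:
            return g["cn"][0]
    raise KeyError(gid)


def member_of(entries, user_dn):
    """Group DNs whose member attribute lists user_dn, i.e. what the memberof
    overlay would return for the user, posixGroup or not."""
    key = _norm_dn(user_dn)
    return [e["dn"] for e in entries
            if key in {_norm_dn(m) for m in e.get("member", [])}]


if __name__ == "__main__":
    entries = parse_ldif(SAMPLE_LDIF)
    user = "uid=doleary,ou=users,dc=oci,dc=com"
    print("rfc2307bis:", groups_for_user(entries, user, "doleary"))
    print("rfc2307   :", groups_for_user(entries, user, "doleary", schema="rfc2307"))
    print("memberOf  :", member_of(entries, user))
```

Run against the constructed entries, the rfc2307bis lookup returns ldap-users, infra and infosec from their member values alone, while the rfc2307 lookup sees only the legacy group that carries memberUid; that gap is the duplication the thread's two-group setup was papering over.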
openldap-technical@openldap.org