On 08/14/2011 03:18 PM, pradyumna dash wrote:
Hi,
Thank you so much. I have never worked a lot on nss_ldap so asking some basic questions.
As per you said you guys are running the same in your env.
ldap: personals user groups: ou=groups,o=company first project groups: cn=group1,ou=project1,o=__company cn=group2,ou=project1,o=__company
-- Do i need to create separate OU's for different groups?
Up to you.
You need some "separator" between projects. It can be branch in the tree, or scope "base" in filter configuration from nss_ldap.conf file.
We are prefer branches. It's more readable, when you have many groups and many projects.
second project groups: cn=group1,ou=project2,o=__company cn=group2,ou=project2,o=__company -- How i can specify the users who are a part of which group?
cn=group1,ou=project1,o=company objectClass: posixGroup cn: group1 gidNumber: 1000 description: project1 admin group memberUid: user1 memberUid: user2 memberUid: user3
"Server1" nss_ldap.conf: nss_base_group ou=groups,o=company?sub nss_base_group ou=project1,o=company?one --The syntax in the conf file will be like above ?? Because i have never used ?sub and ?one
It's URI (http://en.wikipedia.org/wiki/URI_scheme) syntax. You should to write second part of URI (after connection description) with base, scope and filter.
"Server2" nss_ldap.conf: nss_base_group ou=groups,o=company?sub nss_base_group ou=project2,o=company?one
Also if you can help, am trying "pwdReset" for my ldap users, in the ppolicy.schema file i have uncommented this attribute but not able to load the schema, if you can give me some pointers would be appreciated. What i want is when firsttime any user logs in he will asked to change his password.
1. try to start slapd with "-d config" 2. take a look to http://www.zytrax.com/books/ldap/ch6/ppolicy.html
WBR
Regards, Neo
I am not a expert in OpenLDAP so please help me. 2011/8/14 Dmitriy Kirhlarov <dimma@higis.ru mailto:dimma@higis.ru>
Hi. On 08/12/2011 07:40 PM, Buchan Milne wrote: On Wednesday, 10 August 2011 10:11:17 pradyumna dash wrote: Guys, I have a query, lets take a scenario : Assume we have 2 servers "Server1" and "Server2" and 2 groups "Admin" and "ITTech", What is needed is like say when a user "bob" logging in to "Server1" he will get the group "Admin", but when he logs in to "Server2" he will get group "ITTech". Also it may vary for different users like when "Kris" logs in to Server1 he may get a group called "ITTech" and when he logs in to "Server2" he will get some other group say "Security". Can it be possible by OpenLDAP ? IMHO, this is a bad idea. It will specifically be problematic if you have any files shared/replicated/backed up between servers (e.g. via NFS). We are using this functionality without any problems. :) This is feature of nss_ldap. ldap: personals user groups: ou=groups,o=company first project groups: cn=group1,ou=project1,o=__company cn=group2,ou=project1,o=__company second project groups: cn=group1,ou=project2,o=__company cn=group2,ou=project2,o=__company "Server1" nss_ldap.conf: nss_base_group ou=groups,o=company?sub nss_base_group ou=project1,o=company?one "Server2" nss_ldap.conf: nss_base_group ou=groups,o=company?sub nss_base_group ou=project2,o=company?one WBR If this is achieved then we are planning to have SUDO files based on the grooups. It would be much more effective to have your sudo rules in LDAP, and apply a rule to a set of users/groups to a collection/netgroup of hosts. Regards, Buchan
openldap-technical@openldap.org