Re: Question about 389-ds and Solaris


 



On 11/16/2012 08:08 AM, Jean-Francois Saucier wrote:
On Fri, Nov 16, 2012 at 9:58 AM, Rich Megginson <rmeggins@xxxxxxxxxx> wrote:
On 11/16/2012 07:51 AM, Jean-Francois Saucier wrote:
On Fri, Nov 16, 2012 at 2:18 AM, Carsten Grzemba <grzemba@xxxxxxxxxxxx> wrote:


On 14.11.12, Jean-Francois Saucier <jsaucier@xxxxxxxxx> wrote:
Hi everyone,

I just installed 389-ds on Fedora and have a problem with Solaris clients.

Everything works well on the Linux side (Fedora, CentOS and RHEL clients work fine).

On the Solaris side, I got everything to work too (pam, ssh, getent passwd, getent group, ldaplist -l passwd, ldaplist -l group, etc). I used the native Solaris ldapclient tool to make everything work.

The problem I have is with the Group attribute. In 389-ds, groups are created with the objectClass "groupofuniquenames" and the members are listed in the attribute "uniqueMember". I manually add the objectClass "posixgroup" to allow the group to be visible on the client.

With this configuration, everything works fine in Linux. In Solaris, I can see the group with "getent group" but there are no members. What I have found is that Solaris needs its members to be in the "memberUid" attribute and not in the "uniqueMember" attribute.
memberUid is standard for posixGroups and works for Linux clients too.


I know that Linux can use both memberUid and uniqueMember, see the next answer for more information about the problem.


Also, I found that while uniqueMember requires a fully qualified DN (uid=jeff,ou=people,dc=test,dc=com), memberUid just requires the uid (jeff).


What should I do to make this work easily on Solaris? Adding the memberUid by hand is not an option because there will surely be a difference between the uniqueMember and memberUid lists at some point in time.
How do you add uniqueMember? If you want to continue to maintain uniqueMember then you have the following options:
- try to use winbind of Samba on the Solaris client to resolve the groups
- map uniqueMember to memberUid with a script in your preferred scripting language
- in an AD - DS replication setup there is logic which maps uniqueMember to memberUid automatically. This can also be triggered via a task.

The uniqueMember attribute is added by default when you create a group in 389-ds. If I choose to create a group in the console, the default is objectClass=groupOfUniqueNames with the uniqueMember attribute. If I manually create a group with just objectClass=posixGroup and memberUid, the default interface to add members to a group in 389-ds doesn't work anymore.

For the map, I tried and it "works". Why do I say that it "works"? Because the uniqueMember attribute created by 389-ds is in the "uid=jeff,ou=people,dc=test,dc=com" format and the memberUid format is supposed to be in the "jeff" format. So, when I map both attributes on the Solaris side, what I see in "getent group" is the "uid=jeff,ou=people,dc=test,dc=com" string that Solaris doesn't understand.

For AD, the documentation says that it syncs based on the uniqueMember attribute and I saw nothing to make it work with memberUid: https://access.redhat.com/knowledge/docs/en-US/Red_Hat_Directory_Server/8.2/html/Administration_Guide/Using_Windows_Sync-Synchronizing_Groups.html


389-ds-base-1.2.11 winsync added support for posix attributes, including memberUid for posix groups synced from AD (thanks Carsten!); see http://port389.org/wiki/WinSync_Posix



Nice one, I didn't see it. I will try this new version. Thanks to Carsten!

Now, what should I do if I want to create my group with the "New group" interface in the console but use the posixGroup objectClass in place of groupOfUniqueNames?

idm-console-framework 1.1.7 added support for posix groups (also thanks to Carsten!) - see http://git.fedorahosted.org/cgit/idm-console-framework.git/commit/?id=a77731fbd8258ca0e4803e936688d2a543ea9f50

I know I can create a new object manually and give it the objectClass I want, but what if I want to use the "New group" dialog? The interface I am talking about is this one: http://www.linuxmail.info/images/centos-5/389-ds-create-new-group.png

Is it something that I missed?
 

Thanks a lot for your answer.



Thank you!

--
Jean-Francois Saucier (djf_jeff)
GPG key : 0xA9E6E953
Regards
--
Carsten Grzemba

--
389 users mailing list
389-users@xxxxxxxxxxxxxxxxxxxxxxx
https://admin.fedoraproject.org/mailman/listinfo/389-users







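A script of the kind Carsten suggests for the second option (map uniqueMember to memberUid), as an added example that is not code from 389-ds or from anyone in this thread. It assumes that user entries are named by a uid RDN (uid=jeff,ou=people,dc=test,dc=com, as in the thread), that the group already carries objectClass posixGroup with its gidNumber, and that the input is plain ldapsearch -LLL style LDIF; the constructed sample group, the helper names and the backup-svc DN are invented for the demo.

```python
"""Added example, not 389-ds code: derive memberUid from uniqueMember DNs.  Assumes
users are named by a uid RDN and the group already has objectClass posixGroup."""
import re
# Constructed sample group, shaped like 'ldapsearch -LLL' output.
SAMPLE_LDIF = """\
dn: cn=admins,ou=groups,dc=test,dc=com
objectClass: groupOfUniqueNames
cn: admins
uniqueMember: uid=jeff,ou=people,dc=test,dc=com
uniqueMember: uid=ann\\, jr,ou=people,dc=test,dc=com
uniqueMember: UID=jeff,ou=people,dc=test,dc=com
uniqueMember: cn=backup-svc,ou=services,dc=test,dc=com
"""
_UID_RDN = re.compile(r"^uid=((?:\\.|[^,\\])+)(?:,|$)", re.IGNORECASE)

def uid_from_dn(dn):
    """uid RDN value of dn with RFC 4514 '\\c' / '\\XX' escapes decoded, or None
    when the entry is not uid-named (only the RDN is used, never the whole DN)."""
    m = _UID_RDN.match(dn.strip())
    if not m:
        return None
    return re.sub(r"\\([0-9a-fA-F]{2}|.)", lambda e: chr(int(e.group(1), 16))
                  if len(e.group(1)) == 2 else e.group(1), m.group(1))

def parse_ldif(text):
    """Tiny LDIF reader (no base64 or folded lines): [(dn, {attr: [values]})]."""
    entries = []
    for block in text.strip().split("\n\n"):
        attrs = {}
        for line in block.splitlines():
            key, _, val = line.partition(": ")
            attrs.setdefault(key.lower(), []).append(val)
        entries.append((attrs.pop("dn")[0], attrs))
    return entries

def posix_modify_ldif(text):
    """One 'changetype: modify' per group that REPLACES memberUid with the uids
    derived from uniqueMember, so re-running it keeps both attributes in sync.
    Returns (ldif, skipped); skipped lists non-uid member DNs, reported not dropped."""
    out, skipped = [], []
    for dn, attrs in parse_ldif(text):
        uids = set()
        for member in attrs.get("uniquemember", []):
            uid = uid_from_dn(member)
            if uid is None:
                skipped.append((dn, member))
            else:
                uids.add(uid)
        out.append(f"dn: {dn}\nchangetype: modify\nreplace: memberUid\n"
                   + "".join(f"memberUid: {u}\n" for u in sorted(uids)) + "-\n")
    return "\n".join(out), skipped
```

Feeding the returned LDIF to ldapmodify on a schedule keeps memberUid a pure function of uniqueMember, which is exactly the drift the original question worried about; the skipped list is worth checking each run, since a non-uid member would otherwise vanish from the Solaris view silently.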

