Re: MemberOf Plugin Question

On 03/27/2013 09:55 AM, Chandan Kumar wrote:
Hello,

I have two questions on the same line, and these answers will be very helpful.

1)

The MemberOf plugin works wonderfully using SSSD at the client side; however, is it possible to have the same kind of control at the server side?

I mean, could I have the ability to control a user's authentication on a host machine based on its group or other parameter, very much the same way that I am now doing with memberOf/sssd.conf at the host machine?

Not exactly - http://port389.org/wiki/Howto:Netgroups


2) 

I know this is not the IPA group, but in case someone knows: does IPA support that feature at the server side, or using sssd.conf at the host machine?

Any pointers to RTFM would also be helpful. :-)

Thanks
Chandan

On Friday, March 22, 2013, Chandan Kumar wrote:
Hi Rich,

Oops! My bad. Thank you so much for pointing that out. Now I could see the MemberOf attribute in my user entries.

Thanks again!

--Chandan

On Friday, March 22, 2013, Rich Megginson wrote:
On 03/22/2013 11:06 AM, Chandan Kumar wrote:
Hello,

So far I have managed to do some setup of the 389 server, thanks to the prompt community.

Now, I am having some trouble getting the MemberOf plugin to work for 389-ds-base-1.2.11.15-11. When I add a user into a group, the memberOf attribute is not being added to the user entry.

While googling a bit I came across an older post of this group


based on that, I checked dse.ldif and the Plugin configuration also looks good.

Too bad that google didn't send you here:
https://access.redhat.com/knowledge/docs/en-US/Red_Hat_Directory_Server/9.0/html/Administration_Guide/Advanced_Entry_Management.html#groups-cmd-memberof

Specifically:
"6.1.4.2. Object Classes Which Support memberof Attributes
The most common people object classes — such as inetorgperson and person — do not allow the memberOf attribute. To allow the MemberOf Plug-in to add the memberOf attribute to a user entry, make sure that that entry belongs to the inetUser object class, which does allow the memberOf attribute."

Even in the link you posted:
"objectClass: shadowaccount
objectClass: inetuser
physicalDeliveryOfficeName: Kennebunk
...
"



dn: cn=MemberOf Plugin,cn=plugins,cn=config
objectClass: top
objectClass: nsSlapdPlugin
objectClass: extensibleObject
cn: MemberOf Plugin
nsslapd-pluginPath: libmemberof-plugin
nsslapd-pluginInitfunc: memberof_postop_init
nsslapd-pluginType: postoperation
nsslapd-pluginEnabled: on
nsslapd-plugin-depends-on-type: database
memberofgroupattr: uniqueMember
memberofattr: memberOf
nsslapd-pluginId: memberof
nsslapd-pluginVersion: 1.2.11.15
nsslapd-pluginVendor: 389 Project
nsslapd-pluginDescription: memberof plugin
modifiersName: cn=directory manager
modifyTimestamp: 20130322162350Z

The way I am adding users :

dn: uid=chandank,ou=People,dc=ma,dc=net
objectclass: person
objectclass: inetorgperson
objectclass: posixAccount
cn: Chandan
sn: k
givenName: chandank
uid: chandank
uidNumber: 5006
gidNumber: 5006
objectclass: mepOriginEntry
mepManagedEntry: cn=chandank
homeDirectory: /home/chandank
loginShell: /bin/bash

The way I am adding them into a group:

dn: cn=sys,ou=Groups,dc=ma,dc=net
changetype: modify
add: uniqueMember
uniqueMember: uid=chandank,ou=People,dc=ma,dc=net

And after I have added the user I am expecting a MemberOf attribute entry in the user entry itself. I am not sure whether it is the right way to do so.

For the record: having the MemberOf attribute in the user entry would allow me to use LDAP access filters in the sssd.conf file, e.g.
"ldap_access_filter = memberOf=cn=allowedusers,ou=Groups,dc=example,dc=com", and hence I will be able to restrict users from logging in on different systems.

Thanks
Chandan

--
389 users mailing list
389-users@xxxxxxxxxxxxxxxxxxxxxxx
https://admin.fedoraproject.org/mailman/listinfo/389-users
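
Added example, not part of the original thread or of 389 DS: a small audit over an LDIF export that finds entries listed as uniqueMember of a group but lacking the inetUser object class (so the plugin cannot write memberOf to them and an SSSD ldap_access_filter on memberOf will not match), and emits the LDIF to fix them. The sample entries are constructed (alice is hypothetical), and the function names are this example's own.

```python
# Added example, not from the thread. Sample entries are constructed.
# Assumes unfolded, non-base64 LDIF and DNs without escaped commas.
SAMPLE_LDIF = """\
dn: uid=chandank,ou=People,dc=ma,dc=net
objectclass: person
objectclass: inetorgperson
objectclass: posixAccount
uid:chandank

dn: uid=alice,ou=People,dc=ma,dc=net
objectClass: inetOrgPerson
objectClass: inetUser

dn: cn=sys,ou=Groups,dc=ma,dc=net
objectClass: groupOfUniqueNames
uniqueMember: uid=chandank,ou=People,dc=ma,dc=net
uniqueMember: uid=alice,ou=People,dc=ma,dc=net
"""

def norm_dn(dn):
    """Simplified comparison key: lowercase, no spaces around RDN separators."""
    return ",".join(part.strip().lower() for part in dn.split(","))

def parse_ldif(text):
    """Return {normalized dn: {lowercased attribute: [values]}}."""
    entries = {}
    for record in text.strip().split("\n\n"):
        attrs = {}
        for line in record.splitlines():
            name, _, value = line.partition(":")  # accepts "uid:x" and "uid: x"
            attrs.setdefault(name.strip().lower(), []).append(value.strip())
        if "dn" in attrs:
            entries[norm_dn(attrs["dn"][0])] = attrs
    return entries

def members_missing_inetuser(entries, group_attr="uniquemember"):
    """DNs referenced via group_attr (memberofgroupattr) that lack inetUser."""
    missing = set()
    for attrs in entries.values():
        for member in attrs.get(group_attr, []):
            target = entries.get(norm_dn(member))
            if target and "inetuser" not in {c.lower() for c in target.get("objectclass", [])}:
                missing.add(target["dn"][0])
    return sorted(missing)

def fix_ldif(dns):
    """LDIF (for ldapmodify) adding the inetUser auxiliary class to each DN."""
    return "\n".join(
        f"dn: {dn}\nchangetype: modify\nadd: objectClass\nobjectClass: inetUser\n"
        for dn in dns)
```
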
