Hi Rich,
I had added the inetUser objectclass on the test cases of groups that failed. I was wondering if I had incorrectly configured arguments of the memberOf plugin. I will read the documentation again.
I should be done rebuilding my instance of 389 in an hour or so.
From: Rich Megginson [mailto:rmeggins@xxxxxxxxxx]
Sent: 03 September 2013 20:47
To: Andy
Cc: 'General discussion list for the 389 Directory server project.'
Subject: Re: Membership of Roles
On 09/03/2013 01:22 PM, Andy wrote:
Hi Rich,
I am having the same problem with groups, so I am wondering if I have groups configured correctly. Especially the configuration of the memberOf plugin.
https://access.redhat.com/site/documentation/en-US/Red_Hat_Directory_Server/9.0/html/Administration_Guide/Advanced_Entry_Management.html#groups-cmd-memberof
Especially this part:6.1.4.2. Object Classes Which Support memberof Attributes
The most common people object classes — such as
inetorgperson
andperson
— do not allow thememberOf
attribute. To allow the MemberOf Plug-in to add thememberOf
attribute to a user entry, make sure that that entry belongs to theinetUser
object class, which does allow thememberOf
attribute.Similarly, if an attribute other than
memberOf
is used in the user entry, then make sure that the user entry belongs to an object class that allows that attribute.
I’m in the process of reconfiguring my instance of ldap, as it was misbehaving after I tried out various configuration to get roles and groups to work.
From: Rich Megginson [mailto:rmeggins@xxxxxxxxxx]
Sent: 03 September 2013 14:48
To: General discussion list for the 389 Directory server project.
Cc: Andy
Subject: Re: Membership of Roles
On 09/01/2013 05:50 AM, Andy wrote:
Please find additional information on the configuration of the blog system
My configuration:
AuthenticationModule LDAP
LDAPAuthURL ldap://xxxxx:389/dc=sf4u,dc=com?mail
LDAPAuthBindDN cn=Directory Manager (will replace with application user account once phase one integration is completed)
LDAPAuthPassword xxxxxx
LDAPAuthSASLMechanism PLAIN (note SSL not yet configured)
ExternalUserManagement 1
ExternalGroupManagement 1
ExternalUserSyncFrequency 60
LDAPGroupNameAttribute cn
LDAPGroupIdAttribute nsUniqueId
LDAPGroupFullNameAttribute cn
LDAPGroupMemberAttribute memberof
LDAPGroupSearchBase ou=customers,dc=xxx,dc=com
LDAPGroupFilter (objectclass=ldapSubEntry)
LDAPUserIdAttribute uid
LDAPUserEmailAttribute mail
LDAPUserFullNameAttribute cn
LDAPUserGroupMemberAttribute nsrole
I think this is going to be problematic, and may not work at all. With groups, there is an actual group entry, which lists all of the members. With roles, the role entry does not list all of the members. So a query like
SRCH base="ou=customers,dc=xxxx,dc=com" scope=2 filter="(&(|(member=cn=xxxxrolecommentertest,ou=customers,dc=xxxx,dc=com))(objectClass=ldapSubEntry))"
will not work because there is no role entry which lists it's members in a "member" attribute.
If you can configure it to search all of the users, you might be able to do a search like
SRCH base="ou=customers,dc=xxxx,dc=com" scope=2 filter="(nsRole=cn=xxxxrolecommentertest,ou=customers,dc=xxxx,dc=com)"
Roles will automatically populate each user's entry with the nsRole attribute. This attribute lists all of the roles to which that user belongs. nsRole is an operational attribute, so you must explicitly request it on the command line if you want to see it (e.g. in an ldapsearch command).
The default settings for OpenLDAP installations are:
Stage 1
Authentication URL
ldap://<FQDN of LDAP server>:389/dc=xxxx,dc=com?mail
Authentication DN
Authentication Password
Password
Test Username
Test email address
Test Password
Password for test user
Stage 2
Group Search Base Attribute
dc=xxx,dc=com
Group Filter Attribute
(objectClass=groupOfUniqueNames)
Attributes
OpenLDAP
User ID Attribute
entryUUID
Email Attribute
User Fullname Attribute
cn
User Member Attribute
uid
GroupID Attribute
entryUUID
Group Name Attribute
cn
Group Fullname Attribute
cn
Group Member Attribute
memberUid
From: Andy [mailto:racingyacht1@xxxxxxxxx]
Sent: 31 August 2013 13:43
To: '389-users@xxxxxxxxxxxxxxxxxxxxxxx'
Subject: Membership of Roles
Hello
I am testing integration of 389-ds with a blogging system. I plan to use roles instead of groups to automatically give users rights to service on the blog system. However, I am having problems with the system identifying members of roles. I need help with defining the correct search parameters to identify which roles a uid or cn is a member of.
From within the blog system I’m using LDAPGroupFilter (objectclass=ldapSubEntry) to list the roles. The roles list correctly as groups within the blog system.
From within 389 the members of roles are configured as filtered, and I can see the configured members using the Directory Server GUI.
The blog system is not identifying members of roles when it does its search against 389. Note, users can log into the blog system using the accounts created on 389. I don’t think I am applying the correct search criteria to identify group membership. I need advice on creation of the correct search criteria for membership of roles/groups.
Sample log from access
[31/Aug/2013:11:09:39 +0100] conn=265 op=0 BIND dn="cn=Directory Manager" method=128 version=3
[31/Aug/2013:11:09:39 +0100] conn=265 op=0 RESULT err=0 tag=97 nentries=0 etime=0 dn="cn=directory manager"
[31/Aug/2013:11:09:39 +0100] conn=265 op=1 SRCH base="dc=xxxx,dc=com" scope=2 filter="(&(mail=testuser16@xxxxxxxx)(objectClass=*))" attrs="distinguishedName"
[31/Aug/2013:11:09:39 +0100] conn=265 op=1 RESULT err=0 tag=101 nentries=1 etime=0
[31/Aug/2013:11:09:39 +0100] conn=265 op=2 BIND dn="uid=1000016,ou=Customers,dc=xxxx,dc=com" method=128 version=3
[31/Aug/2013:11:09:39 +0100] conn=265 op=2 RESULT err=0 tag=97 nentries=0 etime=0 dn="uid=1000016,ou=customers,dc=xxxx,dc=com"
[31/Aug/2013:11:09:39 +0100] conn=265 op=3 BIND dn="cn=Directory Manager" method=128 version=3
[31/Aug/2013:11:09:39 +0100] conn=265 op=3 RESULT err=0 tag=97 nentries=0 etime=0 dn="cn=directory manager"
[31/Aug/2013:11:09:39 +0100] conn=265 op=4 SRCH base="dc=xxxx,dc=com" scope=2 filter="(&(mail=testuser16@xxxxxxxx)(objectClass=*))" attrs="uid mail cn mail distinguishedName"
[31/Aug/2013:11:09:39 +0100] conn=265 op=4 RESULT err=0 tag=101 nentries=1 etime=0
[31/Aug/2013:11:09:39 +0100] conn=265 op=5 SRCH base="dc=xxxx,dc=com" scope=2 filter="(|(uid=1000016))" attrs="nsRole"
[31/Aug/2013:11:09:39 +0100] conn=265 op=5 RESULT err=0 tag=101 nentries=1 etime=0
[31/Aug/2013:11:09:39 +0100] conn=265 op=6 SRCH base="ou=customers,dc=xxxx,dc=com" scope=2 filter="(&(|(member=cn=xxxxrolecommentertest,ou=customers,dc=xxxx,dc=com))(objectClass=ldapSubEntry))" attrs="cn cn member nsUniqueId"
[31/Aug/2013:11:09:39 +0100] conn=265 op=6 RESULT err=0 tag=101 nentries=0 etime=0
[31/Aug/2013:11:09:39 +0100] conn=265 op=7 UNBIND
[31/Aug/2013:11:09:39 +0100] conn=265 op=7 fd=68 closed - U1
--389 users mailing list389-users@xxxxxxxxxxxxxxxxxxxxxxxhttps://admin.fedoraproject.org/mailman/listinfo/389-users
--
389 users mailing list
389-users@xxxxxxxxxxxxxxxxxxxxxxx
https://admin.fedoraproject.org/mailman/listinfo/389-users
-- 389 users mailing list 389-users@xxxxxxxxxxxxxxxxxxxxxxx https://admin.fedoraproject.org/mailman/listinfo/389-users