Re: Membership of Roles

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

 



If you had your users and groups created before enabling memberOf, you'll need to modify their group membership (per user, easiest would be to add all to a temporary group then remove the group after memberOf populates) to trigger memberOf creation. It only gets set on changes, and won't autogenerate for existing memberships until a change occurs. It WILL regenerate all memberships even if you change just one, so you can just throw everyone into a group as I said to trigger it. There was a script in some FDS / 389DS howto someplace that was supposed to background trigger it, but I never got it to work.


On Tue, Sep 3, 2013 at 3:47 PM, Andy <racingyacht1@xxxxxxxxx> wrote:

Hi Rich,

I had added the inetUser objectclass on the test cases of groups that failed. I was wondering if I had incorrectly configured arguments of the memberOf plugin. I will read the documentation again.

 

I should be done rebuilding my instance of 389 in an hour or so.

 

From: Rich Megginson [mailto:rmeggins@xxxxxxxxxx]
Sent: 03 September 2013 20:47
To: Andy
Cc: 'General discussion list for the 389 Directory server project.'


Subject: Re: Membership of Roles

 

On 09/03/2013 01:22 PM, Andy wrote:

Hi Rich,

I am having the same problem with groups, so I am wondering if I have groups configured correctly. Especially the configuration of the memberOf plugin.


https://access.redhat.com/site/documentation/en-US/Red_Hat_Directory_Server/9.0/html/Administration_Guide/Advanced_Entry_Management.html#groups-cmd-memberof

Especially this part:

6.1.4.2. Object Classes Which Support memberof Attributes

The most common people object classes — such as inetorgperson and person — do not allow the memberOf attribute. To allow the MemberOf Plug-in to add the memberOf attribute to a user entry, make sure that that entry belongs to the inetUser object class, which does allow the memberOf attribute.

Similarly, if an attribute other than memberOf is used in the user entry, then make sure that the user entry belongs to an object class that allows that attribute.




I’m in the process of reconfiguring my instance of ldap, as it was misbehaving after I tried out various configuration to get roles and groups to work.

 

From: Rich Megginson [mailto:rmeggins@xxxxxxxxxx]
Sent: 03 September 2013 14:48
To: General discussion list for the 389 Directory server project.
Cc: Andy
Subject: Re: Membership of Roles

 

On 09/01/2013 05:50 AM, Andy wrote:

Please find additional information on the configuration of the blog system

 

My configuration:

 

AuthenticationModule LDAP

LDAPAuthURL ldap://xxxxx:389/dc=sf4u,dc=com?mail

LDAPAuthBindDN cn=Directory Manager (will replace with application user account once phase one integration is completed)

LDAPAuthPassword xxxxxx

LDAPAuthSASLMechanism PLAIN  (note SSL not yet configured)

ExternalUserManagement 1

ExternalGroupManagement 1

ExternalUserSyncFrequency 60

LDAPGroupNameAttribute cn

LDAPGroupIdAttribute nsUniqueId

LDAPGroupFullNameAttribute cn

LDAPGroupMemberAttribute memberof

LDAPGroupSearchBase ou=customers,dc=xxx,dc=com

LDAPGroupFilter (objectclass=ldapSubEntry)

LDAPUserIdAttribute uid

LDAPUserEmailAttribute mail

LDAPUserFullNameAttribute cn

LDAPUserGroupMemberAttribute nsrole


I think this is going to be problematic, and may not work at all.  With groups, there is an actual group entry, which lists all of the members.  With roles, the role entry does not list all of the members.  So a query like
SRCH base="ou=customers,dc=xxxx,dc=com" scope=2 filter="(&(|(member=cn=xxxxrolecommentertest,ou=customers,dc=xxxx,dc=com))(objectClass=ldapSubEntry))"

will not work because there is no role entry which lists it's members in a "member" attribute.

If you can configure it to search all of the users, you might be able to do a search like

SRCH base="ou=customers,dc=xxxx,dc=com" scope=2 filter="(nsRole=cn=xxxxrolecommentertest,ou=customers,dc=xxxx,dc=com)"

Roles will automatically populate each user's entry with the nsRole attribute.  This attribute lists all of the roles to which that user belongs.  nsRole is an operational attribute, so you must explicitly request it on the command line if you want to see it (e.g. in an ldapsearch command).



 

The default settings for OpenLDAP installations are:

Stage 1

 

Authentication URL

ldap://<FQDN of LDAP server>:389/dc=xxxx,dc=com?mail

Authentication DN

Authentication Password

Password

Test Username

Test email address

Test Password

Password for test user

 

 

Stage 2

 

Group Search Base Attribute

dc=xxx,dc=com

Group Filter Attribute

(objectClass=groupOfUniqueNames)

 

 

Attributes

OpenLDAP

User ID Attribute

entryUUID

Email Attribute

mail

User Fullname Attribute

cn

User Member Attribute

uid

GroupID Attribute

entryUUID

Group Name Attribute

cn

Group Fullname Attribute

cn

Group Member Attribute

memberUid

 

 

From: Andy [mailto:racingyacht1@xxxxxxxxx]
Sent: 31 August 2013 13:43
To: '389-users@xxxxxxxxxxxxxxxxxxxxxxx'
Subject: Membership of Roles

 

Hello

I am testing integration of 389-ds with a blogging system. I plan to use roles instead of groups to automatically give users rights to service on the blog system. However, I am having problems with the system identifying members of roles. I need help with defining the correct search parameters to identify which roles a uid or cn is a member of.

 

From within the blog system I’m using LDAPGroupFilter (objectclass=ldapSubEntry) to list the roles. The roles list correctly as groups within the blog system.

From within 389 the members of roles are configured as filtered, and I can see the configured members using the Directory Server GUI.

 

The blog system is not identifying members of roles when it does its search against 389. Note, users can log into the blog system using the accounts created on 389. I don’t think I am applying the correct search criteria to identify group membership. I need advice on creation of the correct search criteria for membership of roles/groups.

 

 

Sample log from access

 

[31/Aug/2013:11:09:39 +0100] conn=265 op=0 BIND dn="cn=Directory Manager" method=128 version=3

[31/Aug/2013:11:09:39 +0100] conn=265 op=0 RESULT err=0 tag=97 nentries=0 etime=0 dn="cn=directory manager"

[31/Aug/2013:11:09:39 +0100] conn=265 op=1 SRCH base="dc=xxxx,dc=com" scope=2 filter="(&(mail=testuser16@xxxxxxxx)(objectClass=*))" attrs="distinguishedName"

[31/Aug/2013:11:09:39 +0100] conn=265 op=1 RESULT err=0 tag=101 nentries=1 etime=0

[31/Aug/2013:11:09:39 +0100] conn=265 op=2 BIND dn="uid=1000016,ou=Customers,dc=xxxx,dc=com" method=128 version=3

[31/Aug/2013:11:09:39 +0100] conn=265 op=2 RESULT err=0 tag=97 nentries=0 etime=0 dn="uid=1000016,ou=customers,dc=xxxx,dc=com"

[31/Aug/2013:11:09:39 +0100] conn=265 op=3 BIND dn="cn=Directory Manager" method=128 version=3

[31/Aug/2013:11:09:39 +0100] conn=265 op=3 RESULT err=0 tag=97 nentries=0 etime=0 dn="cn=directory manager"

[31/Aug/2013:11:09:39 +0100] conn=265 op=4 SRCH base="dc=xxxx,dc=com" scope=2 filter="(&(mail=testuser16@xxxxxxxx)(objectClass=*))" attrs="uid mail cn mail distinguishedName"

[31/Aug/2013:11:09:39 +0100] conn=265 op=4 RESULT err=0 tag=101 nentries=1 etime=0

[31/Aug/2013:11:09:39 +0100] conn=265 op=5 SRCH base="dc=xxxx,dc=com" scope=2 filter="(|(uid=1000016))" attrs="nsRole"

[31/Aug/2013:11:09:39 +0100] conn=265 op=5 RESULT err=0 tag=101 nentries=1 etime=0

[31/Aug/2013:11:09:39 +0100] conn=265 op=6 SRCH base="ou=customers,dc=xxxx,dc=com" scope=2 filter="(&(|(member=cn=xxxxrolecommentertest,ou=customers,dc=xxxx,dc=com))(objectClass=ldapSubEntry))" attrs="cn cn member nsUniqueId"

[31/Aug/2013:11:09:39 +0100] conn=265 op=6 RESULT err=0 tag=101 nentries=0 etime=0

[31/Aug/2013:11:09:39 +0100] conn=265 op=7 UNBIND

[31/Aug/2013:11:09:39 +0100] conn=265 op=7 fd=68 closed - U1

 

 





--
389 users mailing list
389-users@xxxxxxxxxxxxxxxxxxxxxxx
https://admin.fedoraproject.org/mailman/listinfo/389-users

 

 


--
389 users mailing list
389-users@xxxxxxxxxxxxxxxxxxxxxxx
https://admin.fedoraproject.org/mailman/listinfo/389-users

--
389 users mailing list
389-users@xxxxxxxxxxxxxxxxxxxxxxx
https://admin.fedoraproject.org/mailman/listinfo/389-users

[Index of Archives]     [Fedora User Discussion]     [Older Fedora Users]     [Fedora Announce]     [Fedora Package Announce]     [EPEL Announce]     [Fedora News]     [Fedora Cloud]     [Fedora Advisory Board]     [Fedora Education]     [Fedora Security]     [Fedora Scitech]     [Fedora Robotics]     [Fedora Maintainers]     [Fedora Infrastructure]     [Fedora Websites]     [Anaconda Devel]     [Fedora Devel Java]     [Fedora Legacy]     [Fedora Desktop]     [Fedora Fonts]     [ATA RAID]     [Fedora Marketing]     [Fedora Management Tools]     [Fedora Mentors]     [Fedora Package Review]     [Fedora R Devel]     [Fedora PHP Devel]     [Kickstart]     [Fedora Music]     [Fedora Packaging]     [Centos]     [Fedora SELinux]     [Fedora Legal]     [Fedora Kernel]     [Fedora QA]     [Fedora Triage]     [Fedora OCaml]     [Coolkey]     [Virtualization Tools]     [ET Management Tools]     [Yum Users]     [Tux]     [Yosemite News]     [Yosemite Photos]     [Linux Apps]     [Maemo Users]     [Gnome Users]     [KDE Users]     [Fedora Tools]     [Fedora Art]     [Fedora Docs]     [Maemo Users]     [Asterisk PBX]     [Fedora Sparc]     [Fedora Universal Network Connector]     [Fedora ARM]

  Powered by Linux