MemberOf group restrictions to a client system (server and client running CentOS 7)

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

 

Hi,

I'm new to 389-ds and last week downloaded and installed the software.

I have a running instance of the server, and I've added TLS/SSL.   I've configured a CentOS 7 client to be able to query
the server using TLS/SSL, and all appears working.

I've created users and groups on the 389-ds server successfully.   For each user and group, I've enabled posix attributes and my client
can see the unix users and groups using the "getent password" or "getent group" commands.

Now, here's where I'm getting tripped up.......... 

I need to limit which users have access to which systems.  I've been trying to do this via memberOf group limitations.   

I found the following online resource (https://thornelabs.net/2013/01/28/aix-restrict-server-login-via-ldap-groups.html) 
which is close enough to CentOS that the initial commands worked.

I enabled the MemberOf plugin and changed the attributes per the link, and restarted the system.

I created a test group (that I didn't enable a posix GID) and tried to add a single user via:

Right click on group -- > click Properties --> then Members -->   click Add -->  Search for user  --> click Add.

When I try to go this route (which worked before enabling the memberOf plugin) it worked.   Now it seems I get the error:

"Cannot save to directory server.
netscape.ldap.LDAPException: error resiult(65): Object class violation"

And the messages file throws the error (/var/log/dirsrv/slapd-<instancename>/errors:

"Entry "uid=test,ou=People,dc=int,dc=com" -- attribute "memberOf" not allowed
[17/Feb/2016:11:22:58 -0700] memberof-plugin - memberof_postop_modify: failed to add dn (cn=testgroup,ou=Groups,dc=int,dc=com) to target.  Error (65)"

So it seems my server isn't quite using the memberOf plugin properly, but I'm not sure what else to enable.   I'll have to solve this issue before
I even try to filter login access via groups on my client system.


I should mention that if I go under the advanced tab for one of the groups I created, I can add the the attribute "uniquemember", but I'm not sure what I 
should set the "value" to be.  

I've tried creating new users to see if I could set their "uniquemember" attributes, but no luck.  It seems that I don't have the ability to set this attribute
on individual users, only groups.

This might not be the right road to head down when trying to restrict access to servers via groups, so I'm open to any suggestions.

Any suggestions would be appreciated.  
--
389 users mailing list
389-users@%(host_name)s
http://lists.fedoraproject.org/admin/lists/389-users@xxxxxxxxxxxxxxxxxxxxxxx
[Index of Archives]     [Fedora User Discussion]     [Older Fedora Users]     [Fedora Announce]     [Fedora Package Announce]     [EPEL Announce]     [Fedora News]     [Fedora Cloud]     [Fedora Advisory Board]     [Fedora Education]     [Fedora Security]     [Fedora Scitech]     [Fedora Robotics]     [Fedora Maintainers]     [Fedora Infrastructure]     [Fedora Websites]     [Anaconda Devel]     [Fedora Devel Java]     [Fedora Legacy]     [Fedora Desktop]     [Fedora Fonts]     [ATA RAID]     [Fedora Marketing]     [Fedora Management Tools]     [Fedora Mentors]     [Fedora Package Review]     [Fedora R Devel]     [Fedora PHP Devel]     [Kickstart]     [Fedora Music]     [Fedora Packaging]     [Centos]     [Fedora SELinux]     [Fedora Legal]     [Fedora Kernel]     [Fedora QA]     [Fedora Triage]     [Fedora OCaml]     [Coolkey]     [Virtualization Tools]     [ET Management Tools]     [Yum Users]     [Tux]     [Yosemite News]     [Yosemite Photos]     [Linux Apps]     [Maemo Users]     [Gnome Users]     [KDE Users]     [Fedora Tools]     [Fedora Art]     [Fedora Docs]     [Maemo Users]     [Asterisk PBX]     [Fedora Sparc]     [Fedora Universal Network Connector]     [Fedora ARM]

  Powered by Linux