Hi Mark,
Thanks for all your help. This is a new ldap server, so I'll try to go
the upgrade route.
For short-term testing of the memberOf restrictions to my CentOS client
system, I've gone ahead and added the inetUser to the objectclass of
a couple of my test users.
I'll see if I can now get filtering to work.
Cheers,
On 2/17/16 6:51 PM, Mark Reynolds wrote:
On 02/17/2016 04:45 PM, Janet Houser wrote:
Hi Mark,
Thanks for responding so quickly. Fortunately I'm running
1.3.4.0-26, so I should be able to have the memberOf plugin
automatically add the "inetuser" to my entries if needed.
Sorry, this fix was not released until 1.3.4.5-1. I'm not sure if
you can upgrade or not; if not, you'll need to manually add this
objectclass to your user entries.
Regards,
Mark
I took a look at the document you mentioned (thanks!), and I'm still
a bit confused (apologies for being thick).
I'm in the Advanced settings of the MemberOf plugin, and there isn't
an option to add the attribute "memberofAutoAddOC" and set
the default value to inetUser.
An ldapsearch still fails to show any entries with cn=MemberOf
Plugin,.....
I'm sure I'm missing the obvious. Any suggestions would be
appreciated.
Thanks.
On 2/17/16 12:58 PM, Mark Reynolds wrote:
The memberOf plugin is trying to add the "memberOf" attribute to the
entry, but the entry is missing an objectclass that allows
"memberOf". Typically you need to add "objectclass: inetuser" to
all your entries for memberOf Plugin to work as you'd expect.
If you are using "389-ds-base-1.3.4" or later, the memberOf plugin
can automatically add "inetuser" to the entries for you (if it is
missing).
http://www.port389.org/docs/389ds/design/memberof-auto-add-oc.html
Mark
On 02/17/2016 01:37 PM, houser@xxxxxxx wrote:
Hi,
I'm new to 389-ds and last week downloaded and installed the software.
I have a running instance of the server, and I've added TLS/SSL.
I've configured a CentOS 7 client to be able to query
the server using TLS/SSL, and all appears working.
I've created users and groups on the 389-ds server successfully.
For each user and group, I've enabled posix attributes and my client
can see the unix users and groups using the "getent password" or
"getent group" commands.
Now, here's where I'm getting tripped up..........
I need to limit which users have access to which systems. I've been
trying to do this via memberOf group limitations.
I found the following online resource
(https://thornelabs.net/2013/01/28/aix-restrict-server-login-via-ldap-groups.html)
which is close enough to CentOS that the initial commands worked.
I enabled the MemberOf plugin and changed the attributes per the
link, and restarted the system.
I created a test group (that I didn't enable a posix GID) and tried
to add a single user via:
Right click on group -- > click Properties --> then Members -->
click Add --> Search for user --> click Add.
When I try to go this route (which worked before enabling the
memberOf plugin) it worked. Now it seems I get the error:
"Cannot save to directory server.
netscape.ldap.LDAPException: error resiult(65): Object class
violation"
And the messages file
(/var/log/dirsrv/slapd-<instancename>/errors) throws the error:
"Entry "uid=test,ou=People,dc=int,dc=com" -- attribute "memberOf"
not allowed
[17/Feb/2016:11:22:58 -0700] memberof-plugin -
memberof_postop_modify: failed to add dn
(cn=testgroup,ou=Groups,dc=int,dc=com) to target. Error (65)"
So it seems my server isn't quite using the memberOf plugin
properly, but I'm not sure what else to enable. I'll have to
solve this issue before
I even try to filter login access via groups on my client system.
I should mention that if I go under the advanced tab for one of the
groups I created, I can add the attribute "uniquemember", but
I'm not sure what I should set the "value" to be.
I've tried creating new users to see if I could set their
"uniquemember" attributes, but no luck. It seems that I don't have
the ability to set this attribute on individual users, only groups.
This might not be the right road to head down when trying to
restrict access to servers via groups, so I'm open to any suggestions.
Any suggestions would be appreciated.
--
389 users mailing list
389-users@%(host_name)s
http://lists.fedoraproject.org/admin/lists/389-users@xxxxxxxxxxxxxxxxxxxxxxx
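The root cause Mark identifies above (the "Object class violation", error 65, because no objectclass on the user entry permits "memberOf") is easy to audit before enabling the plugin. The script below is an added example, not something posted in this thread or shipped with 389-ds: it parses an LDIF dump of the People subtree, lists the entries whose objectClass set lacks inetUser, and emits the ldapmodify LDIF that adds it. For the newer servers Mark mentions, it also emits the plugin-config change that sets the memberofAutoAddOC attribute Janet was looking for. The sample LDIF is constructed; the plugin entry DN cn=MemberOf Plugin,cn=plugins,cn=config is the usual 389-ds location but is assumed here, so confirm it with ldapsearch on your own instance.

```python
"""Audit user entries for the objectclass that permits memberOf and emit the
ldapmodify LDIF that fixes them. Added example for this thread, not 389-ds code.
Assumptions: the objectclass is inetUser (per Mark's reply), the sample dump
below is constructed, and the plugin entry DN is the standard one."""
import re

# Constructed sample: roughly what
#   ldapsearch -LLL -b ou=People,dc=int,dc=com objectClass uid cn
# returns for two test users. uid=test lacks inetUser; uid=alice has it.
SAMPLE_LDIF = """\
dn: uid=test,ou=People,dc=int,dc=com
objectClass: top
objectClass: person
objectClass: organizationalPerson
objectClass: inetOrgPerson
objectClass: posixAccount
uid: test
cn: test
 user

dn: uid=alice,ou=People,dc=int,dc=com
objectClass: top
objectClass: person
objectClass: inetOrgPerson
objectClass: inetUser
objectClass: posixAccount
uid: alice
cn: alice
"""

MEMBEROF_OC = "inetUser"  # the objectclass whose schema allows memberOf
# Assumed standard DN of the plugin's configuration entry; verify on your server.
PLUGIN_DN = "cn=MemberOf Plugin,cn=plugins,cn=config"


def parse_ldif(text):
    """Minimal LDIF parser returning a list of (dn, {attr: [values]}).

    Unfolds continuation lines (a line starting with one space continues the
    previous one), skips comments, and splits records on blank lines.
    Attribute names are lowercased because LDAP compares them case-insensitively.
    """
    entries = []
    current = None
    unfolded = re.sub(r"\n ", "", text)  # join folded lines
    for line in unfolded.splitlines():
        if not line.strip():
            if current:
                entries.append(current)
                current = None
            continue
        if line.startswith("#"):
            continue
        name, _, value = line.partition(":")
        name, value = name.strip().lower(), value.strip()
        if name == "dn":
            current = (value, {})
        elif current is not None:
            current[1].setdefault(name, []).append(value)
    if current:
        entries.append(current)
    return entries


def missing_memberof_oc(entries, oc=MEMBEROF_OC):
    """DNs whose objectClass list lacks `oc` (case-insensitive match)."""
    return [
        dn for dn, attrs in entries
        if oc.lower() not in {v.lower() for v in attrs.get("objectclass", [])}
    ]


def fix_entries_ldif(dns, oc=MEMBEROF_OC):
    """LDIF for ldapmodify that adds the missing objectclass to each DN.
    This is the manual route Mark describes for servers before 1.3.4.5-1."""
    return "".join(
        f"dn: {dn}\nchangetype: modify\nadd: objectClass\nobjectClass: {oc}\n\n"
        for dn in dns
    )


def autoadd_config_ldif(oc=MEMBEROF_OC, plugin_dn=PLUGIN_DN):
    """LDIF that tells the plugin to add `oc` itself when an entry needs memberOf
    (the memberofAutoAddOC setting available from 1.3.4.5-1 onward)."""
    return (
        f"dn: {plugin_dn}\nchangetype: modify\n"
        f"replace: memberofAutoAddOC\nmemberofAutoAddOC: {oc}\n\n"
    )


if __name__ == "__main__":
    todo = missing_memberof_oc(parse_ldif(SAMPLE_LDIF))
    print("# entries needing inetUser:", todo)
    print(fix_entries_ldif(todo), end="")
    print(autoadd_config_ldif(), end="")
```

Pipe the real search output in place of SAMPLE_LDIF, review the generated LDIF, then apply it with ldapmodify as Directory Manager. Running the audit first, rather than relying on the errors log after the fact, also tells you how many entries the upgrade route would have to fix automatically.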