
Dynamic posixGroup, dynlist overlay



Hi,

I'm trying to use dynlist overlay as dynamic group container.

system config:
  OS: debian lenny
  slapd: 2.4.11-1

  slapd.conf
  [...]
  moduleload dynlist
  overlay dynlist
  dynlist-attrset groupOfNames labeledURI member


When I do a search like:

ldapsearch -x cn=ssh_admin

I get:

# extended LDIF
#
# LDAPv3
# base <dc=domain,dc=com> (default) with scope subtree
# filter: cn=ssh_admin
# requesting: ALL
#

# ssh_admin, Server, domain.com
dn: cn=ssh_admin,ou=Server,dc=domain,dc=com
objectClass: groupOfNames
objectClass: labeledURIObject
objectClass: top
objectClass: posixGroup
cn: ssh_admin
member: uid=user1,ou=People,dc=domain,dc=com
member: uid=user2,ou=People,dc=domain,dc=com
labeledURI: ldap:///ou=People,dc=domain,dc=com??sub?(&(objectClass=posixAccount))
gidNumber: 30000

user1 is added manually, since at least one member attribute is required
by groupOfNames (posixGroup is an auxiliary type)

And such a request:
ldapsearch -x "(member=uid=user1,ou=People,dc=domain,dc=com)"

results in:
# extended LDIF
#
# LDAPv3
# base <dc=domain,dc=com> (default) with scope subtree
# filter: (member=uid=user1,ou=People,dc=domain,dc=com)
# requesting: ALL
#

# ssh_admin, Server, domain.com
dn: cn=ssh_admin,ou=Server,dc=domain,dc=com
objectClass: groupOfNames
objectClass: labeledURIObject
objectClass: top
objectClass: posixGroup
cn: ssh_admin
member: uid=user1,ou=People,dc=domain,dc=com
member: uid=user2,ou=People,dc=domain,dc=com
labeledURI: ldap:///ou=People,dc=domain,dc=com??sub?(&(objectClass=posixAccount))
gidNumber: 30000


BUT with this one, which is the search a Linux system does when, e.g.,
running id user2:

ldapsearch -x "(member=uid=user2,ou=People,dc=domain,dc=com)"

I get:
# extended LDIF
#
# LDAPv3
# base <dc=domain,dc=com> (default) with scope subtree
# filter: (member=uid=user2,ou=People,dc=domain,dc=com)
# requesting: ALL
#

# search result
search: 2
result: 0 Success

# numResponses: 1


My question is: how can I make use of dynlist to get this working with a
Linux system, to automate group assignments? Or is there another way to
do it?

The goal is to have dynamic posixGroups generated from some specified
filters, as shown in the example, to manage the authorization to a
service (for instance sshd).

Thanks for any suggestions and help.


-- 
Wiktor Warmus
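The behaviour the post runs into (dynlist members show up when the entry is read, but a `(member=...)` search filter does not match them) can be audited offline before relying on such a group for sshd authorization. The script below is an added example, not part of the post or of OpenLDAP: it parses the group's labeledURI, evaluates a subset of LDAP filters against a constructed People subtree, and reports which members are stored statically in the entry versus derived by the URI filter. The `audit_group` function, the `GROUP`/`DIRECTORY` data and the olduser and svc entries are constructed for the example.

```python
import re

def parse_labeled_uri(uri):
    """Split an RFC 4516 URI 'ldap:///base?attrs?scope?filter' into (base, scope, filter)."""
    base, _, scope, flt = re.match(r"ldap:///([^?]*)\?([^?]*)\?([^?]*)\?(.*)", uri).groups()
    return base, scope or "base", flt or "(objectClass=*)"

def _components(s):  # split "(a=1)(b=2)" into its top-level parenthesised parts
    parts, depth = [], 0
    for i, ch in enumerate(s):
        if ch == "(" and depth == 0:
            start = i
        depth += (ch == "(") - (ch == ")")
        if ch == ")" and depth == 0:
            parts.append(s[start:i + 1])
    return parts

def matches(flt, entry):
    """Evaluate a subset of RFC 4515 filters (equality, presence, &, |, !) against an entry."""
    body = flt.strip()[1:-1]
    if body[0] in "&|!":
        results = [matches(c, entry) for c in _components(body[1:])]
        return all(results) if body[0] == "&" else any(results) if body[0] == "|" else not results[0]
    attr, _, value = body.partition("=")
    present = {v.lower() for v in entry.get(attr.lower(), [])}
    return bool(present) if value == "*" else value.lower() in present

def in_scope(dn, base, scope):  # plain DNs only (no escaped commas), as in the constructed data
    dn, base = dn.lower(), base.lower()
    if scope == "base" or not dn.endswith("," + base):
        return scope != "one" and dn == base
    return scope == "sub" or "," not in dn[:-len(base) - 1]

def audit_group(group, directory):
    """'both': stored and selected by the URI filter; 'static_only': stored but not selected (the filter
    does not govern them); 'dynamic_only': expanded on read only, so a (member=<dn>) search filter
    does not match them, which is what the post observes for user2."""
    base, scope, flt = parse_labeled_uri(group["labeleduri"][0])
    static = set(group.get("member", []))
    dynamic = {dn for dn, e in directory.items() if in_scope(dn, base, scope) and matches(flt, e)}
    return {"both": sorted(static & dynamic), "static_only": sorted(static - dynamic), "dynamic_only": sorted(dynamic - static)}

# Constructed sample: the group from the post plus a small People subtree (attribute names lowercased).
GROUP = {"member": ["uid=user1,ou=People,dc=domain,dc=com", "uid=olduser,ou=People,dc=domain,dc=com"],
         "labeleduri": ["ldap:///ou=People,dc=domain,dc=com??sub?(&(objectClass=posixAccount))"]}
DIRECTORY = {
    "uid=user1,ou=People,dc=domain,dc=com": {"objectclass": ["posixAccount", "inetOrgPerson"]},
    "uid=user2,ou=People,dc=domain,dc=com": {"objectclass": ["posixAccount", "inetOrgPerson"]},
    "uid=olduser,ou=People,dc=domain,dc=com": {"objectclass": ["inetOrgPerson"]},  # no longer a posixAccount
    "uid=svc,ou=Services,dc=domain,dc=com": {"objectclass": ["posixAccount"]},  # outside the URI base
}
```

A `static_only` member keeps its group rights even though the URI filter no longer selects it, so a dynlist group still needs its statically stored members reviewed like any other group.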