
Re: Assigning Groups to LDAP users

On 08/14/2011 03:18 PM, pradyumna dash wrote:
Hi,

Thank you so much.  I have never worked a lot on nss_ldap, so I am asking some
basic questions.

As you said, you guys are running the same in your env.

ldap:
personals user groups:
ou=groups,o=company
first project groups:
cn=group1,ou=project1,o=company
cn=group2,ou=project1,o=company

-- Do I need to create separate OUs for different groups?

Up to you.

You need some "separator" between projects. It can be a branch in the tree, or the scope "base" in the filter configuration in the nss_ldap.conf file.

We prefer branches. It's more readable when you have many groups and many projects.

second project groups:
cn=group1,ou=project2,o=company
cn=group2,ou=project2,o=company
-- How can I specify which users are a part of which group?

cn=group1,ou=project1,o=company
objectClass: posixGroup
cn: group1
gidNumber: 1000
description: project1 admin group
memberUid: user1
memberUid: user2
memberUid: user3

"Server1" nss_ldap.conf:
nss_base_group          ou=groups,o=company?sub
nss_base_group          ou=project1,o=company?one
-- Will the syntax in the conf file be like the above? Because I have never
used ?sub and ?one.

It's URI (http://en.wikipedia.org/wiki/URI_scheme) syntax.
You should write the second part of the URI (after the connection description) with base, scope and filter.

"Server2" nss_ldap.conf:
nss_base_group          ou=groups,o=company?sub
nss_base_group          ou=project2,o=company?one

Also, if you can help, I am trying "pwdReset" for my LDAP users. In the
ppolicy.schema file I have uncommented this attribute but am not able to
load the schema; if you can give me some pointers it would be appreciated.
What I want is that the first time any user logs in he will be asked to change
his password.

1. Try to start slapd with "-d config".
2. Take a look at http://www.zytrax.com/books/ldap/ch6/ppolicy.html

WBR


Regards,
Neo

I am not an expert in OpenLDAP so please help me.
2011/8/14 Dmitriy Kirhlarov <dimma@higis.ru>

    Hi.


    On 08/12/2011 07:40 PM, Buchan Milne wrote:

        On Wednesday, 10 August 2011 10:11:17 pradyumna dash wrote:

            Guys,

            I have a query, let's take a scenario:

            Assume we have 2 servers "Server1" and "Server2" and 2 groups "Admin" and
            "ITTech". What is needed is, say, when a user "bob" logs in to "Server1"
            he will get the group "Admin", but when he logs in to "Server2" he will
            get the group "ITTech". Also it may vary for different users: when "Kris"
            logs in to Server1 he may get a group called "ITTech" and when he logs in
            to "Server2" he will get some other group, say "Security".
            Is this possible with OpenLDAP?


        IMHO, this is a bad idea. It will specifically be problematic if
        you have any
        files shared/replicated/backed up between servers (e.g. via NFS).


    We are using this functionality without any problems. :)
    This is a feature of nss_ldap.

    ldap:
    personals user groups:
    ou=groups,o=company

    first project groups:
    cn=group1,ou=project1,o=company
    cn=group2,ou=project1,o=company

    second project groups:
    cn=group1,ou=project2,o=company
    cn=group2,ou=project2,o=company

    "Server1" nss_ldap.conf:
    nss_base_group          ou=groups,o=company?sub
    nss_base_group          ou=project1,o=company?one

    "Server2" nss_ldap.conf:
    nss_base_group          ou=groups,o=company?sub
    nss_base_group          ou=project2,o=company?one


    WBR


            If this is achieved then we are planning
            to have SUDO files based on the groups.


        It would be much more effective to have your sudo rules in LDAP,
        and apply a
        rule to a set of users/groups to a collection/netgroup of hosts.

        Regards,
        Buchan
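The per-host nss_base_group layout and the "?sub" / "?one" question above, worked through as an added example that is not from this thread and not nss_ldap's own code: a small Python simulation of how a `base?scope?filter` line selects posixGroup entries, run against a constructed three-group directory (only project1's group1 mirrors the entry shown in the thread; the project2 gidNumber and the "staff" group are my own). It assumes a missing scope means "sub", supports only the simple "(attr=value)" equality filter, and splits DNs naively on commas. The last function is the check a practitioner wants before adopting this layout: it reports group names that resolve to different gidNumbers on different hosts, which is the hazard Buchan raises for files shared or replicated between servers.

```python
"""Added example (not from the thread): simulate how nss_ldap's
`nss_base_group base?scope?filter` lines pick posixGroup entries, so the
?sub / ?one question and the per-host group difference can be tried offline."""
import re
from typing import Dict, List, Optional, Tuple

# Constructed sample directory (mine): only project1's group1 mirrors the thread;
# project2 reuses the name group1 with another gidNumber, on purpose.
GROUPS = [
    {"dn": "cn=staff,ou=groups,o=company", "cn": "staff", "gidNumber": 500,
     "memberUid": ["user1"]},
    {"dn": "cn=group1,ou=project1,o=company", "cn": "group1", "gidNumber": 1000,
     "memberUid": ["user1", "user2", "user3"]},
    {"dn": "cn=group1,ou=project2,o=company", "cn": "group1", "gidNumber": 2000,
     "memberUid": ["user1"]},
]
# Per-host nss_base_group values, as laid out in the thread.
SERVER1 = ["ou=groups,o=company?sub", "ou=project1,o=company?one"]
SERVER2 = ["ou=groups,o=company?sub", "ou=project2,o=company?one"]

def dn_components(dn: str) -> List[str]:
    """Split a DN into normalised RDNs (escaped commas not handled; assumption)."""
    return [c.strip().lower() for c in dn.split(",")]

def in_scope(dn: str, base: str, scope: str) -> bool:
    """base = the base entry only; one = its direct children; sub = whole subtree."""
    d, b = dn_components(dn), dn_components(base)
    if scope == "base":
        return d == b
    if scope == "one":
        return len(d) == len(b) + 1 and d[1:] == b
    if scope == "sub":
        return len(d) >= len(b) and d[len(d) - len(b):] == b
    raise ValueError(f"unknown scope {scope!r}")

def parse_nss_base(value: str) -> Tuple[str, str, Optional[str]]:
    """Split 'base?scope?filter'; a missing scope is read as sub (assumption)."""
    parts = [p.strip() for p in value.split("?")] + ["", ""]
    return parts[0], (parts[1].lower() or "sub"), (parts[2] or None)

def matches_filter(entry: dict, flt: Optional[str]) -> bool:
    """Only the simple equality filter '(attr=value)' is supported here."""
    if flt is None:
        return True
    m = re.fullmatch(r"\((\w+)=([^()]*)\)", flt)
    if not m:
        raise ValueError(f"unsupported filter {flt!r}")
    vals = next((v for k, v in entry.items() if k.lower() == m.group(1).lower()), [])
    vals = vals if isinstance(vals, list) else [vals]
    return any(str(v).lower() == m.group(2).lower() for v in vals)

def groups_for_user(uid: str, bases: List[str], entries=GROUPS) -> Dict[str, int]:
    """{cn: gidNumber} of every group under the host's bases listing uid in memberUid."""
    found: Dict[str, int] = {}
    for value in bases:
        base, scope, flt = parse_nss_base(value)
        for e in entries:
            if (in_scope(e["dn"], base, scope) and matches_filter(e, flt)
                    and uid in e["memberUid"]):
                found.setdefault(e["cn"], e["gidNumber"])  # first match wins
    return found

def resolve_all(uid: str) -> Dict[str, Dict[str, int]]:
    """Resolve uid's groups on both hosts."""
    return {"Server1": groups_for_user(uid, SERVER1),
            "Server2": groups_for_user(uid, SERVER2)}

def gid_conflicts(per_host: Dict[str, Dict[str, int]]) -> List[str]:
    """Group names that resolve to different gidNumbers on different hosts: on
    shared or replicated files the numeric gid then means a different group
    per host, which is the problem Buchan points at."""
    seen: Dict[str, Dict[int, List[str]]] = {}
    for host, groups in per_host.items():
        for cn, gid in groups.items():
            seen.setdefault(cn, {}).setdefault(gid, []).append(host)
    return [cn + ": " + ", ".join(f"gid {g} on {'/'.join(h)}" for g, h in sorted(gids.items()))
            for cn, gids in sorted(seen.items()) if len(gids) > 1]

if __name__ == "__main__":
    per_host = resolve_all("user1")
    for host, groups in per_host.items():
        print(f"user1 on {host}: {groups}")
    for warning in gid_conflicts(per_host):
        print("gid conflict ->", warning)
```

Running it shows user1 receiving "group1" with gid 1000 on Server1 and gid 2000 on Server2, and the conflict check flags exactly that pair. On real hosts the equivalent check is to compare `getent group` and `id <user>` output across the servers that share storage, before the per-project branches go live.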