
Re: Assigning Groups to LDAP users



This is exactly what I am trying to achieve as well but with the help of aliased objects so that I have common data (think passwords) across all applicable servers without having to replicate it for each host. I can't however get the aliases to follow across different DITs. 
I'd be curious to know how he deals with scenarios of needing same groups or users on different servers.

On Aug 14, 2011, at 5:35 AM, Dmitriy Kirhlarov <dimma@higis.ru> wrote:

> Hi.
> 
> On 08/12/2011 07:40 PM, Buchan Milne wrote:
>> On Wednesday, 10 August 2011 10:11:17 pradyumna dash wrote:
>>> Guys,
>>> 
>>> I have a query, let's take a scenario:
>>> 
>>> Assume we have 2 servers "Server1" and "Server2" and 2 groups "Admin" and
>>> "ITTech". What is needed is like say when a user "bob" logs
>>> in to "Server1" he will get the group "Admin", but when he logs in to
>>> "Server2" he will get group "ITTech". Also it may vary for different users,
>>> like when "Kris" logs in to Server1 he may get a group called "ITTech" and
>>> when he logs in to "Server2" he will get some other group, say "Security".
>>> Can it be possible by OpenLDAP?
>> 
>> IMHO, this is a bad idea. It will specifically be problematic if you have any
>> files shared/replicated/backed up between servers (e.g. via NFS).
> 
> We are using this functionality without any problems. :)
> This is a feature of nss_ldap.
> 
> ldap:
> personal user groups:
> ou=groups,o=company
> 
> first project groups:
> cn=group1,ou=project1,o=company
> cn=group2,ou=project1,o=company
> 
> second project groups:
> cn=group1,ou=project2,o=company
> cn=group2,ou=project2,o=company
> 
> "Server1" nss_ldap.conf:
> nss_base_group        ou=groups,o=company?sub
> nss_base_group        ou=project1,o=company?one
> 
> "Server2" nss_ldap.conf:
> nss_base_group        ou=groups,o=company?sub
> nss_base_group        ou=project2,o=company?one
> 
> 
> WBR
> 
>>> If this is achieved then we are planning
>>> to have SUDO files based on the groups.
>> 
>> It would be much more effective to have your sudo rules in LDAP, and apply a
>> rule to a set of users/groups to a collection/netgroup of hosts.
>> 
>> Regards,
>> Buchan
>> 
>
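As an added illustration, not code from anyone in this thread: the snippet below simulates how the two quoted nss_ldap.conf fragments scope group lookups per host (multiple nss_base_group lines, each with its own search base and scope), and then runs the check Buchan's warning calls for, flagging group names whose gidNumber differs between Server1 and Server2, since files shared or replicated between the hosts would then show different group ownership. The DIT, gidNumber and memberUid values are constructed for the example, and the "sub" default for a missing scope is an assumption.

```python
# Added example, not from the thread: simulate nss_ldap's per-host group
# scoping, then check for the gidNumber mismatch that breaks shared files.
DIT = {  # constructed DIT, DN -> (gidNumber, memberUid); values are made up
    "cn=staff,ou=groups,o=company":       (1000, ["bob", "kris"]),
    "cn=group1,ou=project1,o=company":    (2001, ["bob"]),
    "cn=group2,ou=project1,o=company":    (2002, ["kris"]),
    "cn=group1,ou=project2,o=company":    (3001, ["kris"]),
    "cn=group2,ou=project2,o=company":    (3002, ["bob"]),
    "cn=deep,ou=x,ou=project2,o=company": (3003, ["bob"]),  # hidden by ?one
}
HOSTS = {  # the two nss_ldap.conf fragments quoted in the thread
    "Server1": ["ou=groups,o=company?sub", "ou=project1,o=company?one"],
    "Server2": ["ou=groups,o=company?sub", "ou=project2,o=company?one"],
}

def split_dn(dn):
    return [rdn.strip().lower() for rdn in dn.split(",")]

def in_scope(dn, base, scope):
    """True if dn would be returned by a search with this base and scope."""
    d, b = split_dn(dn), split_dn(base)
    if len(d) < len(b) or d[len(d) - len(b):] != b:
        return False
    depth = len(d) - len(b)
    return {"base": depth == 0, "one": depth == 1, "sub": True}[scope]

def visible_groups(host):
    """Groups nss_ldap resolves on host: cn -> (gidNumber, members)."""
    groups = {}
    for line in HOSTS[host]:
        base, _, scope = line.partition("?")
        for dn, attrs in DIT.items():
            if in_scope(dn, base, scope or "sub"):  # no scope given: assume sub
                cn = split_dn(dn)[0].split("=", 1)[1]
                groups.setdefault(cn, attrs)  # first matching base wins
    return groups

def user_groups(host, uid):
    """Group names uid belongs to when logging in to host."""
    return sorted(cn for cn, (_, m) in visible_groups(host).items() if uid in m)

def gid_conflicts():
    """Group names whose gidNumber differs between hosts (the NFS hazard)."""
    seen = {}
    for host in HOSTS:
        for cn, (gid, _) in visible_groups(host).items():
            seen.setdefault(cn, set()).add(gid)
    return {cn: sorted(g) for cn, g in seen.items() if len(g) > 1}
```

With this data, bob resolves to group1 on Server1 but group2 on Server2, the entry under the nested OU is invisible because of the ?one scope, and both project group names map to different gidNumbers per host, which is exactly the inconsistency to fix (or avoid by sharing a single gidNumber space) before putting shared storage in front of these hosts.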