openldap memberof attribute
- To: openldap-technical@openldap.org
- Subject: openldap memberof attribute
- From: Vincent Li <vincent.mc.li@gmail.com>
- Date: Wed, 26 Jan 2011 11:05:00 -0800
Hi,
I am doing remote authentication using OpenLDAP to log in to BIGIP. BIGIP
has a feature called remoterole that searches for the attribute 'memberof' on the
LDAP server and, once the attribute is found, assigns the remote user a
role defined in various groups like admin, operator... The feature
works for Active Directory, but I am unable to make it work for
OpenLDAP. I couldn't find a 'memberof' attribute in the OpenLDAP schema, so
I created the 'memberof' attribute in core.schema as below:
[root@centos-vli schema]# diff -u core.schema core.schema.orig
--- core.schema 2011-01-24 23:54:42.000000000 -0800
+++ core.schema.orig 2011-01-24 23:46:11.000000000 -0800
@@ -345,10 +345,6 @@
DESC 'X.520(4th): pseudonym for the object'
SUP name )
-attributetype ( 2.5.4.66 NAME 'memberof'
- DESC 'RFC2256: member of a group'
- SUP distinguishedName )
-
# Standard object classes from RFC2256
# system schema
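Review bot: the diff is taken in the reverse direction (core.schema first, core.schema.orig second), so the attributetype that was added shows up as `-` lines; `diff -u core.schema.orig core.schema` would show the additions as `+`. The definition itself is placed at OID 2.5.4.66, directly after X.520's pseudonym (2.5.4.65) in the same ITU-assigned attribute arc, and its DESC cites RFC2256, which defines no memberof attribute. A site-local attribute belongs in a separate schema file under an OID arc the site owns, rather than in core.schema where a package upgrade can overwrite it.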
@@ -425,7 +421,7 @@
objectclass ( 2.5.6.9 NAME 'groupOfNames'
DESC 'RFC2256: a group of names (DNs)'
SUP top STRUCTURAL
- MUST ( member $ memberof $ cn )
+ MUST ( member $ cn )
MAY ( businessCategory $ seeAlso $ owner $ ou $ o $ description ) )
objectclass ( 2.5.6.10 NAME 'residentialPerson'
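Review bot: putting memberof in the MUST list of groupOfNames makes it mandatory on every group entry, yet the sample group cn=administrator,ou=groups in this same mail carries no memberof, so schema checking will reject that entry when it is added; the value is also logically a property of the member, not of the group. If it has to be stored by hand, it belongs in the MAY list of an auxiliary class applied to the person entries; better still, OpenLDAP's memberof overlay (slapo-memberof) maintains memberOf on the member entries from the groups' member values, which removes the need to give the user entry objectClass groupOfNames and a member attribute pointing back at its own group.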
and here is my sample ldif file:
dn: ou=groups,dc=example,dc=com
objectclass: organizationalunit
ou: groups
description: generic groups branch

# create the itpeople entry under groups
dn: cn=administrator,ou=groups,dc=example,dc=com
objectclass: groupofnames
cn: administrator
description: bigip admin group
member: uid=user5,ou=people,dc=example,dc=com

dn: uid=user5,ou=People,dc=example,dc=com
uid: user5
cn: user5
objectClass: top
objectClass: posixaccount
objectClass: shadowaccount
objectClass: groupOfNames
userPassword: secret
shadowLastChange: 14997
shadowMin: 0
shadowMax: 99999
shadowWarning: 7
loginShell: /bin/bash
uidNumber: 505
gidNumber: 505
homeDirectory: /home/user5
member: cn=administrator,ou=groups,dc=example,dc=com
memberof: cn=administrator,ou=groups,dc=example,dc=com
I can log in to BIGIP fine with user5, but I can't get the administrator
role defined in BIGIP. Is it something I configured wrong in OpenLDAP,
or is the problem on BIGIP?
Thanks
Vincent
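As an added example (not part of Vincent's mail and not OpenLDAP's own code), the following Python script derives memberOf from the groups' member values, the way OpenLDAP's memberof overlay does on the server, and checks the sample entries from the mail against the MUST lists before and after the core.schema change. The MUST table, the function names and the small offline LDIF parser are assumptions made for this example; the entries are the ones from the mail, with the shadow and shell attributes left out.

```python
"""Added example: derive memberOf from group entries and validate MUST attributes
offline, using the LDIF from the mail. The MUST table is an assumption that covers
only the classes used here (values as in stock OpenLDAP core.schema / nis.schema)."""
from collections import defaultdict

# Sample LDIF taken from the mail (shadow/shell attributes omitted for brevity).
SAMPLE_LDIF = """\
dn: ou=groups,dc=example,dc=com
objectclass: organizationalunit
ou: groups
description: generic groups branch

# create the itpeople entry under groups
dn: cn=administrator,ou=groups,dc=example,dc=com
objectclass: groupofnames
cn: administrator
description: bigip admin group
member: uid=user5,ou=people,dc=example,dc=com

dn: uid=user5,ou=People,dc=example,dc=com
uid: user5
cn: user5
objectClass: top
objectClass: posixaccount
objectClass: shadowaccount
objectClass: groupOfNames
userPassword: secret
uidNumber: 505
gidNumber: 505
homeDirectory: /home/user5
member: cn=administrator,ou=groups,dc=example,dc=com
memberof: cn=administrator,ou=groups,dc=example,dc=com
"""

# MUST attributes per object class, lower-cased (assumed; matches the stock schema).
STOCK_MUST = {
    "organizationalunit": {"ou"},
    "groupofnames": {"member", "cn"},
    "posixaccount": {"cn", "uid", "uidnumber", "gidnumber", "homedirectory"},
    "shadowaccount": {"uid"},
}
# Same table after the mail's core.schema edit (memberof added to groupOfNames MUST).
PATCHED_MUST = dict(STOCK_MUST, groupofnames={"member", "memberof", "cn"})


def normalize_dn(dn):
    """Case-fold and trim RDN components so DNs compare the way the server matches them."""
    return ",".join(part.strip().lower() for part in dn.split(","))


def parse_ldif(text):
    """Minimal LDIF reader: list of {'dn': str, 'attrs': {lower-cased attr: [values]}}."""
    entries, current, last_attr = [], None, None
    for line in text.splitlines():
        if line.startswith("#"):
            continue
        if not line.strip():                      # blank line ends an entry
            if current is not None:
                entries.append(current)
            current, last_attr = None, None
            continue
        if line.startswith(" ") and current is not None and last_attr:
            current["attrs"][last_attr][-1] += line[1:]   # folded continuation line
            continue
        attr, _, value = line.partition(":")
        attr, value = attr.strip().lower(), value.strip()
        if attr == "dn":
            current, last_attr = {"dn": value, "attrs": defaultdict(list)}, None
        elif current is not None:
            current["attrs"][attr].append(value)
            last_attr = attr
    if current is not None:
        entries.append(current)
    return entries


def derive_memberof(entries):
    """Compute memberOf as the memberof overlay would: from each group's member values."""
    derived = defaultdict(set)
    for e in entries:
        classes = {c.lower() for c in e["attrs"].get("objectclass", [])}
        if "groupofnames" in classes:
            for member in e["attrs"].get("member", []):
                derived[normalize_dn(member)].add(normalize_dn(e["dn"]))
    return {dn: sorted(groups) for dn, groups in derived.items()}


def memberof_mismatches(entries):
    """DNs whose hand-stored memberof values differ from what the groups actually say."""
    derived = derive_memberof(entries)
    stale = []
    for e in entries:
        stored = {normalize_dn(v) for v in e["attrs"].get("memberof", [])}
        if stored and stored != set(derived.get(normalize_dn(e["dn"]), [])):
            stale.append(e["dn"])
    return stale


def check_must(entries, must_table):
    """(dn, objectClass, missing attribute) for every MUST violation slapadd would report."""
    problems = []
    for e in entries:
        present = set(e["attrs"])
        for oc in e["attrs"].get("objectclass", []):
            for attr in sorted(must_table.get(oc.lower(), ())):
                if attr not in present:
                    problems.append((e["dn"], oc, attr))
    return problems


if __name__ == "__main__":
    ents = parse_ldif(SAMPLE_LDIF)
    print(derive_memberof(ents), memberof_mismatches(ents), check_must(ents, PATCHED_MUST))
```

Run as-is, the script shows two things the mail's setup hides: with the patched schema the cn=administrator group entry fails its own MUST list (no memberof), and because user5 carries objectClass groupOfNames with a member value pointing at the group, the derivation also lists the group as a member of the user, which is the reversed relationship a server-side memberof overlay would never produce.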