Hello,

I try to set up my own posix-group to get a dynamic posix-group and use it to give filesystem permissions. So I did the following:

1. Create two new objectclasses:
------------
objectclass ( 1.3.6.1.4.1.23456.1.2.1 NAME 'stkaPosixGroup'
    DESC 'advanced PosixGroup for dynamic use'
    SUP top AUXILIARY
    MUST ( cn $ gidNumber )
    MAY ( userPassword $ memberUid $ description ) )

objectclass ( 1.3.6.1.4.1.23456.1.2.2 NAME 'stkaPosixAccount'
    DESC 'advanced PosixAccount for dynamic use'
    SUP posixAccount AUXILIARY
    MAY ( memberUID ) )
------------
YES, I know 23456 is not my OID. It's still a test!

2. Then I configured the dynlist overlay in slapd.conf:
------------
overlay dynlist
dynlist-attrset groupOfURLs MemberURL
------------

3. I created a new dynamic group:
------------
dn: cn=dynposix,ou=groups,dc=example,dc=net
objectClass: groupOfURLs
objectClass: stkaPosixGroup
gidNumber: 5000
cn: dynposix
memberURL: ldap:///dc=example,dc=net?memberuid?sub?(title=admin)
------------

4. I added the new objectclass stkaPosixAccount to my users:
------------
dn: cn=Stefan Kania,ou=users,dc=example,dc=net
objectClass: posixAccount
objectClass: inetOrgPerson
objectClass: organizationalPerson
objectClass: person
objectClass: stkaPosixAccount
loginShell: /bin/bash
homeDirectory: /home/skania
uid: skania
cn: Stefan Kania
userPassword:: e1NTSEF9cVk4eDVEaVhmYTZxbEw4MDBnRTlkazdtVDd2TzVocUI=
uidNumber: 10000
gidNumber: 10000
sn: Kania
givenName: Stefan
memberUid: skania
title: admin
------------

5. I set the attribute "title" for two users to "admin" and got:
------------
root@ldapserver:/# ldapsearch -x -D cn=admin,dc=example,dc=net -W -LLL 'cn=dynposix'
dn: cn=dynposix,ou=groups,dc=example,dc=net
objectClass: groupOfURLs
objectClass: stkaPosixGroup
gidNumber: 5000
cn: dynposix
memberURL: ldap:///dc=example,dc=net?memberuid?sub?(title=admin)
memberUid: skania
memberUid: ktom
------------
So my users are members of the group.

6. I use sssd as the LDAP client, so I changed the configuration to:
------------
[sssd]
config_file_version = 2
services = nss, pam
domains = EXAMPLE

[nss]
filter_groups = root
filter_users = root
reconnection_retries = 3

[pam]
reconnection_retries = 3
offline_credentials_expiration = 2
offline_failed_login_attempts = 3
offline_failed_login_delay = 5

[domain/EXAMPLE]
ldap_schema=rfc2307
ldap_uri = ldap://ldapserver.example.net:389
ldap_search_base=dc=example,dc=net
ldap_default_bind_dn=uid=sssd-user,ou=users,dc=example,dc=net
ldap_default_authtok=geheim
id_provider=ldap
auth_provider=ldap
chpass_provider = ldap
ldap_chpass_uri = ldap://ldapserver.example.net:389
cache_credentials = True
ldap_tls_cacertdir = /etc/ssl/zertifikate/demoCA
ldap_tls_cacert = /etc/ssl/zertifikate/demoCA/cacert.pem
ldap_id_use_start_tls = True
ldap_group_object_class = stkaPosixGroup
enumerate = true
------------
I added the line "ldap_group_object_class = stkaPosixGroup". I know "enumerate = true" is not a good idea, but it's still a test ;-)

Now the tests:
---------
getent group
.
.
dynposix:*:5000:
.
.
--------
The group is listed, but none of the members. So I did the following:
--------
root@ldapserver:~# ldapsearch -x -D cn=admin,dc=example,dc=net -W -LLL 'cn=dynposix'
dn: cn=dynposix,ou=groups,dc=example,dc=net
objectClass: groupOfURLs
objectClass: stkaPosixGroup
gidNumber: 5000
cn: dynposix
memberURL: ldap:///dc=example,dc=net?memberuid?sub?(title=admin)
memberUid: skania
memberUid: ktom
--------
There are two memberUid entries. Now I did another test, searching for "memberuid":
--------
root@ldapserver:~# ldapsearch -x -D cn=admin,dc=example,dc=net -W -LLL 'memberuid=*' attrs dn
dn: cn=Stefan Kania,ou=users,dc=example,dc=net
dn: cn=Kater Tom,ou=users,dc=example,dc=net
--------
As you can see, I only get the two users, but my group "dynposix" is not listed.

When I do an "id ktom" I get:
--------
root@ldapserver:~# id ktom
uid=10001(ktom) gid=10000 groups=10000
--------
Also no group "dynposix". It looks like it is not possible to search for the attribute "memberUid" if it's assigned to a groupOfURLs. Does anyone have an idea where I did something wrong?

-- 
Stefan Kania
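The following is an added illustration, written for this page and not code from Stefan's post, from slapd or from sssd. It models the behaviour the post shows: a memberURL is evaluated against the stored entries and the resulting memberUid values are spliced into the group when the entry is returned, while a search filter such as (memberUid=*) is evaluated against what is stored. The sample entries, the simplified matching rule (plain case-insensitive equality for every attribute) and the shape of the rfc2307 group-membership filter a client like sssd sends are constructed assumptions; the `filter_dynamic=True` path is the hypothetical alternative in which the filter sees the expanded values, included only to make the difference visible.

```python
import re

# Constructed sample entries (not the poster's directory): DN -> {attr: [values]}.
# Attribute names are stored lower-cased because LDAP attribute types are case-insensitive.
DIRECTORY = {
    "cn=Stefan Kania,ou=users,dc=example,dc=net": {
        "objectclass": ["posixAccount", "inetOrgPerson", "stkaPosixAccount"],
        "uid": ["skania"], "memberuid": ["skania"], "title": ["admin"],
    },
    "cn=Kater Tom,ou=users,dc=example,dc=net": {
        "objectclass": ["posixAccount", "inetOrgPerson", "stkaPosixAccount"],
        "uid": ["ktom"], "memberuid": ["ktom"], "title": ["admin"],
    },
    "cn=Plain User,ou=users,dc=example,dc=net": {   # neither title=admin nor memberUid
        "objectclass": ["posixAccount", "inetOrgPerson"],
        "uid": ["puser"], "title": ["user"],
    },
    "cn=dynposix,ou=groups,dc=example,dc=net": {
        "objectclass": ["groupOfURLs", "stkaPosixGroup"],
        "cn": ["dynposix"], "gidnumber": ["5000"],
        "memberurl": ["ldap:///dc=example,dc=net?memberuid?sub?(title=admin)"],
    },
}


def parse_ldap_url(url):
    """Split an RFC 4516 URL 'ldap:///base?attrs?scope?filter' into (base, attrs, scope, filter)."""
    m = re.fullmatch(r"ldap://[^/]*/([^?]*)(?:\?([^?]*))?(?:\?([^?]*))?(?:\?(.*))?", url)
    if not m:
        raise ValueError("not an LDAP URL: %r" % url)
    base, attrs, scope, filt = m.groups()
    attrs = [a.lower() for a in (attrs or "").split(",") if a]
    return base.lower(), attrs, (scope or "base").lower(), filt or "(objectClass=*)"


def parse_filter(s, i=0):
    """Recursive-descent parser for the RFC 4515 subset used here:
    (attr=value), the presence form (attr=*), and the &, |, ! combinators."""
    if s[i] != "(":
        raise ValueError("expected '(' at %d in %r" % (i, s))
    i += 1
    if s[i] in "&|":
        op, i, subs = s[i], i + 1, []
        while s[i] == "(":
            node, i = parse_filter(s, i)
            subs.append(node)
    elif s[i] == "!":
        node, i = parse_filter(s, i + 1)
        op, subs = "!", [node]
    else:
        j = s.index(")", i)
        attr, _, value = s[i:j].partition("=")
        op, subs, i = "=", [attr.strip().lower(), value.strip()], j
    if s[i] != ")":
        raise ValueError("expected ')' at %d in %r" % (i, s))
    return (op, subs), i + 1


def matches(node, entry):
    """Evaluate a parsed filter against one entry (assumption: case-insensitive
    equality for every attribute; real servers apply per-attribute matching rules)."""
    op, args = node
    if op == "&":
        return all(matches(n, entry) for n in args)
    if op == "|":
        return any(matches(n, entry) for n in args)
    if op == "!":
        return not matches(args[0], entry)
    attr, value = args
    values = entry.get(attr, [])
    if value == "*":
        return bool(values)
    return any(v.lower() == value.lower() for v in values)


def in_scope(dn, base, scope):
    dn, base = dn.lower(), base.lower()
    if scope == "base":
        return dn == base
    if scope == "one":
        return dn.endswith("," + base) and "," not in dn[: -len(base) - 1]
    return dn == base or dn.endswith("," + base)


def expand_dynlist(entry):
    """Model of the overlay's work on the way out: evaluate each memberURL against the
    stored entries and splice the listed attributes of every match into a copy.
    Nothing is written back, so the stored entry keeps no memberUid values."""
    if "groupofurls" not in [oc.lower() for oc in entry.get("objectclass", [])]:
        return entry
    out = {k: list(v) for k, v in entry.items()}
    for url in entry.get("memberurl", []):
        base, attrs, scope, filt = parse_ldap_url(url)
        node, _ = parse_filter(filt)
        for dn, candidate in DIRECTORY.items():
            if in_scope(dn, base, scope) and matches(node, candidate):
                for attr in attrs:
                    for v in candidate.get(attr, []):
                        if v not in out.setdefault(attr, []):
                            out[attr].append(v)
    return out


def search(filter_str, base="dc=example,dc=net", scope="sub", filter_dynamic=False):
    """Return {dn: entry}. By default the filter is matched against stored attributes
    and expansion happens on the returned entry, reproducing the post's results."""
    node, _ = parse_filter(filter_str)
    result = {}
    for dn, entry in DIRECTORY.items():
        if not in_scope(dn, base, scope):
            continue
        view = expand_dynlist(entry)
        if matches(node, view if filter_dynamic else entry):
            result[dn] = view
    return result


def initgroups(uid, group_oc="stkaPosixGroup", filter_dynamic=False):
    """Approximation of an rfc2307 client's group lookup for a user (assumed filter
    shape); returns the gidNumbers of groups whose memberUid lists the uid."""
    found = search("(&(objectClass=%s)(memberUid=%s))" % (group_oc, uid),
                   filter_dynamic=filter_dynamic)
    return sorted(g for e in found.values() for g in e.get("gidnumber", []))


if __name__ == "__main__":
    group = "cn=dynposix,ou=groups,dc=example,dc=net"
    print("cn=dynposix memberUid:", search("(cn=dynposix)")[group].get("memberuid"))
    print("memberUid=* (stored values):", sorted(search("(memberUid=*)")))
    print("memberUid=* (expanded values):", sorted(search("(memberUid=*)", filter_dynamic=True)))
    print("groups for ktom:", initgroups("ktom"), "vs", initgroups("ktom", filter_dynamic=True))
```

Run as a script it prints the group with both memberUid values when it is fetched by cn, lists only the two user entries for (memberUid=*), and returns no groups for ktom under the stored-values rule, the same three observations as in the post; the `filter_dynamic=True` variants show what the same searches would return if the filter were applied to the expanded entry.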