Re: Question to LDAP/RACF
Dear Robert,

In the case the nsswitch.conf is correctly set, id delivers also the membership in posixGroups from LDAP. You have to add ldap next to files in the config. I did several tests and the posixGroups work well, while the dynamic groups are not supported by pam_ldap.

There is also something which I would like to see: RACF supports in either OMVS or OVM profile all the relevant posixAttributes such as uid, gid, shell, home directory. This is also not supported by pam_ldap. If this would be supported you could manage the user/groups simply from RACF, while in the current situation you must maintain the LDAP part as well. For our system administrators it would be much more convenient to manage users from RACF than to handle any LDAP tools.

Kind regards,
Florian

On Thu, Jun 7, 2012 at 2:12 AM, Robert Hart pbch...@au1.ibm.com wrote:

> Florian,
>
> Not too familiar with dynamic groups but I'm wondering if your expectations are correct. You seem to be expecting that a dynamic group set up in LDAP will reflect in the output of the linux id and getent commands. I don't see why that should be the case - id and getent display information from the file system and databases on the linux machine, not from the LDAP server backend.
>
> Regards,
> Robert Hart

--
Best regards
Florian Bilek

--
For LINUX-390 subscribe / signoff / archive access instructions, send email to lists...@vm.marist.edu with the message: INFO LINUX-390 or visit http://www.marist.edu/htbin/wlvindex?LINUX-390
--
For more information on Linux on System z, visit http://wiki.linuxvm.org/
Re: Question to LDAP/RACF
Florian,

Not too familiar with dynamic groups but I'm wondering if your expectations are correct. You seem to be expecting that a dynamic group set up in LDAP will reflect in the output of the linux id and getent commands. I don't see why that should be the case - id and getent display information from the file system and databases on the linux machine, not from the LDAP server backend.

Regards,
Robert Hart
Australia Development Laboratory (ADL), West Perth
Western Australia
Internet: pbch...@au1.ibm.com
Telephone: 61-8-9261-8560
Tie-line: 701-18560
Fax: 61-8-9261-8453

- Message from Florian Bilek florian.bi...@gmail.com on Mon, 21 May 2012 22:57:21 +0200 -
Subject: Question to LDAP/RACF

> Dear all,
>
> I am trying to enable z/VM LDAP/RACF configuration to consolidate the user administration into one directory. In principle the thing works fine, however I have a question regarding the right configuration: LDAP allows for dynamic groups. Those groups are based on LDAP queries and avoid the need of manually adding/deleting users to such groups. I defined a dynamic group called users that would qualify all accounts that have the attribute uid.
>
> The memberURL is as follows:
>
> dn: cn=users,dc=xxx
> objectclass: posixGroup
> objectclass: top
> objectclass: ibm-dynamicGroup
> cn: users
> gidnumber: 100
> memberurl: ldap:///dc=xxx??one?((objectClass=person)(uid=*))
>
> When I login now with a user I see the following:
>
> $ id
> uid=11002(xbilek) gid=9(usrys) groups=9(usrys)
>
> but it should look like
>
> uid=11002(xbilek) gid=9(usrys) groups=100(users), 9(usrys)
>
> The getent group command shows only the name of the groups but no members:
>
> getent group users shows only: users:x:100:
> getent group usrys shows only: users:x:9:
>
> Maybe the posixGroup is not the best. Is there a howto describing the parameters that need to be checked in ldap.conf?
>
> Thank you very much in advance.
>
> --
> Best regards
> Florian Bilek
Re: Question to LDAP/RACF
I'm not familiar with the dynamic groups feature of LDAP but have other LDAP experience. If I had to guess, the "one?" portion of your memberurl attribute looks like the scope of the query. Assuming your group members are down the tree in another OU, I'd try changing that to "sub?", making your memberurl:

memberurl: ldap:///dc=xxx??sub?((objectClass=person)(uid=*))

I typically work out my queries via the ldapsearch command. Notice the -s scope option for more on what I'm talking about. (LESS=Ipsub man ldapsearch)

--
Jon Miller

On Wed, Jun 6, 2012 at 8:12 PM, Robert Hart pbch...@au1.ibm.com wrote:

> Florian,
>
> Not too familiar with dynamic groups but I'm wondering if your expectations are correct. You seem to be expecting that a dynamic group set up in LDAP will reflect in the output of the linux id and getent commands. I don't see why that should be the case - id and getent display information from the file system and databases on the linux machine, not from the LDAP server backend.
>
> Regards,
> Robert Hart
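The two practical points in this thread, Florian's note that id only shows LDAP posixGroups once nsswitch.conf lists ldap next to files for the group database, and Jon's suggestion that the "one" scope in the memberURL may be the reason the dynamic group stays empty, can be checked locally before touching the server. The script below is an added example, not code from the thread or from IBM's LDAP server: it parses the memberURL as an RFC 4516 LDAP URL, applies its scope and filter to a small constructed directory, and reports which entries a server would list as members under "one" versus "sub". It assumes the filter carries an explicit "&" (the archived copy of the thread shows the filter without it), a simplified DN split with no escaped commas, and filter support limited to &, |, !, equality and presence. The directory entries and the two nsswitch.conf fragments are constructed for the example.

```python
"""Added example (not from the LINUX-390 thread): simulate how a directory
server expands an ibm-dynamicGroup memberURL, to show why scope "one" only
reaches entries directly under dc=xxx while "sub" also reaches a sub-OU, and
check which sources nsswitch.conf lists for the group database."""
import re
from urllib.parse import unquote

# The thread's memberURL, assumed here to carry an explicit "&" in the filter
# (the archived copy shows the filter without it).
MEMBER_URL = "ldap:///dc=xxx??one?(&(objectClass=person)(uid=*))"

# Constructed directory: lowercased attribute names, list values.
DIRECTORY = [
    {"dn": "uid=xbilek,dc=xxx", "objectclass": ["person", "posixAccount"], "uid": ["xbilek"]},
    {"dn": "uid=alice,ou=people,dc=xxx", "objectclass": ["person", "posixAccount"], "uid": ["alice"]},
    {"dn": "cn=users,dc=xxx", "objectclass": ["posixGroup", "ibm-dynamicGroup"], "cn": ["users"]},
    {"dn": "cn=svc-backup,dc=xxx", "objectclass": ["person"]},  # person without a uid
]

# Constructed nsswitch.conf fragments: before and after adding ldap to "group".
NSSWITCH_BEFORE = "passwd: files ldap\ngroup:  files\nshadow: files ldap\n"
NSSWITCH_AFTER = "passwd: files ldap\ngroup:  files ldap\nshadow: files ldap\n"


def parse_ldap_url(url):
    """Split an RFC 4516 URL: ldap://[host]/dn[?attrs[?scope[?filter]]]."""
    m = re.match(r"^ldaps?://([^/]*)/(.*)$", url)
    if not m:
        raise ValueError("not an LDAP URL: %r" % url)
    host, rest = m.groups()
    parts = [unquote(p) for p in rest.split("?")] + [""] * 4
    base, attrs, scope, filt = parts[:4]
    scope = scope.lower() or "base"  # RFC 4516 default scope
    if scope not in ("base", "one", "sub"):
        raise ValueError("unknown scope %r" % scope)
    return {"host": host, "base": base, "attrs": [a for a in attrs.split(",") if a],
            "scope": scope, "filter": filt or "(objectClass=*)"}


def dn_rdns(dn):
    """Normalised RDN list, leaf first (simplified: commas are never escaped)."""
    return [r.strip().lower() for r in dn.split(",") if r.strip()]


def in_scope(entry_dn, base_dn, scope):
    """True if entry_dn lies inside the search scope rooted at base_dn."""
    entry, base = dn_rdns(entry_dn), dn_rdns(base_dn)
    if len(entry) < len(base) or entry[len(entry) - len(base):] != base:
        return False  # not under the base at all
    depth = len(entry) - len(base)
    # base: the base entry only; one: immediate children only; sub: everything below
    return {"base": depth == 0, "one": depth == 1, "sub": True}[scope]


def parse_filter(s):
    """Parse a filter string into a tree; returns (node, unparsed_rest)."""
    s = s.lstrip()
    if not s.startswith("("):
        raise ValueError("filter must start with '(': %r" % s)
    if s[1] in "&|!":
        op, rest, kids = s[1], s[2:], []
        while rest.startswith("("):
            node, rest = parse_filter(rest)
            kids.append(node)
        if not rest.startswith(")"):
            raise ValueError("unbalanced filter")
        return (op, kids), rest[1:]
    end = s.index(")")
    attr, _, value = s[1:end].partition("=")
    return ("=", attr.strip().lower(), value), s[end + 1:]


def matches(node, entry):
    """Evaluate a parsed filter against one entry dict."""
    op = node[0]
    if op in "&|":
        return (all if op == "&" else any)(matches(k, entry) for k in node[1])
    if op == "!":
        return not matches(node[1][0], entry)
    _, attr, value = node
    values = [str(v).lower() for v in entry.get(attr, [])]
    return bool(values) if value == "*" else value.lower() in values  # presence / equality


def dynamic_members(member_url, entries):
    """uids a server would list for the dynamic group described by member_url."""
    url = parse_ldap_url(member_url)
    node, rest = parse_filter(url["filter"])
    if rest.strip():
        raise ValueError("trailing data after filter: %r" % rest)
    return sorted(e["uid"][0] for e in entries if e.get("uid")
                  and in_scope(e["dn"], url["base"], url["scope"]) and matches(node, e))


def nss_sources(nsswitch_text, database):
    """Sources listed for one nsswitch.conf database, e.g. ['files', 'ldap']."""
    for line in nsswitch_text.splitlines():
        name, _, sources = line.split("#", 1)[0].partition(":")
        if name.strip() == database:
            return sources.split()  # action tokens such as [NOTFOUND=return] are kept as-is
    return []


if __name__ == "__main__":
    for scope in ("one", "sub"):
        url = MEMBER_URL.replace("?one?", "?%s?" % scope)
        print("scope=%s -> members %s" % (scope, dynamic_members(url, DIRECTORY)))
    for label, text in (("before", NSSWITCH_BEFORE), ("after", NSSWITCH_AFTER)):
        print("nsswitch %s: group -> %s" % (label, nss_sources(text, "group")))
```

Against the constructed directory, "one" yields only xbilek (who sits directly under dc=xxx), while "sub" also yields alice from ou=people; the group entry itself and the person without a uid are excluded by the filter in both cases. The real server's answer is still the one to trust, which is what Jon's ldapsearch -s check gives you; this script only makes the scope and filter semantics visible. The nsswitch check shows the group line that Florian describes as required: without ldap listed for group, the NSS group database never consults LDAP, whatever the directory returns.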
Question to LDAP/RACF
Dear all,

I am trying to enable z/VM LDAP/RACF configuration to consolidate the user administration into one directory. In principle the thing works fine, however I have a question regarding the right configuration: LDAP allows for dynamic groups. Those groups are based on LDAP queries and avoid the need of manually adding/deleting users to such groups. I defined a dynamic group called users that would qualify all accounts that have the attribute uid.

The memberURL is as follows:

dn: cn=users,dc=xxx
objectclass: posixGroup
objectclass: top
objectclass: ibm-dynamicGroup
cn: users
gidnumber: 100
memberurl: ldap:///dc=xxx??one?((objectClass=person)(uid=*))

When I login now with a user I see the following:

$ id
uid=11002(xbilek) gid=9(usrys) groups=9(usrys)

but it should look like

uid=11002(xbilek) gid=9(usrys) groups=100(users), 9(usrys)

The getent group command shows only the name of the groups but no members:

getent group users shows only: users:x:100:
getent group usrys shows only: users:x:9:

Maybe the posixGroup is not the best. Is there a howto describing the parameters that need to be checked in ldap.conf?

Thank you very much in advance.

--
Best regards
Florian Bilek