The gidNumber attribute is just the primary group.  You won't see any
supplementary groups there, just like /etc/passwd.  Use memberOf with
the group's DN or something for supplementary groups.

If you want to see what the data looks like in the directory, just use
ldapsearch - this is all standard LDAP stuff, you just need to
understand the schemas that are used.

On 22/05/17 23:19, Sebastian Kösters wrote:
> Hi all!
>
> I have a question about the use of LDAP with .htaccess in freeIPA.
>
> I am using freeIPA (V. 4.4.0-14 with CentOS 7). I now wanted to also use
> .htaccess with LDAP.
>
> My first try was this:
>
> ---
>
> Order allow,deny
> Allow from all
> AuthName "test"
> AuthType Basic
> AuthBasicProvider ldap
> AuthLDAPURL "ldaps://ipa01.hostname.de:636 ipa02.hostname.de:636/cn=users,cn=accounts,dc=domain,dc=de?uid"
> Require valid-user
>
> ---
>
> This works perfectly fine for users I created in the freeIPA Webinterface.
>
> I now have to make some changes. Some Users should be able to login on
> the Website that uses the .htaccess and some should not be able to login.
>
> So I decided to create a group and add all users, which should be allowed
> to login via .htaccess.
>
> So my first try was this:
>
> ---
>
> [...]
> Require ldap-attribute gidNumber=101010
> [...]
>
> ---
>
> 101010 is the gid of my newly created group (webtest). That did not
> work. If I use the gid of the "main" group of the users, it's working
> fine (the user is definitely part of the new group).
>
> I also tried several other ways I found with the help of Google, to
> only allow users which are member of the group to have access, but every
> attempt failed.
>
> Maybe one of you guys is able to help me?!
>
> Thank you and best regards
> Sebastian
> _______________________________________________
> FreeIPA-users mailing list -- freeipa-users@lists.fedorahosted.org
> To unsubscribe send an email to freeipa-users-le...@lists.fedorahosted.org
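
The memberOf suggestion from the reply, written out against the configuration quoted above. This is an added example, not part of either message. It assumes the webtest group sits in FreeIPA's default cn=groups,cn=accounts container under the thread's dc=domain,dc=de suffix, and that the identity Apache searches with is allowed to read memberOf on user entries.

```apache
# Constructed example. The group DN is assumed from FreeIPA's default layout;
# confirm it against the directory before relying on it.
#
# To see what a user's entry actually holds (someuser is a placeholder):
#   ldapsearch -x -H ldaps://ipa01.hostname.de:636 \
#     -b cn=users,cn=accounts,dc=domain,dc=de "(uid=someuser)" gidNumber memberOf

AuthName "test"
AuthType Basic
AuthBasicProvider ldap
AuthLDAPURL "ldaps://ipa01.hostname.de:636 ipa02.hostname.de:636/cn=users,cn=accounts,dc=domain,dc=de?uid"

# Before: never matches a supplementary group, because gidNumber on the
# user entry holds only the primary group's GID.
#Require ldap-attribute gidNumber=101010

# After: memberOf on the user entry lists the DNs of the groups the user
# belongs to, so compare against the group's DN.
Require ldap-attribute memberOf=cn=webtest,cn=groups,cn=accounts,dc=domain,dc=de
```

If memberOf is not readable to the identity Apache uses, the Require line fails and access is denied even for group members, so a denial here can be a read-permission problem and not a membership problem.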