Hi,

I have created 2 groups and modified the ldap.conf file in the client as below:

nss_base_passwd ou=people,dc=example,dc=com?one
nss_base_shadow ou=people,dc=example,dc=com?one
nss_base_group ou=Group,dc=example,dc=com?one

From the client, when I run getent I can see my groups and users, but when I log in to a user and try id, it shows me the primary group, not the secondary groups I have added.

I am using SLES 11 SP1.

Regards,
Pradyumna

2011/8/15 Dmitriy Kirhlarov <[email protected]>

> please, keep a list address in the Cc.
>
> WNBR
>
>
> On 08/14/2011 04:20 PM, pradyumna dash wrote:
>
>> Thank you so much.
>>
>> I will try it this week and get back to you in case of any issues.
>>
>> Thanks for your time.
>>
>> Regards,
>> Pradyumna
>>
>> 2011/8/14 Dmitriy Kirhlarov <[email protected]>
>>
>>     On 08/14/2011 03:18 PM, pradyumna dash wrote:
>>
>>         Hi,
>>
>>         Thank you so much. I have never worked a lot on nss_ldap so asking some
>>         basic questions.
>>
>>         As per you said you guys are running the same in your env.
>>
>>         ldap:
>>         personals user groups:
>>         ou=groups,o=company
>>         first project groups:
>>         cn=group1,ou=project1,o=company
>>         cn=group2,ou=project1,o=company
>>
>>         -- Do I need to create separate OUs for different groups?
>>
>>     Up to you.
>>
>>     You need some "separator" between projects. It can be a branch in the
>>     tree, or scope "base" in the filter configuration from the nss_ldap.conf file.
>>
>>     We prefer branches. It's more readable when you have many
>>     groups and many projects.
>>
>>         second project groups:
>>         cn=group1,ou=project2,o=company
>>         cn=group2,ou=project2,o=company
>>         -- How can I specify the users who are a part of which group?
>>
>>     cn=group1,ou=project1,o=company
>>     objectClass: posixGroup
>>     cn: group1
>>     gidNumber: 1000
>>     description: project1 admin group
>>     memberUid: user1
>>     memberUid: user2
>>     memberUid: user3
>>
>>         "Server1" nss_ldap.conf:
>>         nss_base_group ou=groups,o=company?sub
>>         nss_base_group ou=project1,o=company?one
>>         -- The syntax in the conf file will be like above? Because I have never
>>         used ?sub and ?one
>>
>>     It's URI (http://en.wikipedia.org/wiki/URI_scheme) syntax.
>>     You should write the second part of the URI (after the connection
>>     description) with base, scope and filter.
>>
>>         "Server2" nss_ldap.conf:
>>         nss_base_group ou=groups,o=company?sub
>>         nss_base_group ou=project2,o=company?one
>>
>>         Also if you can help, am trying "pwdReset" for my ldap users, in the
>>         ppolicy.schema file I have uncommented this attribute but not able to
>>         load the schema, if you can give me some pointers would be appreciated.
>>         What I want is when first time any user logs in he will be asked to change
>>         his password.
>>
>>     1. try to start slapd with "-d config"
>>     2. take a look to
>>        http://www.zytrax.com/books/ldap/ch6/ppolicy.html
>>
>>     WBR
>>
>>         Regards,
>>         Neo
>>
>>         I am not an expert in OpenLDAP so please help me.
>>
>>         2011/8/14 Dmitriy Kirhlarov <[email protected]>
>>
>>             Hi.
>>
>>             On 08/12/2011 07:40 PM, Buchan Milne wrote:
>>
>>                 On Wednesday, 10 August 2011 10:11:17 pradyumna dash wrote:
>>
>>                     Guys,
>>
>>                     I have a query, let's take a scenario:
>>
>>                     Assume we have 2 servers "Server1" and "Server2" and 2
>>                     groups "Admin" and "ITTech". What is needed is like say when a
>>                     user "bob" logging in to "Server1" he will get the group "Admin",
>>                     but when he logs in to "Server2" he will get group "ITTech".
>>                     Also it may vary for different users, like when "Kris" logs in to
>>                     Server1 he may get a group called "ITTech" and when he logs in to
>>                     "Server2" he will get some other group, say "Security".
>>                     Can it be possible by OpenLDAP?
>>
>>                 IMHO, this is a bad idea. It will specifically be problematic if
>>                 you have any files shared/replicated/backed up between servers
>>                 (e.g. via NFS).
>>
>>             We are using this functionality without any problems. :)
>>             This is a feature of nss_ldap.
>>
>>             ldap:
>>             personals user groups:
>>             ou=groups,o=company
>>
>>             first project groups:
>>             cn=group1,ou=project1,o=company
>>             cn=group2,ou=project1,o=company
>>
>>             second project groups:
>>             cn=group1,ou=project2,o=company
>>             cn=group2,ou=project2,o=company
>>
>>             "Server1" nss_ldap.conf:
>>             nss_base_group ou=groups,o=company?sub
>>             nss_base_group ou=project1,o=company?one
>>
>>             "Server2" nss_ldap.conf:
>>             nss_base_group ou=groups,o=company?sub
>>             nss_base_group ou=project2,o=company?one
>>
>>             WBR
>>
>>                     If this is achieved then we are planning
>>                     to have SUDO files based on the groups.
>>
>>                 It would be much more effective to have your sudo rules in LDAP,
>>                 and apply a rule to a set of users/groups to a
>>                 collection/netgroup of hosts.
>>
>>                 Regards,
>>                 Buchan
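
The per-host group views discussed in this thread, as an added example (not code from any of the posters): a small offline model of how the base and scope in each `nss_base_group` line select posixGroup entries. The directory contents, members and all gidNumbers other than 1000 are constructed, and the helper names are hypothetical. It also reports gidNumbers that resolve to different groups on different hosts, which is the situation behind the shared-files caveat quoted above.

```python
DIRECTORY = {  # constructed sample data; layout follows the thread
    "cn=staff,ou=groups,o=company":    {"gidNumber": 500,  "memberUid": ["bob", "kris"]},
    "cn=group1,ou=project1,o=company": {"gidNumber": 1000, "memberUid": ["bob"]},
    "cn=group2,ou=project1,o=company": {"gidNumber": 1001, "memberUid": ["kris"]},
    "cn=group1,ou=project2,o=company": {"gidNumber": 1000, "memberUid": ["kris"]},
    "cn=group2,ou=project2,o=company": {"gidNumber": 2001, "memberUid": ["bob"]},
}
SERVER1 = "nss_base_group ou=groups,o=company?sub\nnss_base_group ou=project1,o=company?one\n"
SERVER2 = "nss_base_group ou=groups,o=company?sub\nnss_base_group ou=project2,o=company?one\n"

def rdns(dn):
    # Naive split: assumes no escaped commas, true for the constructed DNs.
    return [part.strip().lower() for part in dn.split(",")]

def parse_bases(conf_text):
    bases = []  # [(base as RDN list, scope)] for each nss_base_group line
    for line in conf_text.splitlines():
        fields = line.split()
        if len(fields) == 2 and fields[0] == "nss_base_group":
            base, _, rest = fields[1].partition("?")
            scope = rest.split("?")[0] or "sub"  # missing scope: assumed subtree
            bases.append((rdns(base), scope))
    return bases

def in_scope(dn, base, scope):
    parts = rdns(dn)
    depth = len(parts) - len(base)  # levels below the search base
    if depth < 0 or parts[depth:] != base:
        return False
    return {"base": depth == 0, "one": depth == 1, "sub": True}[scope]

def visible_groups(conf_text):
    bases = parse_bases(conf_text)
    return {dn: e for dn, e in DIRECTORY.items()
            if any(in_scope(dn, b, s) for b, s in bases)}

def groups_for(user, conf_text):
    """Sorted (cn, gidNumber) pairs this host resolves for the user."""
    return sorted((rdns(dn)[0][3:], e["gidNumber"])
                  for dn, e in visible_groups(conf_text).items()
                  if user in e["memberUid"])

def gid_conflicts(*confs):
    """gidNumbers that name different entries depending on the host."""
    owners = {}
    for conf in confs:
        for dn, e in visible_groups(conf).items():
            owners.setdefault(e["gidNumber"], set()).add(dn)
    return {gid: sorted(dns) for gid, dns in owners.items() if len(dns) > 1}
```
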
