Hi,

Please find the contents as below.

dn: cn=pradyumna,ou=People,dc=example,dc=com
objectClass: person
objectClass: inetOrgPerson
objectClass: posixAccount
cn: pradyumna
uid: pradyumna
sn: dash
structuralObjectClass: inetOrgPerson
entryUUID: c479788c-5b6d-1030-9d75-19f66ff1c84f
creatorsName: cn=manager,dc=example,dc=com
createTimestamp: 20110815093616Z
uidNumber: 507
gidNumber: 100
homeDirectory: /home/pradyumna
loginShell: /bin/bash
userPassword:: e1NTSEF9Q1lrZTVOQTM5ZUppSVlzL1YwbnR2a0pGemQ1ekVxbWQ=
entryCSN: 20110815130355.986136Z#000000#000#000000
modifiersName: cn=Manager,dc=example,dc=com
modifyTimestamp: 20110815130355Z

dn: cn=m3,ou=Group,dc=example,dc=com
objectClass: posixGroup
objectClass: groupOfNames
gidNumber: 100
cn: m3
structuralObjectClass: groupOfNames
entryUUID: 15582474-5b73-1030-9d76-19f66ff1c84f
creatorsName: cn=manager,dc=example,dc=com
createTimestamp: 20110815101419Z
memberUid: pradyumna
member: cn=test,ou=People,dc=example,dc=com
entryCSN: 20110815130141.119665Z#000000#000#000000
modifiersName: cn=manager,dc=example,dc=com
modifyTimestamp: 20110815130141Z

I think this is what you asked for.

Regards,
Neo

On Mon, Aug 15, 2011 at 6:36 PM, Dmitriy Kirhlarov <[email protected]> wrote:

> 15.08.2011 17:24, pradyumna dash wrote:
>
>  Hi,
>>
>> I have created 2 groups and modified the ldap.conf file in the client as
>> below
>>
>> nss_base_passwd ou=people,dc=example,dc=com?one
>> nss_base_shadow ou=people,dc=example,dc=com?one
>> nss_base_group  ou=Group,dc=example,dc=com?one
>>
>> From the client when I run getent I can see my groups and users, but
>> when I log in to a user and try id it shows me the primary group, not the
>> secondary groups I have added.
>>
>
> Could you, please, show DN of primary and secondary groups and body of these
> objects (object classes and attributes).
>
> WBR
>
>
>> I am using SLES 11 SP1.
>>
>> Regards,
>> Pradyumna
>>
>> 2011/8/15 Dmitriy Kirhlarov <[email protected]>
>>
>>
>>    please, keep a list address in the Cc.
>>
>>    WNBR
>>
>>
>>    On 08/14/2011 04:20 PM, pradyumna dash wrote:
>>
>>        Thank you so much.
>>
>>        I will try it this week and get back to you in case of any issues.
>>
>>        Thanks for your time.
>>
>>        Regards,
>>        Pradyumna
>>
>>        2011/8/14 Dmitriy Kirhlarov <[email protected]>
>>
>>
>>
>>
>>            On 08/14/2011 03:18 PM, pradyumna dash wrote:
>>
>>                Hi,
>>
>>                Thank you so much.  I have never worked a lot on nss_ldap so
>>                asking some basic questions.
>>
>>                As you said, you guys are running the same in your env.
>>
>>                ldap:
>>                personals user groups:
>>                ou=groups,o=company
>>                first project groups:
>>                cn=group1,ou=project1,o=company
>>                cn=group2,ou=project1,o=company
>>
>>                -- Do I need to create separate OU's for different groups?
>>
>>
>>            Up to you.
>>
>>            You need some "separator" between projects. It can be branch in the
>>            tree, or scope "base" in filter configuration from nss_ldap.conf file.
>>
>>            We prefer branches. It's more readable, when you have many
>>            groups and many projects.
>>
>>
>>                second project groups:
>>                cn=group1,ou=project2,o=company
>>                cn=group2,ou=project2,o=company
>>                -- How can I specify the users who are a part of which group?
>>
>>
>>            cn=group1,ou=project1,o=company
>>            objectClass: posixGroup
>>            cn: group1
>>            gidNumber: 1000
>>            description: project1 admin group
>>            memberUid: user1
>>            memberUid: user2
>>            memberUid: user3
>>
>>
>>        "Server1" nss_ldap.conf:
>>                nss_base_group          ou=groups,o=company?sub
>>                nss_base_group          ou=project1,o=company?one
>>                --The syntax in the conf file will be like above ?? Because I
>>                have never used ?sub and ?one
>>
>>
>>            It's URI (http://en.wikipedia.org/wiki/URI_scheme) syntax.
>>            You should write second part of URI (after connection
>>            description) with base, scope and filter.
>>
>>
>>        "Server2" nss_ldap.conf:
>>                nss_base_group          ou=groups,o=company?sub
>>                nss_base_group          ou=project2,o=company?one
>>
>>                Also if you can help, am trying "pwdReset" for my ldap users,
>>                in the ppolicy.schema file I have uncommented this attribute
>>                but not able to load the schema, if you can give me some
>>                pointers would be appreciated.
>>                What I want is when first time any user logs in he will be
>>                asked to change his password.
>>
>>
>>            1. try to start slapd with "-d config"
>>            2. take a look at
>>               http://www.zytrax.com/books/ldap/ch6/ppolicy.html
>>
>>            WBR
>>
>>
>>                Regards,
>>                Neo
>>
>>                I am not an expert in OpenLDAP so please help me.
>>                2011/8/14 Dmitriy Kirhlarov <[email protected]>
>>
>>
>>
>>                    Hi.
>>
>>
>>                    On 08/12/2011 07:40 PM, Buchan Milne wrote:
>>
>>                        On Wednesday, 10 August 2011 10:11:17 pradyumna dash wrote:
>>
>>                            Guys,
>>
>>                            I have a query, let's take a scenario :
>>
>>                            Assume we have 2 servers "Server1" and "Server2" and 2
>>                            groups "Admin" and "ITTech", What is needed is like say
>>                            when a user "bob" logging in to "Server1" he will get the
>>                            group "Admin", but when he logs in to "Server2" he will
>>                            get group "ITTech".  Also it may vary for different users
>>                            like when "Kris" logs in to Server1 he may get a group
>>                            called "ITTech" and when he logs in to "Server2" he will
>>                            get some other group say "Security".
>>                            Can it be possible by OpenLDAP ?
>>
>>
>>                        IMHO, this is a bad idea. It will specifically be
>>                        problematic if you have any files
>>                        shared/replicated/backed up between servers (e.g. via NFS).
>>
>>
>>                    We are using this functionality without any problems. :)
>>                    This is a feature of nss_ldap.
>>
>>                    ldap:
>>                    personals user groups:
>>                    ou=groups,o=company
>>
>>                    first project groups:
>>                    cn=group1,ou=project1,o=company
>>                    cn=group2,ou=project1,o=company
>>
>>                    second project groups:
>>                    cn=group1,ou=project2,o=company
>>                    cn=group2,ou=project2,o=company
>>
>>        "Server1" nss_ldap.conf:
>>                    nss_base_group          ou=groups,o=company?sub
>>                    nss_base_group          ou=project1,o=company?one
>>
>>        "Server2" nss_ldap.conf:
>>                    nss_base_group          ou=groups,o=company?sub
>>                    nss_base_group          ou=project2,o=company?one
>>
>>
>>                    WBR
>>
>>
>>                            If this is achieved then we are planning
>>                            to have SUDO files based on the groups.
>>
>>
>>                        It would be much more effective to have your sudo rules
>>                        in LDAP, and apply a rule to a set of users/groups to a
>>                        collection/netgroup of hosts.
>>
>>                        Regards,
>>                        Buchan
>>
>>
>>
>>
>>
>>
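
Added example, not part of the thread and not nss_ldap's own code: a simplified Python model of the per-host group selection discussed above. It evaluates each `nss_base_group` base and scope against group DNs, then matches `memberUid`. The DNs and config lines are taken from the thread; the project2 gidNumber, user1's primary gid and user1's membership in the project2 group are constructed, and treating a missing scope as `sub` is an assumption.

```python
# Simplified model of base/scope filtering plus memberUid matching.
# DN comparison assumes no escaped commas inside RDN values.

def rdns(dn):
    return [p.strip().lower() for p in dn.split(",")]

def in_scope(entry_dn, base, scope):
    e, b = rdns(entry_dn), rdns(base)
    if len(e) < len(b) or e[len(e) - len(b):] != b:
        return False                      # entry is not under this base
    depth = len(e) - len(b)
    return {"base": depth == 0, "one": depth == 1, "sub": True}[scope]

def parse_bases(conf, key="nss_base_group"):
    bases = []
    for line in conf.splitlines():
        parts = line.split()
        if len(parts) == 2 and parts[0] == key:
            fields = parts[1].split("?")  # base?scope?filter
            scope = fields[1] if len(fields) > 1 and fields[1] else "sub"  # assumed default
            bases.append((fields[0], scope))
    return bases

def gids_for(uid, primary_gid, groups, conf):
    """Primary gid plus gids of visible groups listing uid in memberUid."""
    bases = parse_bases(conf)
    gids = {primary_gid}
    for g in groups:
        visible = any(in_scope(g["dn"], b, s) for b, s in bases)
        if visible and uid in g["memberUid"]:
            gids.add(g["gidNumber"])
    return sorted(gids)

GROUPS = [
    {"dn": "cn=m3,ou=Group,dc=example,dc=com", "gidNumber": 100,
     "memberUid": ["pradyumna"]},
    {"dn": "cn=group1,ou=project1,o=company", "gidNumber": 1000,
     "memberUid": ["user1", "user2", "user3"]},
    {"dn": "cn=group1,ou=project2,o=company", "gidNumber": 2000,  # constructed
     "memberUid": ["user1"]},
]
SERVER1 = "nss_base_group ou=groups,o=company?sub\nnss_base_group ou=project1,o=company?one"
SERVER2 = "nss_base_group ou=groups,o=company?sub\nnss_base_group ou=project2,o=company?one"
CLIENT = "nss_base_group  ou=Group,dc=example,dc=com?one"

if __name__ == "__main__":
    print("Server1:", gids_for("user1", 500, GROUPS, SERVER1))   # 500 is constructed
    print("Server2:", gids_for("user1", 500, GROUPS, SERVER2))
    print("Client: ", gids_for("pradyumna", 100, GROUPS, CLIENT))
```

With the two entries posted at the top of this message, the only group listing `memberUid: pradyumna` has `gidNumber: 100`, the same value as the user's own `gidNumber`, so the model returns a single gid for that user.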
