On 02.11.2017 at 17:00, Mario Rossi wrote:
> If using own objectclass, I would think you will use custom attributes ?
> 
> ldap_group_member = *hMemberDN*
> ldap_user_member_of = *description*

This is what I did now. Let me put together everything I did:

1. I created my own ObjectClasses
-----------------
objectclass (1.3.6.1.4.1.23456.1.2.1 NAME 'stkaPosixGroup'
        DESC 'advanced PosixGroup for dynamic use'
        SUP top AUXILIARY
        MUST ( cn $ gidNumber )
        MAY ( userPassword $ memberUid $ description ) )

objectclass (1.3.6.1.4.1.23456.1.2.2 NAME 'stkaPosixAccount'
        DESC 'advanced PosixAccount for dynamic use'
        SUP posixAccount AUXILIARY
        MAY ( memberUID ))
-----------------
(YES, I know that the OID is not my OID. It's just a test!)

Then I created a group:
----------------
dn: cn=dynposix,ou=groups,dc=example,dc=net
cn: dynposix
gidNumber: 5000
objectClass: groupOfURLs
objectClass: stkaPosixGroup
objectClass: top
memberURL: ldap:///dc=example,dc=net?memberUID?sub?(title=admin)
----------------

I create every user like this one:
----------------
dn: uid=a1,ou=users,dc=example,dc=net
loginShell: /bin/bash
homeDirectory: /home/a1
gidNumber: 10000
uid: a1
cn: anwender 1
uidNumber: 10007
sn: 1
givenName: anwender
objectClass: posixAccount
objectClass: inetOrgPerson
objectClass: organizationalPerson
objectClass: person
objectClass: stkaPosixAccount
memberUid: a1
title: admin
----------------

Now every user with this configuration will become a member of my group
"dynposix".

Then I configured sssd:
----------------
[sssd]
config_file_version = 2
services = nss, pam
domains = LDAP

[nss]
filter_groups = root
filter_users = root
reconnection_retries = 3

[pam]
reconnection_retries = 3
offline_credentials_expiration = 2
offline_failed_login_attempts = 3
offline_failed_login_delay = 5

[domain/LDAP]
ldap_schema=rfc2307
ldap_uri = ldap://ldapserver.example.net:389
ldap_search_base=dc=example,dc=net
ldap_default_bind_dn=uid=sssd-user,ou=users,dc=example,dc=net
ldap_default_authtok=geheim
id_provider=ldap
auth_provider=ldap
chpass_provider = ldap
ldap_chpass_uri = ldap://ldapserver.example.net:389
cache_credentials = True
enumerate = true
ldap_tls_cacertdir = /etc/ssl/zertifikate/demoCA
ldap_tls_cacert = /etc/ssl/zertifikate/demoCA/cacert.pem
ldap_purge_cache_timeout = 10
ldap_enumeration_refresh_timeout = 5
ldap_group_object_class = stkaPosixGroup
----------------

Because sssd now only looks for groups with the objectClass
stkaPosixGroup, I'm adding that ObjectClass to every PosixGroup,
so sssd will find all groups.

Now I can give my dynamic group permissions inside the filesystem and
the member list is dynamic.

The only problem I have is that it takes several minutes until the
changes inside the LDAP database are seen by sssd. So it takes
several minutes until "getent group" shows the changes :-(

Maybe someone can give me a hint where to look to get it faster.


But I think it would be a good idea to be capable of changing the filter.
Stefan
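To see offline which users the memberURL above would pull into "dynposix" (and why each user entry in the mail carries its own memberUid value), here is an added example that is not part of the original mail: it models the dynlist overlay's behaviour by parsing the RFC 4516 URL, applying scope and filter to constructed user entries, and collecting the attribute named in the URL. The user entries and the dynlist semantics it models are assumptions for illustration, not anything from the poster's directory.

```python
"""Offline model of an OpenLDAP dynlist memberURL (added example, not from the mail).

Parses ldap:///base?attrs?scope?filter and returns the values the overlay would copy
into the group. Supports equality filters plus one level of & / | / ! which covers
the thread's filter, (title=admin). Entries below are constructed sample data.
"""
import re
from urllib.parse import unquote

# Constructed entries: a1 is an admin, a2 is not, svc matches but is outside the base.
USERS = [
    {"dn": "uid=a1,ou=users,dc=example,dc=net", "memberUid": ["a1"], "title": ["admin"]},
    {"dn": "uid=a2,ou=users,dc=example,dc=net", "memberUid": ["a2"], "title": ["user"]},
    {"dn": "uid=svc,ou=users,dc=other,dc=net", "memberUid": ["svc"], "title": ["admin"]},
]

def parse_member_url(url):
    """Split an LDAP URL into (base, [attrs], scope, filter)."""
    m = re.fullmatch(r"ldap:///([^?]*)\?([^?]*)\?([^?]*)\?(.*)", url)
    if not m:
        raise ValueError("not an LDAP URL with a filter: %s" % url)
    base, attrs, scope, flt = (unquote(p) for p in m.groups())
    return base, [a for a in attrs.split(",") if a], scope or "base", flt

def attr_values(entry, name):
    """Attribute lookup; LDAP attribute names are case-insensitive."""
    return [v for k, vs in entry.items() if k.lower() == name.lower() for v in vs]

def matches(entry, flt):
    """Evaluate a small RFC 4515 subset: (a=v), (&(..)(..)), (|(..)(..)), (!(..))."""
    if flt[1] in "&|":
        parts = re.findall(r"\([^()]*\)", flt[2:-1])
        return (all if flt[1] == "&" else any)(matches(entry, p) for p in parts)
    if flt[1] == "!":
        return not matches(entry, flt[2:-1])
    attr, value = flt[1:-1].split("=", 1)
    return value.lower() in [v.lower() for v in attr_values(entry, attr)]

def in_scope(dn, base, scope):
    """'base' matches only the base entry; anything else is treated as 'sub'."""
    dn, base = dn.lower(), base.lower()
    return dn == base if scope == "base" else (dn == base or dn.endswith("," + base))

def dynamic_members(member_url, entries=USERS):
    """Values the dynlist overlay would add to the group for this memberURL."""
    base, attrs, scope, flt = parse_member_url(member_url)
    found = set()
    for e in entries:
        if in_scope(e["dn"], base, scope) and matches(e, flt):
            for a in attrs:                 # the URL's attribute list is what gets copied
                found.update(attr_values(e, a))
    return sorted(found)
```

Running `dynamic_members("ldap:///dc=example,dc=net?memberUID?sub?(title=admin)")` against the constructed entries yields only a1; a2 fails the filter and svc lies outside the search base.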

_______________________________________________
sssd-users mailing list -- sssd-users@lists.fedorahosted.org