On 02.11.2017 at 17:00, Mario Rossi wrote:
> If using own objectclass, I would think you will use custom attributes ?
>
> ldap_group_member = *hMemberDN*
> ldap_user_member_of = *description*
This is what I did now. Let me put together everything I did:

1. I created my own ObjectClasses
-----------------
objectclass ( 1.3.6.1.4.1.23456.1.2.1 NAME 'stkaPosixGroup'
    DESC 'advanced PosixGroup for dynamic use'
    SUP top AUXILIARY
    MUST ( cn $ gidNumber )
    MAY ( userPassword $ memberUid $ description ) )

objectclass ( 1.3.6.1.4.1.23456.1.2.2 NAME 'stkaPosixAccount'
    DESC 'advanced PosixAccount for dynamic use'
    SUP posixAccount AUXILIARY
    MAY ( memberUid ) )
-----------------
(YES, I know that the OID is not my OID. It's just a test!)

Then I created a group:
----------------
dn: cn=dynposix,ou=groups,dc=example,dc=net
cn: dynposix
gidNumber: 5000
objectClass: groupOfURLs
objectClass: stkaPosixGroup
objectClass: top
memberURL: ldap:///dc=example,dc=net?memberUID?sub?(title=admin)
----------------

I create every user like this one:
----------------
dn: uid=a1,ou=users,dc=example,dc=net
loginShell: /bin/bash
homeDirectory: /home/a1
gidNumber: 10000
uid: a1
cn: anwender 1
uidNumber: 10007
sn: 1
givenName: anwender
objectClass: posixAccount
objectClass: inetOrgPerson
objectClass: organizationalPerson
objectClass: person
objectClass: stkaPosixAccount
memberUid: a1
title: admin
----------------
Now every user with this configuration will become a member of my group "dynposix".

Then I configured sssd:
----------------
[sssd]
config_file_version = 2
services = nss, pam
domains = LDAP

[nss]
filter_groups = root
filter_users = root
reconnection_retries = 3

[pam]
reconnection_retries = 3
offline_credentials_expiration = 2
offline_failed_login_attempts = 3
offline_failed_login_delay = 5

[domain/LDAP]
ldap_schema = rfc2307
ldap_uri = ldap://ldapserver.example.net:389
ldap_search_base = dc=example,dc=net
ldap_default_bind_dn = uid=sssd-user,ou=users,dc=example,dc=net
ldap_default_authtok = geheim
id_provider = ldap
auth_provider = ldap
chpass_provider = ldap
ldap_chpass_uri = ldap://ldapserver.example.net:389
cache_credentials = True
enumerate = true
ldap_tls_cacertdir = /etc/ssl/zertifikate/demoCA
ldap_tls_cacert = /etc/ssl/zertifikate/demoCA/cacert.pem
ldap_purge_cache_timeout = 10
ldap_enumeration_refresh_timeout = 5
ldap_group_object_class = stkaPosixGroup
----------------
Because sssd is now only looking for groups with the objectClass stkaPosixGroup, I'm adding the ObjectClass to every posixGroup, so sssd will find all groups.

Now I can give my dynamic group permissions inside the filesystem, and the member list is dynamic. The only problem I have is that it takes several minutes until changes inside the LDAP database are seen by sssd. So it takes several minutes until "getent group" shows the changes :-(

Maybe someone can give me a hint where to look to get it faster. But I think it would be a good idea to be capable of changing the filter.

Stefan
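The group entry above relies on the directory server expanding the memberURL into memberUid values that sssd then reads as ordinary rfc2307 group members. The following is an added example, not code from the post or from sssd/OpenLDAP: it parses the RFC 4516 URL from the post and evaluates its filter and scope over constructed user entries modelled on the post's LDIF, so you can check offline which uids a given memberURL would select. It assumes caseIgnoreMatch for attribute values and supports only equality filters and (&...)/(|...) combinations.

```python
from urllib.parse import unquote

# Constructed entries modelled on the post's users (not real directory data).
USERS = [
    {"dn": "uid=a1,ou=users,dc=example,dc=net", "uid": "a1", "memberUid": "a1", "title": "admin"},
    {"dn": "uid=b1,ou=users,dc=example,dc=net", "uid": "b1", "memberUid": "b1", "title": "user"},
    {"dn": "uid=c1,ou=users,dc=example,dc=org", "uid": "c1", "memberUid": "c1", "title": "admin"},
]

def parse_member_url(url):
    """Split ldap:///base?attrs?scope?filter into (base, [attrs], scope, filter)."""
    if not url.startswith("ldap:///"):
        raise ValueError("only ldap:/// URLs without host are handled here")
    base, _, rest = url[len("ldap:///"):].partition("?")
    fields = rest.split("?") + ["", ""]
    attrs = [a for a in fields[0].split(",") if a]
    return unquote(base), attrs, fields[1] or "base", unquote(fields[2])

def _lower_keys(entry):
    # LDAP attribute names are case-insensitive (memberUID == memberUid in the post).
    return {k.lower(): v for k, v in entry.items()}

def _split_filters(s):
    """Break '(a=b)(c=d)' into top-level components by tracking parentheses depth."""
    parts, depth, start = [], 0, 0
    for i, ch in enumerate(s):
        if ch == "(":
            start = i if depth == 0 else start
            depth += 1
        elif ch == ")":
            depth -= 1
            if depth == 0:
                parts.append(s[start:i + 1])
    return parts

def _matches(entry, flt):
    """Evaluate a minimal RFC 4515 filter: (attr=value), (&(..)(..)) or (|(..)(..))."""
    if not (flt.startswith("(") and flt.endswith(")")):
        raise ValueError("unbalanced filter: " + flt)
    body = flt[1:-1]
    if body[:1] in ("&", "|"):
        results = [_matches(entry, sub) for sub in _split_filters(body[1:])]
        return all(results) if body[0] == "&" else any(results)
    attr, _, value = body.partition("=")
    return _lower_keys(entry).get(attr.lower(), "").lower() == value.lower()

def _in_scope(dn, base, scope):
    dn, base = dn.lower(), base.lower()
    if scope == "base":
        return dn == base
    if not dn.endswith("," + base):
        return False
    return scope == "sub" or "," not in dn[: -len(base) - 1]  # 'one' = direct children only

def expand_member_url(url, entries):
    """Return the sorted attribute values the dynamic group would carry for this URL."""
    base, attrs, scope, flt = parse_member_url(url)
    values = {_lower_keys(e)[a.lower()] for e in entries for a in attrs
              if _in_scope(e["dn"], base, scope) and _matches(e, flt) and a.lower() in _lower_keys(e)}
    return sorted(values)
```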
_______________________________________________
sssd-users mailing list -- sssd-users@lists.fedorahosted.org
To unsubscribe send an email to sssd-users-le...@lists.fedorahosted.org