On Thu, Nov 02, 2017 at 07:06:59PM +0100, Stefan Kania wrote:
> On 02.11.2017 at 17:00, Mario Rossi wrote:
> > If using own objectclass, I would think you will use custom attributes ?
> >
> > ldap_group_member = *hMemberDN*
> > ldap_user_member_of = *description*
>
> This is what I did now. Let's put everything together what I did:
>
> 1. I created my own ObjectClasses
> -----------------
> objectclass (1.3.6.1.4.1.23456.1.2.1 NAME 'stkaPosixGroup'
>         DESC 'advanced PosixGroup for dynamic use'
>         SUP top AUXILIARY
>         MUST ( cn $ gidNumber )
>         MAY ( userPassword $ memberUid $ description ) )
>
> objectclass (1.3.6.1.4.1.23456.1.2.2 NAME 'stkaPosixAccount'
>         DESC 'advanced PosixAccount for dynamic use'
>         SUP posixAccount AUXILIARY
>         MAY ( memberUID ))
> -----------------
> (YES I know that the OID is not my OID. It's just a test!)
>
> Then I created a group:
> ----------------
> dn: cn=dynposix,ou=groups,dc=example,dc=net
> cn: dynposix
> gidNumber: 5000
> objectClass: groupOfURLs
> objectClass: stkaPosixGroup
> objectClass: top
> memberURL: ldap:///dc=example,dc=net?memberUID?sub?(title=admin)
> ----------------
>
> I create every user like this one:
> ----------------
> dn: uid=a1,ou=users,dc=example,dc=net
> loginShell: /bin/bash
> homeDirectory: /home/a1
> gidNumber: 10000
> uid: a1
> cn: anwender 1
> uidNumber: 10007
> sn: 1
> givenName: anwender
> objectClass: posixAccount
> objectClass: inetOrgPerson
> objectClass: organizationalPerson
> objectClass: person
> objectClass: stkaPosixAccount
> memberUid: a1
> title: admin
> ----------------
>
> Now every user with this configuration will become a member of my group
> "dynposix".
>
> Then I configured sssd:
> ----------------
> [sssd]
> config_file_version = 2
> services = nss, pam
> domains = LDAP
>
> [nss]
> filter_groups = root
> filter_users = root
> reconnection_retries = 3
>
> [pam]
> reconnection_retries = 3
> offline_credentials_expiration = 2
> offline_failed_login_attempts = 3
> offline_failed_login_delay = 5
>
> [domain/LDAP]
> ldap_schema=rfc2307
> ldap_uri = ldap://ldapserver.example.net:389
> ldap_search_base=dc=example,dc=net
> ldap_default_bind_dn=uid=sssd-user,ou=users,dc=example,dc=net
> ldap_default_authtok=geheim
> id_provider=ldap
> auth_provider=ldap
> chpass_provider = ldap
> ldap_chpass_uri = ldap://ldapserver.example.net:389
> cache_credentials = True
> enumerate = true
> ldap_tls_cacertdir = /etc/ssl/zertifikate/demoCA
> ldap_tls_cacert = /etc/ssl/zertifikate/demoCA/cacert.pem
> ldap_purge_cache_timeout = 10
> ldap_enumeration_refresh_timeout = 5
> ldap_group_object_class = stkaPosixGroup
> ----------------
>
> Because now sssd is only looking for groups with the objectClass
> stkaPosixGroup, I'm adding the ObjectClass to every posixGroup.
> So sssd will find all groups.
>
> Now I can give my dynamic group permissions inside the filesystem and
> the member list is dynamic.
>
> The only problem I have is that it takes several minutes until the
> changes inside the LDAP database will be seen by sssd. So it takes
> several minutes until "getent group" is showing the changes :-(
>
> Maybe someone can give me a hint where to look to get it faster.
>
>
> But I think it would be a good idea to be capable of changing the filter.
> Stefan
I think there were some threads earlier about specifying a list of objectclasses in the "ldap_group_object_class" but as you found this is not implemented yet. Feel free to file a ticket.

In the meantime, there is a bit undocumented (and I think on purpose, because I guess specifying the list of classes would be a more systematic solution) option ldap_group_object_class_alt which lets you select an alternative objectclass and sssd would then look for either. I think this was added when we found some inconsistencies between what objectclasses different IPA releases use some time ago and we had to implement some fix soon :-)

_______________________________________________
sssd-users mailing list -- sssd-users@lists.fedorahosted.org
To unsubscribe send an email to sssd-users-le...@lists.fedorahosted.org
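The membership of the "dynposix" group in Stefan's message is not stored anywhere; the server's dynamic-list overlay computes it on every read by running the search described in the memberURL (base DN, requested attribute, scope and filter, in RFC 4516 order) and collecting the requested attribute from each matching entry. The Python below is an added illustration of that evaluation, not code from the thread, from OpenLDAP or from sssd: it parses the memberURL, applies scope and a small subset of RFC 4515 filter syntax (equality, `*`, `&`, `|`, `!`) to an in-memory stand-in for the directory, and returns the resulting member list. The entries in DIRECTORY are constructed sample data modelled on the user entry in the thread; the `svc` entry is added to show that an entry matching the filter but lacking the requested attribute contributes nothing.

```python
"""Evaluate a groupOfURLs memberURL against a set of user entries.

Added illustration (not OpenLDAP dynlist or sssd code) of how a dynamic
group's member list is derived from its memberURL.  DIRECTORY is a
constructed in-memory stand-in for the real DIT.
"""
import re
from urllib.parse import unquote

# Constructed sample entries keyed by DN; attribute names are lower-cased.
DIRECTORY = {
    "uid=a1,ou=users,dc=example,dc=net": {
        "objectclass": ["posixAccount", "stkaPosixAccount"],
        "uid": ["a1"], "memberuid": ["a1"], "title": ["admin"],
    },
    "uid=a2,ou=users,dc=example,dc=net": {
        "objectclass": ["posixAccount", "stkaPosixAccount"],
        "uid": ["a2"], "memberuid": ["a2"], "title": ["user"],
    },
    "uid=a3,ou=users,dc=example,dc=net": {
        "objectclass": ["posixAccount", "stkaPosixAccount"],
        "uid": ["a3"], "memberuid": ["a3"], "title": ["admin"],
    },
    # Matches (title=admin) but carries no memberUid: yields no member.
    "uid=svc,ou=services,dc=example,dc=net": {
        "objectclass": ["posixAccount"], "uid": ["svc"], "title": ["admin"],
    },
}


def parse_member_url(url):
    """Split an LDAP URL (RFC 4516) into base DN, attributes, scope, filter."""
    if not url.startswith("ldap://"):
        raise ValueError("only ldap:// URLs are supported")
    _host, _, rest = url[len("ldap://"):].partition("/")  # host empty for ldap:///
    fields = rest.split("?", 3)                             # dn ? attrs ? scope ? filter
    fields += [""] * (4 - len(fields))
    dn, attrs, scope, filt = fields
    return {
        "base": unquote(dn).lower(),
        "attrs": [a.lower() for a in unquote(attrs).split(",") if a],
        "scope": (scope or "base").lower(),
        "filter": unquote(filt) or "(objectClass=*)",
    }


def in_scope(dn, base, scope):
    """Is dn selected by a search with this base and scope (base/one/sub)?"""
    dn = dn.lower()
    if dn == base:
        return scope in ("base", "sub")
    if not dn.endswith("," + base):
        return False
    rel = dn[: -len(base) - 1]          # RDNs below the base
    if scope == "one":
        return "," not in rel           # exactly one level down (no DN escaping handled)
    return scope == "sub"


def _split_children(body):
    """Split "(a=1)(b=2)" into ["(a=1)", "(b=2)"], honouring nesting."""
    items, depth, start = [], 0, 0
    for i, ch in enumerate(body):
        if ch == "(":
            if depth == 0:
                start = i
            depth += 1
        elif ch == ")":
            depth -= 1
            if depth == 0:
                items.append(body[start:i + 1])
    return items


def _glob(pattern, text):
    """Case-insensitive match where '*' in the filter value matches anything."""
    regex = ".*".join(re.escape(p) for p in pattern.split("*"))
    return re.fullmatch(regex, text, re.IGNORECASE) is not None


def match_filter(filt, entry):
    """Evaluate a subset of RFC 4515 filters: equality, '*', &, |, !."""
    filt = filt.strip()
    if not (filt.startswith("(") and filt.endswith(")")) or len(filt) < 3:
        raise ValueError("malformed filter: %r" % filt)
    body = filt[1:-1]
    if body[0] == "&":
        return all(match_filter(c, entry) for c in _split_children(body[1:]))
    if body[0] == "|":
        return any(match_filter(c, entry) for c in _split_children(body[1:]))
    if body[0] == "!":
        return not match_filter(body[1:], entry)
    attr, _, value = body.partition("=")
    values = entry.get(attr.strip().lower(), [])
    if value == "*":
        return bool(values)             # presence filter
    return any(_glob(value, v) for v in values)


def expand_member_url(url, directory=DIRECTORY):
    """Return the member values a dynlist overlay would derive from url."""
    spec = parse_member_url(url)
    members = []
    for dn, entry in directory.items():
        if not in_scope(dn, spec["base"], spec["scope"]):
            continue
        if not match_filter(spec["filter"], entry):
            continue
        if not spec["attrs"]:
            members.append(dn)          # no attribute list: the DN itself is the value
            continue
        for attr in spec["attrs"]:
            members.extend(entry.get(attr, []))
    return members


if __name__ == "__main__":
    print(expand_member_url("ldap:///dc=example,dc=net?memberUID?sub?(title=admin)"))
```

Two things the run makes visible. First, the URL in the thread selects on `title`, so whoever is allowed to write `title` on any entry below dc=example,dc=net decides who is in "dynposix"; the write ACL on the attribute named in the filter should be at least as strict as the one on the group entry itself. Second, the overlay recomputes the list on every read, so a change in the directory is immediate on the server side; the delay Stefan observes with "getent group" is sssd serving its own cache, not the directory.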