Hi all,
Not having much luck adding a user to more than 1 group in OpenLDAP that's provided in CentOS.
Any suggestions to have the outcome of having a user belong to multiple groups?
Should I create a new group that has multiple GIDs and assign a user to that new group? If so, how? :)
Thanks in advance.
are you adding users to local groups in /etc/group or are you creating groups in ldap?
On 2010-05-06, at 11:03 AM, aurfalien@gmail.com wrote:
Hi all,
Not having much luck adding a user to more than 1 group in OpenLDAP that's provided in CentOS.
Any suggestions to have the outcome of having a user belong to multiple groups?
Should I create a new group that has multiple GIDs and assign a user to that new group? If so, how? :)
Thanks in advance.
CentOS mailing list CentOS@centos.org http://lists.centos.org/mailman/listinfo/centos
Sorry for that.
Adding via ldap.
I've tried adding groupOfNames to the users ldif file like so;
objectClass: groupOfNames
...
member: cn=staff,ou=groups,dc=foo,dc=bar
member: cn=pm,ou=groups,dc=foo,dc=bar

Both staff and pm are defined as follows;

# staff, groups, logan.tv
dn: cn=staff,ou=groups,dc=foo,dc=bar
objectClass: top
objectClass: posixGroup
cn: staff
gidNumber: 20

# pm, groups, foo.bar
dn: cn=pm,ou=groups,dc=foo,dc=bar
objectClass: top
objectClass: posixGroup
cn: pm
gidNumber: 200
But every time I try to ldapmodify, I get;
ldapmodify: Object class violation (65) additional info: invalid structural object class chain (inetOrgPerson/ groupOfNames)
On May 6, 2010, at 11:05 AM, Jacob Bresciani wrote:
are you adding users to local groups in /etc/group or are you creating groups in ldap?
On 2010-05-06, at 11:03 AM, aurfalien@gmail.com wrote:
Hi all,
Not having much luck adding a user to more than 1 group in OpenLDAP that's provided in CentOS.
Any suggestions to have the outcome of having a user belong to multiple groups?
Should I create a new group that has multiple GIDs and assign a user to that new group? If so, how? :)
Thanks in advance.
On Thu, 6 May 2010, aurfalien@gmail.com wrote:
Hi all,
Not having much luck adding a user to more than 1 group in OpenLDAP that's provided in CentOS.
Any suggestions to have the outcome of having a user belong to multiple groups?
Should I create a new group that has multiple GIDs and assign a user to that new group? If so, how? :)
Each posixGroup can have multiple memberUid entries. In our environment, a memberUid is specified by username (not numeric uid); I suspect that's normal practice, but you might want to get confirmation from others.
A user's posixAccount record has no backward mapping of group memberships; it only contains the standard gidNumber entry.
In short:
1. Define the posixGroup DN
2. Add one or more memberUid entries.
On May 6, 2010, at 11:35 AM, Paul Heinlein wrote:
On Thu, 6 May 2010, aurfalien@gmail.com wrote:
Hi all,
Not having much luck adding a user to more than 1 group in OpenLDAP that's provided in CentOS.
Any suggestions to have the outcome of having a user belong to multiple groups?
Should I create a new group that has multiple GIDs and assign a user to that new group? If so, how? :)
Each posixGroup can have multiple memberUid entries. In our environment, a memberUid is specified by username (not numeric uid); I suspect that's normal practice, but you might want to get confirmation from others.
A user's posixAccount record has no backward mapping of group memberships; it only contains the standard gidNumber entry.
In short:
- Define the posixGroup DN
- Add one or more memberUid entries.
Oh, I think I follow.
Say my current group definition in ldap is;
# pm, groups, foo.bar
dn: cn=pm,ou=groups,dc=foo,dc=bar
objectClass: top
objectClass: posixGroup
cn: pm
gidNumber: 200
So would I extend this and add members there instead of in their own entry? How would it look?
On Thu, 6 May 2010, aurfalien@gmail.com wrote:
In short:
- Define the posixGroup DN
- Add one or more memberUid entries.
Oh, I think I follow.
Say my current group definition in ldap is;
# pm, groups, foo.bar
dn: cn=pm,ou=groups,dc=foo,dc=bar
objectClass: top
objectClass: posixGroup
cn: pm
gidNumber: 200
So would I extend this and add members there instead of in their own entry? How would it look?
memberUid: bob
memberUid: chad
memberUid: dave
etc...
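The two replies above describe how group membership is modelled: a posixGroup carries one memberUid per user name, and the posixAccount has no backward mapping, so a user's group list has to be derived by scanning the groups. The following script is an added example, not code from the thread or from any of its participants. It builds an offline model of that scheme with constructed entries (the DNs follow the thread's dc=foo,dc=bar naming; user names, numbers and the stale "olduser" value are made up), resolves a user's groups the way an NSS LDAP backend would, lists memberUid values that no longer name an account, and generates the ldapmodify input for adding members to a group.

```python
"""Offline model of posixGroup membership as described in the thread.

All entries below are constructed sample data: the DNs follow the thread's
dc=foo,dc=bar naming, the user names and numbers are made up.
"""

# posixAccount entries: only a single gidNumber (the primary group) lives here;
# there is no attribute listing the user's other groups.
USERS = {
    "bob":  {"uidNumber": 1001, "gidNumber": 20},
    "chad": {"uidNumber": 1002, "gidNumber": 20},
    "dave": {"uidNumber": 1003, "gidNumber": 200},
}

# posixGroup entries keyed by DN. memberUid values are user names, as in
# Paul's reply; "olduser" is a constructed stale entry that has no account.
GROUPS = {
    "cn=staff,ou=groups,dc=foo,dc=bar": {
        "cn": "staff", "gidNumber": 20, "memberUid": ["bob", "chad"]},
    "cn=pm,ou=groups,dc=foo,dc=bar": {
        "cn": "pm", "gidNumber": 200, "memberUid": ["bob", "olduser"]},
    "cn=wheel,ou=groups,dc=foo,dc=bar": {
        "cn": "wheel", "gidNumber": 10, "memberUid": []},
}


def groups_for(uid, users=USERS, groups=GROUPS):
    """Return the sorted group names a user belongs to.

    This is the lookup an NSS LDAP backend performs for `id` / `getent`:
    the primary group comes from the account's gidNumber, and supplementary
    groups are found by scanning every posixGroup for memberUid=<uid>.
    The account itself carries no backward mapping.
    """
    if uid not in users:
        raise KeyError(f"no posixAccount for {uid}")
    primary_gid = users[uid]["gidNumber"]
    names = set()
    for g in groups.values():
        if g["gidNumber"] == primary_gid or uid in g["memberUid"]:
            names.add(g["cn"])
    return sorted(names)


def stale_members(users=USERS, groups=GROUPS):
    """memberUid values that name no posixAccount.

    Deleting an account does not touch the groups that list it, so these
    leftovers linger until someone cleans them up; an access review should
    report them because a re-created account with the same name would
    silently inherit the memberships.
    """
    return sorted(
        (dn, m) for dn, g in groups.items()
        for m in g["memberUid"] if m not in users
    )


def add_members_ldif(group_dn, uids, groups=GROUPS):
    """Build the ldapmodify input that appends memberUid values to a group.

    Values already present are skipped: LDAP rejects an add of an existing
    value (attributeOrValueExists, result code 20), and that single failure
    aborts the whole modify. Returns "" when there is nothing to add.
    """
    current = groups[group_dn]["memberUid"]
    new = [u for u in uids if u not in current]
    if not new:
        return ""
    lines = [f"dn: {group_dn}", "changetype: modify", "add: memberUid"]
    lines += [f"memberUid: {u}" for u in new]
    lines.append("-")
    return "\n".join(lines) + "\n"


if __name__ == "__main__":
    for u in USERS:
        print(u, groups_for(u))
    print("stale:", stale_members())
    print(add_members_ldif("cn=pm,ou=groups,dc=foo,dc=bar", ["bob", "chad", "dave"]))
```

The generated text is what you would feed to `ldapmodify -f`; the skip-if-present check is there because a tool that blindly re-adds an existing member gets the whole change rejected, which is one reason hand-edited LDIF fails in confusing ways.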
On May 6, 2010, at 11:47 AM, Paul Heinlein wrote:
On Thu, 6 May 2010, aurfalien@gmail.com wrote:
In short:
- Define the posixGroup DN
- Add one or more memberUid entries.
So would I extend this and add members there instead of in their own entry? How would it look?
memberUid: bob
memberUid: chad
memberUid: dave
Wow, how elegant is that?
Very very cool, thanks much for the tips.
On Thu, May 6, 2010 at 11:33 PM, aurfalien@gmail.com wrote:
Not having much luck adding a user to more than 1 group in OpenLDAP that's provided in CentOS.
Any suggestions to have the outcome of having a user belong to multiple groups?
Should I create a new group that has multiple GIDs and assign a user to that new group? If so, how? :)
A different twist from the solutions suggested so far.
Even though you may not require the SMB extensions, the smbldaptools may be worth looking into. Its toolset is similar to the regular Linux user management tools, with the backend taking care of populating the LDAP DIT and you keeping your sanity :)
I have deployed a few production LDAP setups on CentOS 5.3, where users were members of multiple groups.
HTH, -- Arun Khan
On May 6, 2010, at 12:00 PM, Arun Khan wrote:
On Thu, May 6, 2010 at 11:33 PM, aurfalien@gmail.com wrote:
Not having much luck adding a user to more than 1 group in OpenLDAP that's provided in CentOS.
Any suggestions to have the outcome of having a user belong to multiple groups?
Should I create a new group that has multiple GIDs and assign a user to that new group? If so, how? :)
Even though you may not require the SMB extensions, the smbldaptools may be worth looking into. Its toolset is similar to the regular Linux user management tools, with the backend taking care of populating the LDAP DIT and you keeping your sanity :)
Thanks Arun,
But you assume too much, I have no sanity left to keep :)
On Fri, May 7, 2010 at 12:52 AM, aurfalien@gmail.com wrote:
On May 6, 2010, at 12:00 PM, Arun Khan wrote:
Even though you may not require the SMB extensions, the smbldaptools may be worth looking into. Its toolset is similar to the regular Linux user management tools, with the backend taking care of populating the LDAP DIT and you keeping your sanity :)
Thanks Arun,
But you assume too much, I have no sanity left to keep :)
I know what you mean. I was going nuts with one client (who thought he knew LDAP just because he had done a prototype setup on a Mac OS X server) because he was mucking around with the DIT (on the Mac platform). That is when I switched him to openLDAP and smbldaptools on Linux and reclaimed my sanity :)
Another tool that I forgot to mention is LDAP Account Manager (lam); there is an open source as well as a commercial support version. It is web based; ideal for the CLI phobic admins. You can delegate authority to non technical staff like HR for disabling users and groups ...
Luck, -- Arun Khan
On May 6, 2010, at 10:20 PM, Arun Khan wrote:
On Fri, May 7, 2010 at 12:52 AM, aurfalien@gmail.com wrote:
On May 6, 2010, at 12:00 PM, Arun Khan wrote:
Even though you may not require the SMB extensions, the smbldaptools may be worth looking into. Its toolset is similar to the regular Linux user management tools, with the backend taking care of populating the LDAP DIT and you keeping your sanity :)
Thanks Arun,
But you assume too much, I have no sanity left to keep :)
Another tool that I forgot to mention is LDAP Account Manager (lam);
I tried that a while back, together with webmin and that php thing.
I was kinda hoping to use webmin for everything; DNS, DHCP, LDAP so that a jr sys admin could manage our intranet based services. But with LDAP, webmin doesn't seem to like adding users to groups and errors out.
So I just hand edit an ldif for now and ldapmodify.
I'll revisit the webmin error regarding adding users to groups and see what's going on.
Thanks for all the good tips.
On Sat, 2010-05-08 at 07:04 -0700, aurfalien@gmail.com wrote:
On May 6, 2010, at 10:20 PM, Arun Khan wrote:
On Fri, May 7, 2010 at 12:52 AM, aurfalien@gmail.com wrote:
On May 6, 2010, at 12:00 PM, Arun Khan wrote:
Even though you may not require the SMB extensions, the smbldaptools may be worth looking into. Its toolset is similar to the regular Linux user management tools, with the backend taking care of populating the LDAP DIT and you keeping your sanity :)
Thanks Arun,
But you assume too much, I have no sanity left to keep :)
Another tool that I forgot to mention is LDAP Account Manager (lam);
I tried that a while back, together with webmin and that php thing.
I was kinda hoping to use webmin for everything; DNS, DHCP, LDAP so that a jr sys admin could manage our intranet based services. But with LDAP, webmin doesn't seem to like adding users to groups and errors out.
So I just hand edit an ldif for now and ldapmodify.
I'll revisit the webmin error regarding adding users to groups and see what's going on.
---- I use webmin's LDAP Users and Groups to administer both users and groups - it works fine if configured properly.
Craig
On May 8, 2010, at 9:37 AM, Craig White wrote:
I tried that a while back, together with webmin and that php thing.
I was kinda hoping to use webmin for everything; DNS, DHCP, LDAP so that a jr sys admin could manage our intranet based services. But with LDAP, webmin doesn't seem to like adding users to groups and errors out.
So I just hand edit an ldif for now and ldapmodify.
I'll revisit the webmin error regarding adding users to groups and see what's going on.
I use webmin's LDAP Users and Groups to administer both users and groups
- it works fine if configured properly.
Perfect!
You mind sharing some nuggets?
First, my issue;
Using webmin, I can add users and also add them to groups and secondary group during initial creation of that user.
However if I then try to add an already created user to a secondary group, webmin fails with;
Failed to save group : Failed to modify group in LDAP database : modify/delete: description: no such attribute
I can do this using ldapmodify with an ldif file, just not via webmin.
I can add, remove users via webmin, I just can't add them to secondary groups after I've created them.
I can only add them to secondary groups during initial creation of that user.
Any help would be very very cool.
Thanks in advance Craig.
On Sat, 2010-05-08 at 09:43 -0700, aurfalien@gmail.com wrote:
On May 8, 2010, at 9:37 AM, Craig White wrote:
I tried that a while back, together with webmin and that php thing.
I was kinda hoping to use webmin for everything; DNS, DHCP, LDAP so that a jr sys admin could manage our intranet based services. But with LDAP, webmin doesn't seem to like adding users to groups and errors out.
So I just hand edit an ldif for now and ldapmodify.
I'll revisit the webmin error regarding adding users to groups and see what's going on.
I use webmin's LDAP Users and Groups to administer both users and groups
- it works fine if configured properly.
Perfect!
You mind sharing some nuggets?
First, my issue;
Using webmin, I can add users and also add them to groups and secondary group during initial creation of that user.
However if I then try to add an already created user to a secondary group, webmin fails with;
Failed to save group : Failed to modify group in LDAP database : modify/delete: description: no such attribute
I can do this using ldapmodify with an ldif file, just not via webmin.
I can add, remove users via webmin, I just can't add them to secondary groups after I've created them.
I can only add them to secondary groups during initial creation of that user.
Any help would be very very cool.
Thanks in advance Craig.
---- I only recently discovered that myself - and I noticed that only occurred when the group is not a samba group (i.e. no sambaGroupMapping ou) but I almost suspect that it's because I am not using 'objectclass top' for these entries but I never really investigated further. The only differences between the ones that I can edit and the ones I can't edit are the objectclass 'sambaGroupMapping' and 'top'
Craig
On Sat, 2010-05-08 at 10:13 -0700, Craig White wrote:
On Sat, 2010-05-08 at 09:43 -0700, aurfalien@gmail.com wrote:
On May 8, 2010, at 9:37 AM, Craig White wrote:
I tried that a while back, together with webmin and that php thing.
I was kinda hoping to use webmin for everything; DNS, DHCP, LDAP so that a jr sys admin could manage our intranet based services. But with LDAP, webmin doesn't seem to like adding users to groups and errors out.
So I just hand edit an ldif for now and ldapmodify.
I'll revisit the webmin error regarding adding users to groups and see what's going on.
I use webmin's LDAP Users and Groups to administer both users and groups
- it works fine if configured properly.
Perfect!
You mind sharing some nuggets?
First, my issue;
Using webmin, I can add users and also add them to groups and secondary group during initial creation of that user.
However if I then try to add an already created user to a secondary group, webmin fails with;
Failed to save group : Failed to modify group in LDAP database : modify/delete: description: no such attribute
I can do this using ldapmodify with an ldif file, just not via webmin.
I can add, remove users via webmin, I just can't add them to secondary groups after I've created them.
I can only add them to secondary groups during initial creation of that user.
Any help would be very very cool.
Thanks in advance Craig.
I only recently discovered that myself - and I noticed that only occurred when the group is not a samba group (i.e. no sambaGroupMapping ou) but I almost suspect that it's because I am not using 'objectclass top' for these entries but I never really investigated further. The only differences between the ones that I can edit and the ones I can't edit are the objectclass 'sambaGroupMapping' and 'top'
---- No - I just checked and the same thing still exists even if I add the 'top' objectclass to a 'non-samba' group but if it's a samba group, I have no problem adding/removing members using webmin. It would seem to be a problem with the webmin module.
Just for kicks, I've been playing with it and it seems to be working now (now that I've turned logging on so I could report to Jamie).
I did notice that it seems to help to put something (anything) in the description field.
Craig
On May 8, 2010, at 10:28 AM, Craig White wrote:
On Sat, 2010-05-08 at 10:13 -0700, Craig White wrote:
On Sat, 2010-05-08 at 09:43 -0700, aurfalien@gmail.com wrote:
On May 8, 2010, at 9:37 AM, Craig White wrote:
I tried that a while back, together with webmin and that php thing.
I was kinda hoping to use webmin for everything; DNS, DHCP, LDAP so that a jr sys admin could manage our intranet based services. But with LDAP, webmin doesn't seem to like adding users to groups and errors out.
So I just hand edit an ldif for now and ldapmodify.
I'll revisit the webmin error regarding adding users to groups and see what's going on.
I use webmin's LDAP Users and Groups to administer both users and groups
- it works fine if configured properly.
Perfect!
You mind sharing some nuggets?
First, my issue;
Using webmin, I can add users and also add them to groups and secondary group during initial creation of that user.
However if I then try to add an already created user to a secondary group, webmin fails with;
Failed to save group : Failed to modify group in LDAP database : modify/delete: description: no such attribute
I can do this using ldapmodify with an ldif file, just not via webmin.
I can add, remove users via webmin, I just can't add them to secondary groups after I've created them.
I can only add them to secondary groups during initial creation of that user.
Any help would be very very cool.
Thanks in advance Craig.
I only recently discovered that myself - and I noticed that only occurred when the group is not a samba group (i.e. no sambaGroupMapping ou) but I almost suspect that it's because I am not using 'objectclass top' for these entries but I never really investigated further. The only differences between the ones that I can edit and the ones I can't edit are the objectclass 'sambaGroupMapping' and 'top'
No - I just checked and the same thing still exists even if I add the 'top' objectclass to a 'non-samba' group but if it's a samba group, I have no problem adding/removing members using webmin. It would seem to be a problem with the webmin module.
Just for kicks, I've been playing with it and it seems to be working now (now that I've turned logging on so I could report to Jamie).
I did notice that it seems to help to put something (anything) in the description field.
Wow, thanks for the r&d Craig!
sambaGroupMapping aye?
I don't use samba and have my Windows clients auth against ldap via pGina which is an ldap client for Windows.
However even if I don't use samba for client auth, is there a way to add it in my config just so I can mod group members?
On Sat, 2010-05-08 at 10:38 -0700, aurfalien@gmail.com wrote:
On May 8, 2010, at 10:28 AM, Craig White wrote:
No - I just checked and the same thing still exists even if I add the 'top' objectclass to a 'non-samba' group but if it's a samba group, I have no problem adding/removing members using webmin. It would seem to be a problem with the webmin module.
Just for kicks, I've been playing with it and it seems to be working now (now that I've turned logging on so I could report to Jamie).
I did notice that it seems to help to put something (anything) in the description field.
Wow, thanks for the r&d Craig!
sambaGroupMapping aye?
I don't use samba and have my Windows clients auth against ldap via pGina which is an ldap client for Windows.
However even if I don't use samba for client auth, is there a way to add it in my config just so I can mod group members?
---- I wouldn't add it in if you are not using it.
I would simply try adding a 'description' to an LDAP group and then see if you can add/delete members to that group.
Craig
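The error quoted earlier in the thread, "modify/delete: description: no such attribute", is the form slapd uses when a Modify request contains a delete of an attribute the entry does not have, and the whole request is rejected because LDAP applies a Modify atomically. The script below is an added example, not code from the thread, from webmin or from any participant: it models the Modify semantics of RFC 4511 section 4.6 on constructed group entries (dc=foo,dc=bar naming as in the thread), shows why a group without a description fails where one with a description succeeds, and shows the replace form that a tool can use so an optional attribute never trips the error. The exact modification sequence webmin sends is not in the thread; the delete-then-set sequence here is an assumption chosen to be consistent with the quoted error string.

```python
"""Offline model of the LDAP Modify semantics behind the error in the thread.

The group entries are constructed samples; the modification sequence in
update_group_delete_style is an assumed reconstruction, not webmin's code.
"""


class NoSuchAttribute(Exception):
    """LDAP resultCode 16 (ldapmodify prints 'No such attribute (16)')."""


class AttributeOrValueExists(Exception):
    """LDAP resultCode 20 (ldapmodify prints 'Type or value exists (20)')."""


def apply_modify(entry, changes):
    """Apply a list of (op, attr, values) with RFC 4511 section 4.6 semantics.

    Works on a copy and returns it. A directory applies a Modify atomically,
    so one failing change means nothing is written; raising mirrors that.
    """
    new = {attr: list(vals) for attr, vals in entry.items()}
    for op, attr, values in changes:
        if op == "add":
            present = new.setdefault(attr, [])
            for v in values:
                if v in present:
                    raise AttributeOrValueExists(f"modify/add: {attr}: value exists")
                present.append(v)
        elif op == "delete":
            if attr not in new:
                raise NoSuchAttribute(f"modify/delete: {attr}: no such attribute")
            if not values:            # no values listed: remove the whole attribute
                del new[attr]
                continue
            for v in values:
                if v not in new[attr]:
                    raise NoSuchAttribute(f"modify/delete: {attr}: no such value")
                new[attr].remove(v)
            if not new[attr]:
                del new[attr]
        elif op == "replace":
            # replace never fails on an absent attribute: an empty value list
            # removes the attribute if present and is ignored otherwise.
            if values:
                new[attr] = list(values)
            else:
                new.pop(attr, None)
        else:
            raise ValueError(f"unknown modify op {op!r}")
    return new


# Constructed group entries: identical except that only the second has a description.
GROUP_NO_DESC = {"cn": ["pm"], "gidNumber": ["200"], "memberUid": ["bob"]}
GROUP_WITH_DESC = dict(GROUP_NO_DESC, description=["project managers"])


def update_group_delete_style(group, members):
    """Assumed tool behaviour: clear the description with delete, then set members.

    The delete step is what the thread's error message describes; it aborts
    the whole modify whenever the group carries no description value.
    """
    return apply_modify(group, [
        ("delete", "description", []),
        ("replace", "memberUid", members),
    ])


def update_group_replace_style(group, members):
    """Same intent, using replace for the optional attribute so it works either way."""
    return apply_modify(group, [
        ("replace", "description", []),
        ("replace", "memberUid", members),
    ])


def fails_with(exc, fn, *args):
    """True when fn(*args) raises exc; shows which variant the server would reject."""
    try:
        fn(*args)
    except exc:
        return True
    return False


if __name__ == "__main__":
    print("delete style, no description:",
          fails_with(NoSuchAttribute, update_group_delete_style, GROUP_NO_DESC, ["bob", "chad"]))
    print("delete style, with description:", update_group_delete_style(GROUP_WITH_DESC, ["bob", "chad"]))
    print("replace style, no description:", update_group_replace_style(GROUP_NO_DESC, ["bob", "chad"]))
```

Putting "something (anything)" in the description field works for exactly this reason: once the attribute exists, the delete step succeeds and the rest of the modify goes through. When writing your own tooling, prefer replace for optional attributes and check a group's current values before issuing add or delete, since either failure discards the member change along with it.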
On May 8, 2010, at 11:12 AM, Craig White wrote:
On Sat, 2010-05-08 at 10:38 -0700, aurfalien@gmail.com wrote:
On May 8, 2010, at 10:28 AM, Craig White wrote:
I would simply try adding a 'description' to an LDAP group and then see if you can add/delete members to that group.
BRILLIANT!!!
Go Craig!
That worked.
Just something in the description field.
Wow, elegant indeed!
Thanks a lot.
On May 8, 2010, at 10:28 AM, Craig White wrote:
On Sat, 2010-05-08 at 10:13 -0700, Craig White wrote:
On Sat, 2010-05-08 at 09:43 -0700, aurfalien@gmail.com wrote:
On May 8, 2010, at 9:37 AM, Craig White wrote:
I tried that a while back, together with webmin and that php thing.
I was kinda hoping to use webmin for everything; DNS, DHCP, LDAP so that a jr sys admin could manage our intranet based services. But with LDAP, webmin doesn't seem to like adding users to groups and errors out.
So I just hand edit an ldif for now and ldapmodify.
I'll revisit the webmin error regarding adding users to groups and see what's going on.
I use webmin's LDAP Users and Groups to administer both users and groups
- it works fine if configured properly.
Perfect!
You mind sharing some nuggets?
First, my issue;
Using webmin, I can add users and also add them to groups and secondary group during initial creation of that user.
However if I then try to add an already created user to a secondary group, webmin fails with;
Failed to save group : Failed to modify group in LDAP database : modify/delete: description: no such attribute
I can do this using ldapmodify with an ldif file, just not via webmin.
I can add, remove users via webmin, I just can't add them to secondary groups after I've created them.
I can only add them to secondary groups during initial creation of that user.
Any help would be very very cool.
Thanks in advance Craig.
I only recently discovered that myself - and I noticed that only occurred when the group is not a samba group (i.e. no sambaGroupMapping ou) but I almost suspect that it's because I am not using 'objectclass top' for these entries but I never really investigated further. The only differences between the ones that I can edit and the ones I can't edit are the objectclass 'sambaGroupMapping' and 'top'
No - I just checked and the same thing still exists even if I add the 'top' objectclass to a 'non-samba' group but if it's a samba group, I have no problem adding/removing members using webmin. It would seem to be a problem with the webmin module.
Just for kicks, I've been playing with it and it seems to be working now (now that I've turned logging on so I could report to Jamie).
I did notice that it seems to help to put something (anything) in the description field.
Craig
On Fri, 7 May 2010, Arun Khan wrote:
Even though you may not require the SMB extensions, the smbldaptools may be worth looking into. Its toolset is similar to the regular Linux user management tools, with the backend taking care of populating the LDAP DIT and you keeping your sanity :)
+1
That's what we use. Makes my life much easier...