[CentOS] ldap: adding user to multiple groups

Sat May 8 17:38:40 UTC 2010
aurfalien at gmail.com <aurfalien at gmail.com>

On May 8, 2010, at 10:28 AM, Craig White wrote:

> On Sat, 2010-05-08 at 10:13 -0700, Craig White wrote:
>> On Sat, 2010-05-08 at 09:43 -0700, aurfalien at gmail.com wrote:
>>> On May 8, 2010, at 9:37 AM, Craig White wrote:
>>>
>>>>> I tried that a while back, together with webmin and that php thing.
>>>>>
>>>>> I was kinda hoping to use webmin for everything; DNS, DHCP, LDAP so
>>>>> that a jr sys admin could manage our intranet based services.  But
>>>>> with LDAP, webmin doesn't seem to like adding users to groups and
>>>>> errors out.
>>>>>
>>>>> So I just hand edit an ldif for now and ldapmodify.
>>>>>
>>>>> I'll revisit the webmin error regarding adding users to groups and see
>>>>> what's going on.
>>>> ----
>>>> I use webmin's LDAP Users and Groups to administer both users and groups
>>>> - it works fine if configured properly.
>>>
>>>
>>> Perfect!
>>>
>>> You mind sharing some nuggets?
>>>
>>> First, my issue;
>>>
>>> Using webmin, I can add users and also add them to groups and
>>> secondary group during initial creation of that user.
>>>
>>> However if I then try to add an already created user to a secondary
>>> group, webmin fails with;
>>>
>>> Failed to save group : Failed to modify group in LDAP database :
>>> modify/delete: description: no such attribute
>>>
>>> I can do this using ldapmodify with an ldif file, just not via webmin.
>>>
>>> I can add, remove users via webmin, I just can't add them to secondary
>>> groups after I've created them.
>>>
>>> I can only add them to secondary groups during initial creation of
>>> that user.
>>>
>>> Any help would be very very cool.
>>>
>>> Thanks in advance Craig.
>> ----
>> I only recently discovered that myself - and I noticed that only
>> occurred when the group is not a samba group (i.e. no sambaGroupMapping
>> ou) but I almost suspect that it's because I am not using 'objectclass
>> top' for these entries but I never really investigated further. The only
>> differences between the ones that I can edit and the ones I can't edit
>> are the objectclass 'sambaGroupMapping' and 'top'
> ----
> No - I just checked and the same thing still exists even if I add the
> 'top' objectclass to a 'non-samba' group but if it's a samba group, I
> have no problem adding/removing members using webmin. It would seem to
> be a problem with the webmin module.
>
> Just for kicks, I've been playing with it and it seems to be working now
> (now that I've turned logging on so I could report to Jamie).
>
> I did notice that it seems to help to put something (anything) in the
> description field.

Wow, thanks for the r&d Craig!

sambaGroupMapping aye?

I don't use samba and have my Windows clients auth against ldap via
pGina which is an ldap client for Windows.

However even if I don't use samba for client auth, is there a way to
add it in my config just so I can mod group members?
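
The hand-edited LDIF plus ldapmodify route mentioned in the thread, as an added example that is not part of the original messages: a shell helper that emits one modify record per group and touches only the membership attribute, so the missing `description` attribute never comes into play. The posixGroup/`memberUid` layout, the base DN and the function names are assumptions; names are validated before they are written into the LDIF so a crafted value cannot alter the DN or add directives.

```shell
#!/bin/sh
# Added example (not from the thread). Assumed layout: posixGroup entries
# under a placeholder base DN, with members listed in memberUid.
GROUP_BASE="${GROUP_BASE:-ou=Groups,dc=example,dc=com}"

# Accept only plain POSIX-style names. Anything containing a newline, comma,
# colon or space is rejected, because it would change the DN or inject
# extra LDIF lines once interpolated below.
valid_name() {
    case "$1" in
        ''|-*|*[!A-Za-z0-9._-]*) return 1 ;;
    esac
    return 0
}

# group_add_ldif USER GROUP...  -> LDIF on stdout, one modify record per group
group_add_ldif() {
    [ "$#" -ge 2 ] || { echo "usage: group_add_ldif USER GROUP..." >&2; return 1; }
    user="$1"; shift
    valid_name "$user" || { echo "bad user name" >&2; return 1; }
    # Validate every group first so a bad name produces no partial LDIF.
    for g in "$@"; do
        valid_name "$g" || { echo "bad group name: $g" >&2; return 1; }
    done
    for g in "$@"; do
        printf 'dn: cn=%s,%s\n' "$g" "$GROUP_BASE"
        printf 'changetype: modify\n'
        printf 'add: memberUid\n'
        printf 'memberUid: %s\n' "$user"
        printf -- '-\n\n'
    done
}

# Typical use (bind DN is a placeholder):
#   group_add_ldif jdoe staff wheel | \
#       ldapmodify -x -D "cn=Manager,dc=example,dc=com" -W
```

Without `-c`, ldapmodify stops at the first record that fails, for example when the user is already a member of that group.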