List: pamldap
Subject: RE: [pamldap] multiple gidnumbers
From: "Jennifer L. Hamilton" <jhamilto () n2h2 ! com>
Date: 2001-08-24 19:57:48
Ok, I now have two groups, cvs-snoc and cvs-ops.
cvs-snoc and jhamilto are members of cvs-ops.
user2 (memberuid 1186) is a member of cvs-snoc.

Here are the LDIFs as they look now:

dn: cn=cvs-ops,ou=CVS Groups,o=n2h2.com
cn: cvs-ops
uniquemember: cn=cvs-snoc,ou=CVS Groups,o=n2h2.com
uniquemember: uid=jhamilto,ou=people,o=n2h2.com
gidnumber: 2001
objectclass: posixgroup
objectclass: groupOfUniqueNames

dn: cn=cvs-snoc,ou=CVS Groups,o=n2h2.com
objectclass: top
objectclass: groupofuniquenames
objectclass: posixgroup
cn: cvs-snoc
gidnumber: 3001
memberuid: 1186 <-- This is another user's uidnumber

Now that I have the LDIFs set up (correctly, I hope), what configs do I
need on the client side?

Here is my /etc/ldap_pam.conf file:

# Your LDAP server.
host ldap.n2h2.com
# The distinguished name of the search base.
base ou=people,o=n2h2.com
# Use the V3 protocol to optimize searches
ldap_version 3
# NOTE: If you use these, be sure to chmod 600 this file
# for security reasons
#
# The distinguished name to bind to the server with.
# Optional: default is to bind anonymously.
#binddn cn=manager,dc=example,dc=net
#
# The credentials to bind with.
# Optional: default is no credential.
#bindpw secret
# Filter to AND with uid=%s
#pam_filter objectclass=account
pam_filter objectclass=posixaccount
# The user ID attribute (defaults to uid)
pam_login_attribute uid
# Search the root DSE for the password policy (works
# with Netscape Directory Server)
#pam_lookup_policy yes
# Group to enforce membership of
# Group member attribute
#pam_member_attribute uniquememberuid
# Hash password locally; required for University of
# Michigan LDAP server, and works with Netscape
# Directory Server if you're using the UNIX-Crypt
# hash mechanism and not using the NT Synchronization
# service.
pam_crypt local

Thanks for your help!

Jen

On Fri, 24 Aug 2001, Justin Hahn wrote:
> Here's the thing, gidnumber is the user's primary group, just like in
> /etc/passwd - this means you can only have one.
>
>
> If you want supplementary groups, like /etc/group, then import the groups to
> LDAP and use one of the following examples:
>
> dn: cn=cvs-ops,ou=groups,o=n2h2.com
> objectclass: posixgroup
> gidNumber: 3002
> memberUid: 1315
> memberUid: <uid of another member>
>
> OR
>
> dn: cn=cvs-ops,ou=groups,o=n2h2.com
> objectClass: posixGroup
> objectClass: groupOfUniqueNames
> uniqueMember: uid=jhamilto,ou=people,o=n2h2.com
> uniqueMember: uid=someone,ou=people,o=n2h2.com
>
> And so forth.
>
> That will do what you want.
>
> NOTE: I may be missing a few attributes and objectClasses from my group
> specs. For example, my groups look like this (I use the second method):
>
> dn: cn=blah,ou=group,o=profitlogic
> objectClass: posixGroup
> objectClass: groupofUniqueNames
> cn: blah
> gidNumber: 5001
> uniqueMember: uid=person0,ou=people,o=profitlogic
> uniqueMember: uid=person1,ou=people,o=profitlogic
> uniqueMember: uid=person2,ou=people,o=profitlogic
> uniqueMember: uid=person3,ou=people,o=profitlogic
> uniqueMember: uid=person4,ou=people,o=profitlogic
> uniqueMember: uid=person5,ou=people,o=profitlogic
>
>
>
> > -----Original Message-----
> > From: Jennifer Hamilton [mailto:jhamilto@n2h2.com]
> > Sent: Friday, August 24, 2001 12:15 PM
> > To: pamldap@padl.com
> > Subject: [pamldap] multiple gidnumbers
> >
> >
> > How do I map multiple gidnumber attributes to a client's /etc/groups
> > file?
> >
> > For example:
> > LDIF:
> > dn: uid=jhamilto,ou=people,o=n2h2.com
> > uidnumber: 1315
> > uid: jhamilto
> > gidnumber: 10
> > gidnumber: 3002
> >
> > I set up two gidnumbers. The first one maps to the /etc/group file on
> > the client just fine. What I want to do is to be able to map
> > the second
> > one (and multiples after that).
> >
> > jhamilto@cvstest:/tmp$ cat /etc/group
> > uucp::10 # This one maps
> > cvs-ops::3002: # This one doesn't
> >
> > jhamilto@cvstest:/tmp$ groups
> > uucp
> >
> > I have pam_ldap-43-2, Debian 2.2, iplanet ldap
> >
> >
> > Thanks!
> >
> > Jen Hamilton
> >
>
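
As an added example (not part of the original thread or of pam_ldap/nss_ldap), the following lints group entries like those posted above for three things that affect who ends up in a group: a numeric memberUid (RFC 2307 defines memberUid as a login name), a uniqueMember DN that points at another group, and a groupOfUniqueNames entry with no uniqueMember. The function names parse_ldif and lint_groups are hypothetical, and the sample LDIF is constructed from the entries in the message.

```python
# Constructed sample: the two group entries from the message, annotation dropped.
SAMPLE_LDIF = """\
dn: cn=cvs-ops,ou=CVS Groups,o=n2h2.com
cn: cvs-ops
uniquemember: cn=cvs-snoc,ou=CVS Groups,o=n2h2.com
uniquemember: uid=jhamilto,ou=people,o=n2h2.com
gidnumber: 2001
objectclass: posixgroup
objectclass: groupOfUniqueNames

dn: cn=cvs-snoc,ou=CVS Groups,o=n2h2.com
objectclass: top
objectclass: groupofuniquenames
objectclass: posixgroup
cn: cvs-snoc
gidnumber: 3001
memberuid: 1186
"""

def parse_ldif(text):
    """Parse simple LDIF (no folding, no base64) into {attr: [values]} dicts."""
    entries = []
    for block in text.strip().split("\n\n"):
        entry = {}
        for line in block.splitlines():
            attr, sep, value = line.partition(":")
            if sep and not line.startswith("#"):
                entry.setdefault(attr.strip().lower(), []).append(value.strip())
        entries.append(entry)
    return entries

def lint_groups(entries):
    """Return (cn, finding) pairs for posixGroup membership values to review."""
    def classes(e):
        return {oc.lower() for oc in e.get("objectclass", [])}
    groups = [e for e in entries if "posixgroup" in classes(e)]
    group_dns = {e.get("dn", [""])[0].lower() for e in groups}
    findings = []
    for e in groups:
        cn = e.get("cn", ["?"])[0]
        for uid in e.get("memberuid", []):
            if uid.isdigit():  # RFC 2307: memberUid holds login names
                findings.append((cn, "numeric memberUid: " + uid))
        for dn in e.get("uniquemember", []):
            if dn.lower() in group_dns:  # member DN is itself a group
                findings.append((cn, "nested group member: " + dn))
        if "groupofuniquenames" in classes(e) and "uniquemember" not in e:
            findings.append((cn, "groupOfUniqueNames without uniqueMember"))
    return findings
```

Whether a nested uniqueMember is expanded depends on the client's resolver, so that finding is a prompt to compare the directory entry with what `id` reports for the user on a client.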