
List:       pamldap
Subject:    RE: [pamldap] multiple gidnumbers
From:       "Jennifer L. Hamilton" <jhamilto () n2h2 ! com>
Date:       2001-08-24 19:57:48


Ok, I now have two groups, cvs-snoc and cvs-ops.
cvs-snoc and jhamilto are members of cvs-ops
user2 (memberuid 1186) is a member of cvs-snoc.

Here are the ldif's as they look now:

dn: cn=cvs-ops,ou=CVS Groups,o=n2h2.com
cn: cvs-ops
uniquemember: cn=cvs-snoc,ou=CVS Groups,o=n2h2.com
uniquemember: uid=jhamilto,ou=people,o=n2h2.com
gidnumber: 2001
objectclass: posixgroup
objectclass: groupOfUniqueNames

dn: cn=cvs-snoc,ou=CVS Groups,o=n2h2.com
objectclass: top
objectclass: groupofuniquenames
objectclass: posixgroup
cn: cvs-snoc
gidnumber: 3001
memberuid: 1186 <-- This is another user's uidnumber


Now that I have the ldif's set up (correctly, I
hope), what configs do I need on the client side?

Here is my /etc/ldap_pam.conf file:
# Your LDAP server.
host ldap.n2h2.com

# The distinguished name of the search base.
base ou=people,o=n2h2.com

# Use the V3 protocol to optimize searches
ldap_version 3

# NOTE: If you use these, be sure to chmod 600 this file
# for security reasons
#
# The distinguished name to bind to the server with.
# Optional: default is to bind anonymously.
#binddn cn=manager,dc=example,dc=net
#
# The credentials to bind with.
# Optional: default is no credential.
#bindpw secret
# Filter to AND with uid=%s
#pam_filter objectclass=account
pam_filter objectclass=posixaccount

# The user ID attribute (defaults to uid)
pam_login_attribute uid

# Search the root DSE for the password policy (works
# with Netscape Directory Server)
#pam_lookup_policy yes

# Group to enforce membership of

# Group member attribute
#pam_member_attribute uniquememberuid

# Hash password locally; required for University of
# Michigan LDAP server, and works with Netscape
# Directory Server if you're using the UNIX-Crypt
# hash mechanism and not using the NT Synchronization
# service.
pam_crypt local


Thanks for your help!

Jen

On Fri, 24 Aug 2001, Justin Hahn wrote:

> Here's the thing, gidnumber is the user's primary group, just like in
> /etc/passwd - this means you can only have one.
> 
> 
> If you want supplementary groups, like /etc/group, then import the groups to
> LDAP and use one of the following examples:
> 
> dn: cn=cvs-ops,ou=groups,o=n2h2.com
> objectclass: posixgroup
> gidNumber: 3002
> memberUid: 1315
> memberUid: <uid of another member>
> 
> OR
> 
> dn: cn=cvs-ops,ou=groups,o=n2h2.com
> objectClass: posixGroup
> objectClass: groupOfUniqueNames
> uniqueMember: uid=jhamilto,ou=people,o=n2h2.com
> uniqueMember: uid=someone,ou=people,o=n2h2.com
> 
> And so forth.
> 
> That will do what you want.
> 
> NOTE: I may be missing a few attributes and objectClasses from my group
> specs. For example, my groups look like this (I use the second method):
> 
> dn: cn=blah,ou=group,o=profitlogic
> objectClass: posixGroup
> objectClass: groupofUniqueNames
> cn: blah
> gidNumber: 5001
> uniqueMember: uid=person0,ou=people,o=profitlogic
> uniqueMember: uid=person1,ou=people,o=profitlogic
> uniqueMember: uid=person2,ou=people,o=profitlogic
> uniqueMember: uid=person3,ou=people,o=profitlogic
> uniqueMember: uid=person4,ou=people,o=profitlogic
> uniqueMember: uid=person5,ou=people,o=profitlogic
> 
> 
> 
> > -----Original Message-----
> > From: Jennifer Hamilton [mailto:jhamilto@n2h2.com]
> > Sent: Friday, August 24, 2001 12:15 PM
> > To: pamldap@padl.com
> > Subject: [pamldap] multiple gidnumbers
> > 
> > 
> > How do I map multiple gidnumber attributes to a client's /etc/groups
> > file?
> > 
> > For example:
> > LDIF:
> > dn: uid=jhamilto,ou=people,o=n2h2.com
> > uidnumber: 1315
> > uid: jhamilto
> > gidnumber: 10
> > gidnumber: 3002
> > 
> > I set up two gidnumbers. The first one maps to the /etc/group file on
> > the client just fine. What I want to do is to be able to map the second
> > one (and multiples after that).
> > 
> > jhamilto@cvstest:/tmp$ cat /etc/group
> > uucp::10	# This one maps
> > cvs-ops::3002:	# This one doesn't
> > 
> > jhamilto@cvstest:/tmp$ groups
> > uucp
> > 
> > I have pam_ldap-43-2, Debian 2.2, iplanet ldap
> > 
> > 
> > Thanks!
> > 
> > Jen Hamilton
> > 
> 
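
An added example, not part of the original thread: a small audit that resolves which logins the two group entries above actually grant, and reports member references that do not resolve to a person. It assumes the RFC 2307 reading in which `memberuid` holds login names and `uniquemember` holds DNs, and it does not expand nested groups (whether a given client does is not assumed here). The `user2` DN and the function names are constructed for illustration.

```python
# Constructed sample: the thread's two group entries (trimmed) plus two minimal person entries.
SAMPLE_LDIF = """\
dn: uid=jhamilto,ou=people,o=n2h2.com
uid: jhamilto
uidnumber: 1315

dn: uid=user2,ou=people,o=n2h2.com
uid: user2
uidnumber: 1186

dn: cn=cvs-ops,ou=CVS Groups,o=n2h2.com
cn: cvs-ops
uniquemember: cn=cvs-snoc,ou=CVS Groups,o=n2h2.com
uniquemember: uid=jhamilto,ou=people,o=n2h2.com
objectclass: posixgroup

dn: cn=cvs-snoc,ou=CVS Groups,o=n2h2.com
objectclass: posixgroup
cn: cvs-snoc
memberuid: 1186
"""

def parse_ldif(text):
    # Simple LDIF only (no line folding, no base64); DNs are lowercased as dict keys.
    entries = {}
    for block in text.strip().split("\n\n"):
        attrs = {}
        for line in block.splitlines():
            key, _, value = line.partition(":")
            attrs.setdefault(key.strip().lower(), []).append(value.strip())
        entries[attrs["dn"][0].lower()] = attrs
    return entries

def audit_groups(entries):
    # Returns ({login: set of group cn}, findings). Nested groups are reported, not expanded.
    people = {dn: a["uid"][0] for dn, a in entries.items() if "uid" in a}
    logins = {login: login for login in people.values()}
    groups = {dn: a for dn, a in entries.items() if "posixgroup" in map(str.lower, a.get("objectclass", []))}
    member_of, findings = {login: set() for login in logins}, []
    for g in groups.values():
        cn = g["cn"][0]
        for attr, lookup in (("memberuid", logins), ("uniquemember", people)):
            for ref in g.get(attr, []):
                key = ref.lower() if attr == "uniquemember" else ref
                if (login := lookup.get(key)):
                    member_of[login].add(cn)
                else:
                    findings.append((cn, attr, ref, "nested group" if key in groups else "unresolved"))
    return member_of, findings
```

Running `audit_groups(parse_ldif(SAMPLE_LDIF))` on this sample grants `jhamilto` only `cvs-ops`, grants `user2` nothing, and returns one finding for the numeric `memberuid` and one for the group DN listed as a `uniquemember`.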
