Openldap + dynlist + posixGroup

放肆的年华 submitted on 2019-12-05 07:15:04

Question


I have a problem with OpenLDAP and file permissions.

First - I set this in my slapd.conf:

overlay         dynlist
dynlist-attrset labeledURIObject labeledURI

Second - I create cn=test,ou=Projects,dc=example,dc=com with:

dn: cn=test,ou=Projects,dc=example,dc=com
gidNumber: 6789
objectClass: posixGroup
objectClass: top
objectClass: labeledURIObject
labeledURI: ldap:///cn=testgroup,ou=Groups,dc=example,dc=com?memberUid?sub?(objectClass=posixGroup)
memberUid: user1 (dynamic)
memberUid: user2 (dynamic)

In cn=testgroup,ou=Groups,dc=example,dc=com I have memberUid: user1 and memberUid: user2.

Third - when I run getent group test I get:

test:*:6789:user1,user2

But when I try id user1 I don't see this group :(

Next I set chmod 770 dir and chown root.test dir and try to access this dir.

But of course it is not possible, because the user is not in this group (as id said).

Does anyone know the solution?


Answer 1:


Third - when I run getent group test I get:

test:*:6789:user1,user2

But when I try id user1 I don't see this group :(

Unfortunately dynamic lists (dynlists) are ONE WAY groups (not TWO way). This means that reverse lookups won't work, which causes the very issue you are now facing. There is no way to make reverse posix group lookups work with dynlist.

HOWEVER, there is another module available somewhere on OpenLDAP's site I believe. It is called autogroup. This is a static-group maintainer module. This method of grouping does not involve dynamic data; rather it is REAL data that is automagically managed by the autogroup module. However, it is configured similarly to a dynlist group, as it uses the labeledURI attribute to allow a "stored procedure" so to speak.

I too was disappointed when I realized the shortcomings of dynlist, and I should point out that autogroup is still somewhat experimental. Test thoroughly and report any bugs to OpenLDAP.

I hope this helps...

Max




Answer 2:


Groups are constructed here in this way, without memberUid but with member:

dn: cn=mygroup,ou=groups,o=company
objectClass: posixGroup
objectClass: top
objectClass: groupOfNames
cn: mygroup
member: uid=user1,ou=users,o=company
displayName: mygroup
gidNumber: 1234

The schema type is also to be set to RFC2307bis (ldap_schema = rfc2307bis in sssd.conf).




Answer 3:


For the 3rd issue, the problem is that id will use an LDAP request with (member=uid=login,...) while getent group will search for the group (cn=groupname). So the 2nd one triggers the overlay, while the first doesn't (see the man page). I also faced the issue, and found some links about it: http://www.openldap.org/lists/openldap-software/200708/msg00250.html and http://www.openldap.org/lists/openldap-devel/200708/msg00127.html.

So far, I haven't found any good solution; maybe changing nss_ldap would work (if you use it, which you didn't explain).
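The asymmetry this answer describes, as an added example that is not part of the original thread: a small Python model of the dynlist overlay. The directory entries, the gidNumber of testgroup and the attribute names are constructed to mirror the question; the real overlay runs inside slapd, this only reproduces the order of "filter, then read" that causes the behaviour, plus an audit that lists groups whose membership exists only through dynlist.

```python
# Added example, not code from the original post: a small model of why dynlist
# membership shows up in "getent group" but not in "id". Entries are constructed.

# Static attributes as slapd stores them (constructed sample directory).
DIRECTORY = {
    "cn=testgroup,ou=Groups,dc=example,dc=com": {
        "cn": ["testgroup"], "objectClass": ["posixGroup"], "gidNumber": ["6790"],
        "memberUid": ["user1", "user2"]},
    "cn=test,ou=Projects,dc=example,dc=com": {
        "cn": ["test"], "objectClass": ["posixGroup", "labeledURIObject"],
        "gidNumber": ["6789"],
        "labeledURI": ["ldap:///cn=testgroup,ou=Groups,dc=example,dc=com"
                       "?memberUid?sub?(objectClass=posixGroup)"]},
}

def match(entry, attr, value):
    """Case-insensitive (attr=value) test against an entry's stored values."""
    return value.lower() in (v.lower() for v in entry.get(attr, []))

def expand_dynlist(dn):
    """What a client reads back: stored attributes plus the values the dynlist
    overlay generates from each labeledURI (base?attrs?scope?filter) at read time."""
    entry = {k: list(v) for k, v in DIRECTORY[dn].items()}
    for uri in entry.get("labeledURI", []):
        base, attrs, scope, flt = uri[len("ldap:///"):].split("?")
        f_attr, f_val = flt.strip("()").split("=", 1)   # only (attr=value) filters here
        for other_dn, other in DIRECTORY.items():
            in_scope = other_dn == base or (scope == "sub" and other_dn.endswith("," + base))
            if in_scope and match(other, f_attr, f_val):
                for a in attrs.split(","):
                    entry.setdefault(a, []).extend(other.get(a, []))
    return entry

def getent_group(cn):
    """getent group NAME searches (cn=NAME) and then reads the entry, so the
    overlay has a chance to add the dynamic memberUid values."""
    return sorted(m for dn, e in DIRECTORY.items() if match(e, "cn", cn)
                  for m in expand_dynlist(dn).get("memberUid", []))

def id_groups(uid):
    """id USER searches (memberUid=USER); the filter is evaluated against stored
    attributes before any expansion, so dynamic members never match."""
    return sorted(dn for dn, e in DIRECTORY.items() if match(e, "memberUid", uid))

def groups_invisible_to_id():
    """Audit: groups whose membership exists only through dynlist and therefore
    will not grant filesystem access via id/initgroups."""
    return sorted(dn for dn, e in DIRECTORY.items()
                  if set(expand_dynlist(dn).get("memberUid", [])) - set(e.get("memberUid", [])))
```

Running the audit against a real directory export is a quick way to find posixGroups that look complete in getent but do nothing for chmod 770 directories.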



Source: https://stackoverflow.com/questions/4603570/openldap-dynlist-posixgroup
