On 03.01.22 at 18:19, Quanah Gibson-Mount wrote:
>
>
> --On Monday, January 3, 2022 6:14 PM +0100 Michael Ströder
> <mich...@stroeder.com> wrote:
>
>> On 1/3/22 18:03, Quanah Gibson-Mount wrote:
>>> In general, "memberUID" is for use with posix groups (NOT LDAP groups).
>>> But again, it's generally deficient since it cannot discern between two
>>> different entries with the same UID. I.e.:
>>>
>>> dn: uid=joe,ou=employees,dc=example,dc=com
>>> uid: joe
>>>
>>> dn: uid=joe,ou=students,dc=example,dc=com
>>> uid: joe
>>
>> But slapo-unique could be used to enforce uniqueness of 'uid' attribute.
>
> It could, but it still doesn't fix the fact that *LDAP* groups are made
> up of DNs, not random attribute:value pairs.
>
> --Quanah
>

That's why I built my own objectClasses for posixAccount and posixGroup:

---------------
dn: cn=stkaPosixExtension,cn=schema,cn=config
objectClass: olcSchemaConfig
cn: stkaPosixExtension
olcObjectClasses: ( 1.3.6.1.4.1.56860.1.2.1 NAME 'stkaPosixGroup' DESC 'advanced PosixGroup for dynamic use' SUP top AUXILIARY MUST ( cn $ gidNumber ) MAY ( userPassword $ memberUid $ description ) )
olcObjectClasses: ( 1.3.6.1.4.1.56860.1.2.2 NAME 'stkaPosixAccount' DESC 'advanced PosixAccount for dynamic use' SUP posixAccount AUXILIARY MAY ( memberUID ) )
---------------

I can see the group with "getent groups".

I use sssd on the client with the following domain configuration:

--------------
[domain/EXAMPLE]
ldap_schema = rfc2307
ldap_uri =
ldap_search_base = dc=example,dc=net
id_provider = ldap
auth_provider = krb5
chpass_provider = krb5
krb5_realm = EXAMPLE.NET
dns_discovery_domain = EXAMPLE.NET
krb5_server =
ldap_sasl_mech = GSSAPI
ldap_sasl_authid = sssd-user
ldap_krb5_keytab = /etc/sssd/sssd-user.keytab
ldap_chpass_uri = ldap://ldap01.example.net:389
cache_credentials = True
ldap_tls_cacertdir = /etc/ssl/zertifikate/demoCA
ldap_tls_cacert = /etc/ssl/zertifikate/demoCA/cacert.pem
ldap_id_use_start_tls = True
enumerate = TRUE
ldap_group_object_class = PosixGroup
ldap_group_object_class_alt = stkaPosixGroup
--------------

The parameter "enumerate = TRUE" is for testing only.

I see the group with "getent group", but the strange thing is, sometimes with all members and sometimes with an empty member list.

>
> --
>
> Quanah Gibson-Mount
> Product Architect
> Symas Corporation
> Packaged, certified, and supported LDAP solutions powered by OpenLDAP:
> <http://www.symas.com>
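The memberUid ambiguity Quanah describes, worked through as an added example that is not part of this thread and not code from OpenLDAP, sssd or the poster's schema: a constructed sample directory (two entries sharing uid=joe, a posixGroup naming members by memberUid, and a groupOfNames naming them by DN), a deliberately minimal LDIF parser (an assumption: no base64 values, no line continuations), a collision audit that reports what slapo-unique would reject at write time, and the two membership resolutions side by side. The point it makes visible is that memberUid: joe grants the group to both joe entries, while a member DN names exactly one.

```python
"""posixGroup memberUid vs LDAP group member DN: why uid collisions matter.

Added example for the openldap-technical thread above; the directory
content below is constructed, not taken from any real deployment.
"""
from collections import defaultdict

# Constructed sample directory. The two uid=joe entries mirror the
# example in the quoted message.
SAMPLE_LDIF = """\
dn: uid=joe,ou=employees,dc=example,dc=com
objectClass: posixAccount
uid: joe
uidNumber: 1001
gidNumber: 100

dn: uid=joe,ou=students,dc=example,dc=com
objectClass: posixAccount
uid: joe
uidNumber: 2001
gidNumber: 200

dn: uid=anna,ou=employees,dc=example,dc=com
objectClass: posixAccount
uid: anna
uidNumber: 1002
gidNumber: 100

dn: cn=admins,ou=groups,dc=example,dc=com
objectClass: posixGroup
cn: admins
gidNumber: 5000
memberUid: joe
memberUid: anna

dn: cn=admins-dn,ou=groups,dc=example,dc=com
objectClass: groupOfNames
cn: admins-dn
member: uid=joe,ou=employees,dc=example,dc=com
member: uid=anna,ou=employees,dc=example,dc=com
"""


def parse_ldif(text):
    """Parse minimal LDIF (assumption: no base64 values, no continuation
    lines) into {dn: {attribute: [values]}}. Attribute names are folded
    to lower case because LDAP attribute names are case-insensitive
    (memberUid and memberUID are the same attribute)."""
    entries = {}
    current = None
    for raw in text.splitlines():
        line = raw.rstrip()
        if not line:                      # blank line ends the entry
            current = None
            continue
        attr, _, value = line.partition(":")
        attr, value = attr.strip().lower(), value.strip()
        if attr == "dn":
            current = entries.setdefault(value, defaultdict(list))
        elif current is not None:
            current[attr].append(value)
    return entries


def uid_collisions(entries):
    """Return {uid: [dn, ...]} for every uid value carried by more than one
    entry. This is exactly the state slapo-unique (configured on uid)
    would refuse to let the directory enter."""
    by_uid = defaultdict(list)
    for dn, attrs in entries.items():
        for uid in attrs.get("uid", []):
            by_uid[uid.lower()].append(dn)
    return {u: dns for u, dns in by_uid.items() if len(dns) > 1}


def resolve_memberuid(entries, group_dn):
    """Resolve a posixGroup's memberUid values to entry DNs the way an
    rfc2307 client must: by searching for uid=<value>. A colliding uid
    resolves to several DNs, i.e. several accounts get the group."""
    result = {}
    for uid in entries[group_dn].get("memberuid", []):
        result[uid] = sorted(
            dn for dn, attrs in entries.items()
            if uid.lower() in (v.lower() for v in attrs.get("uid", []))
        )
    return result


def resolve_member_dn(entries, group_dn):
    """Resolve a groupOfNames' member DNs. Each value names at most one
    entry; the flag records whether that entry exists (a dangling DN
    grants nothing)."""
    return {dn: dn in entries for dn in entries[group_dn].get("member", [])}


if __name__ == "__main__":
    directory = parse_ldif(SAMPLE_LDIF)
    print("uid collisions:", uid_collisions(directory))
    print("memberUid:", resolve_memberuid(directory, "cn=admins,ou=groups,dc=example,dc=com"))
    print("member DN:", resolve_member_dn(directory, "cn=admins-dn,ou=groups,dc=example,dc=com"))
```

Running the audit against an LDIF export (slapcat output) before relying on memberUid-based groups shows whether the directory already contains the collisions that would make a uid-keyed group grant membership to the wrong account; slapo-unique then keeps new ones from appearing.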