Server :: Define A Global Group Made Up Of Other Groups In LDAP?
Apr 13, 2011
I'm trying to create a group called Domain Users, that will include several other groups that are populated with users inside of the LDAP database. In the LDAPdatabase, for a group entry, there are memberUid entries that can be filled. When I try to use another "Group" name, it just lists that name and not the people in that group. So if group "A" has Jim, John, Sue, and I include group "A" in the memberUid of the Domain Users group, I want that to reference the people in that group, not the group name. Testing access right, having the group name listed in "Domain Users" group, does not grant user access under the group rights on a directory. Should be simple, but I don't know the syntax to use for this reference.
I am using RackMonkey to map out my lab. Unfortunately, due to RM limitations, every user who accesses the site has write access UNLESS they are logged in as a user named "guest". I currently have Apache allowing only the users (sysadmins) in an LDAP group access to RM, but I would like to allow read-only access for other users as well.I found mod_authn_anon, but I am having trouble combining the two authentication methods. I am using Apache 2.2.18 (compiled myself) on SLES 11.1.
This is the common part:
Code:
AuthType Basic AuthBasicProvider ldap anon Order allow,deny Allow from all
This part by itself works for the LDAP authentication:
Anonymous guest Anonymous_VerifyEmail Off Anonymous_MustGiveEmail Off Anonymous_LogEmail on Require valid-user
But if I have both of the previous blocks enabled at once, then guest access does not work. If I throw in a "Satisfy any", then I am not prompted for a username at all. How can I allow access to this LDAP group and to a user named "guest", but not allow all valid LDAP users to log in?
how to add users to groups with ldap? Further, could someone point me towards some good command-line management tools? Creating each dn manually is going to get old real fast...
this is really a brainstorming thread seeking advise on how to setup some samba shares within a small office network. For the quick judgers:
-no I'm not an IT expect and I'm not even the IT at the office, I just fill in this gap too. -I have looked into several samba 'by example' tutorials - none seems to fit my needs or answer some of my Qs.
So I seek advise from your experience: What do I know:
-the functionality of the setgid to have subfolders inherit the group owner of the parent folder -the fact that I don't want samba in 'share' level in order to register the owners of files -the functionality of acls that enables inheritance of rwx permissions to subfoldrs of a parent folder. - the groupmod -o option but that doesn't help apparently.
So this is a 25ppl civil engineer consulting office. The physical groups of ppl working here are: engineers, drafters (those who generate the drawings , i'm not sure if thats the correct term), and secretaries. The job usually is done in the following way, once a project commences a project folder gets generated and everything is done in there. incoming mail arrives there (secretaries put it there), engineers do they calculations on speadsheets, write reports and do draft drawings and, finally, drafters take the draft drawings and finalize them. So pretty much everyone of these 3 groups needs write access to the main project folder.
How do I accomplish that? as which group should I create the project folders? It came to mind the notion of group of groups. Now that the actual owner of the file is not so important anymore (several engineers will need to have write access to the folder) and group becomes important, it would be nice to have the ability to add... groups (instead of users) to groups! so that the permissions to a group are inherited by its children groups... Does such functionality exist of can it be implemented somehow?
How do I go about giving access to everyone and at the same time, NOT giving up on the 'user' secutiry level of samba (and NOT just giving rwx permission to 'others'? Is it possible? or Should I instead forget about individuals and match the 'physical groups' to 'linux users' and 'groups of groups' to 'linux groups'? ( This means I should give on ownership of files by individuals )? Since its a small office some work is mixed - engineers might pickup incoming email, a secretary might do abit of drafting work etcetc.
I have openldap server and i am authenticating with Redhat Directory Services(RHDS).I have confgured the RHDS for the user login giving /bin/bash as the login shell and joined the client machine using system-config-authentication.The user is able to login in connand line but below it gives the error : "cannot find name for group id <id number>"
I've installed Directory Server (LDAP). The setup has been done according to the tutorials online. Able to access the interface as well. So far so good. The issue I have is with permissions. I can assign file permissions to a user created in the Directory Server ( user not created on the local server). But the same can't be done for a group - alteast the way I currently see it. How could i assign file system rights to a group created in the directory server.
I've several servers (windows+linux) that authenticate to an LDAP server. There is one machine that I would like to allow only certain groups from LDAP server to have access and I am not sure where to start.
If that cannot be done, is it possible to disable LDAP root user to access these machines?
I want to add custom application launchers to Global Menu(AppMenu) is this possible and if yes how can I do that ?
Fore example I have an application at ~/apps/myapp/bin/myapp.sh and I want to add a launcher for it !
One more question is it possible to add Groups to Global Menu(AppMenu), as by default we have All Applications, Accessories, Universal Access .... I want to add new thing there.
P.S. It will take ages to get in touch with this new features ...
Is there a Linux system call that can be used to get the group name from the GID returned by stat()? I realize that I could parse /etc/groups (if my user had sufficient permissions).
We're trying to validate LDAP authentication from Linux against our AD global catalog servers. I'm seeing lots of LDAP query tools, but what I need is a free/open source application that can use LDAP to query AD to authenticate... something as simple as entering the hostname/IP of our AD/global catalog server and the port, then passing an AD username/password to it to validate logon capability. Anyone know of any software/apps that can do this? I don't want to get into configuring Samba for LDAP or trying to authenticate my actual Linux server again AD... I just want an application that uses LDAP for authentication.
I would like to create a bash script that creates a single group from all users in other groups.
I've been at it most of the day, and I think I'm making it too complicated. I have about 100 lines of code, and it's still now working the way I would like. I'm starting to trip over my own feet with the amount of if statements and variables.
I have Ubuntu 10.04.2 (Linux 2.6.32-33-server on x86_64) with OpenLDAP 2.4.21 and Webmin1.550. I converted my ldap database from another system with the older style schema (OpenLDAP 2.3.3 with slightly older Webmin version 1.480) and no longer use slapd.conf, but the newer slapd.d format.
It all works fine except for one thing. When I add a new user, it lets me type in the additional LDAP fields:
But when I click the Create button, all the fields get jumbled together in the Title/Position box with a diamond question mark delimiting the fields:
Modifying existing users (which have the Additional fields displaying correctly) also has the same result - it moves the fields all into the one Title/Position box with the diamond shapes with question marks inside between each entry. Is it a problem with my schema files? I tried reverting to the older shema files and slapd.conf and it still did the same thing on the new system. I am really at a loss.
Here is also the output of ldapsearch for that user (host and samba ids are sanitized):
Previously added users that show the fields properly have "description:" and then the field listed for each Additional LDAP field. Also shouldn't the "title" be visible in plain human readable text here? - it looks like it encrypted it somehow - similar to a password hash. The older system works fine and the fields are all readable and in their proper locations. But the new system just doesn't work right.
I would like to ask:How do I setup LDAP auth of users/groups on Debian 5.0?Is it using LDAP Migration tools? Can be done differently? Using different tool? Some nice tootorial?Some up to date book for LDAP or I need to dig in openldap.org?I'm learning by book which is a lil bit older so Im bit confused.
I am setting up a samba server to operate in a windows AD domain. I want to set permissions for multiple groups to have different levels of access to one group of files, and it looks to me like unix permissions will not do that? I always hear about how robust linux is, and it seems to me that their file permissions model is WEAK compared to microsoft's?
Just installed openldap server on a VM CentOS called 'ldapsrv', it works fine, ldapsearch returns all ldap information.
Installed openldap client on another VM CentOS called 'ldapclient1', configured it with most basic configuration, no ssl/tls etc. but ldapsearch returns error:
After installing VirtualBox, add yourself to the Vboxusers group in System -> Administration -> Users and Groups.Then re-boot your computer!Otherwise you will spend hours (like me) wondering why your USB devices are not available in your guest VM.I just did a complete install on a new, larger hard drive and had forgotten this simple fact. Doh!
we have a weird problem with our opensuse 11.2 server installation.
We want to set up a LDAP Server using the Yast-LDAP Server configuriation tool.
This indeed already worked weeks ago until....this week. Maybe some updates??!
I do not know what happend exactly. The server just does not want to start again and throws following error:
Starting ldap-serverstartproc: exit status of parent of /usr/lib/openldap/slapd: 1 failed
This happend after a little check of the configuration, but without a change, with Yast. Google delivered only "reinstall your box"-answers.
So.. i did that. And now the "mystical" part: The SAME ERROR occurs with a fresh vanilla system with a brand new and simple configuration (certificats, database, pw...the first Yast config dialog...). I did not change the way i set it up.
I remember, when i did this the first time with 11.2 on that machine, when no problems occured...everything was running out of the box (except the "use commen server certificate" option...).
I've been trying to set up a Linux-only network and currently have a working DHCP, DNS, LDAP and NFS server, with a client that can authenticate with the LDAP server and a central /home folder.However, if I wanted to share folders on the NFS server, how would I make the share available to, for example, a particular group of users in the directory?I've never used NIS(+) on a network, but believe you can add a 'group' of users in the /etc/exports file--simples!Does anyone know of the best way to do it (even better anyone who is doing this in a production environment)?
i have configured ldapserver on rhel4 for creating address book
following are configuration files on ldap server /etc/openldap/slapd.conf include /etc/openldap/schema/core.schema include /etc/openldap/schema/cosine.schema include /etc/openldap/schema/inetorgperson.schema include /etc/openldap/schema/nis.schema
i am able to import this ldif file into database.also when i perform the ldapsearch on this server with command"ldapsearch �x �W �D �cn=manager, dc=example, dc =com� �b �dc=example, dc=com�" i get correct output.
but when i am trying to search from another client machine, i am getting "error ldap_sasl_bind(SIMPLE): Can't contact LDAP server (-1)"
also when i configured address book on mozilla on server., it is working fine.but not working on another machine.is any configuration is missing on client machine.both ldap server and client are configured on rhel4es without any firewall or selinux.
I'm trying to set up a Linux server and I am new to this. I have gone through most of the configuration using SAMBA 3.0 and when I populate the ldap directory all I get this error before the password request:
Then when I perform an ldapsearch to see if the directory is populated I get this message:
I'm checking with a sniffer and there's activity going on between the client and the LDAP server... as a matter of fact, the sniffer shows that the search is producing one ldap item, however, php says it can't contact the ldap server (after it has bound and everything):
The script is working beautifully on another host with debian.
In the past I found some great help on this forum, so here goes. Bare with me because it's a long story. I'll try to be as complete as possible. I've installed and configured OpenLdap on a virtual machine with ip 192.168.39.134. I've added 2 users via LAM. In the ou WikiUsers and the domain is wiki.local.
I've then created another host with ip 192.168.39.133 with mediawiki installed on it. Then I added the extension LDAPAuthenthication. In the LdapAuthentication file I added this code (only the last paragraph is mine, I added the others to show it's location in the script):
I know I'm close because I can't register any new users or accounts on the mediawiki site. Although I could before I added the LDAP service. This is indeed all just to test and get to know how LDAP works. That's why it's all virtual in VMWare. I did not really configure anything on the LDAP, i just installed it and chose a domain (wiki.local).
I have a set of two amd64 machines with Debian Lenny. Machine 2 reads all the users' information from the Machine 1 through LDAP. Also, in Machine 2 I set up a dchroot environment for 32 bits compatibility ( following [URL]
In addition to the above instructions, on this Machine 2, I set up /etc/libnss*, /etc/ldap/*, and /etc/nsswitch.conf both for the amd64 and for the i386 environments. I have no problems if I'm in the native amd64 mode. However, once I enter the i386 dchroot, some strange things happen:
1) For users from uid=1000 to uid=1031, I get an error if running 'whoami' (Cannot find name for user ID XXXX) and if I run 'id' , I get all the correct group numbers but no translation to group names in parenthesis as it should be. 'ls -l' also only lists group numbers but no names.
2) for user 1032 I cannot even change into the dchroot, I get the error "E: Group '1,031' not found"
can anyone tell me what is the difference between these two files of LDAP client /etc/ldap.conf and /etc/ldap/ldap.conf and for what purposes these two files gives services. Is it necessary to have these two files at a time ?
I use these files to install LDAP client to authenticate with our LDAP server by creating a symbolic link of /etc/ldap.conf to /etc/ldap/ldap.conf.
I had a machine that is using ldap, but need to remove it completely.I edited the /etc/nsswitch.conf and removed all references of ldapand renamed /etc/ldap.conf to /etc/ldap.conf.bakI can log in as root, but cannot log in as any user in /etc/passwdIn the /var/log it shows pam_ldap: missing file "/etc/ldap.conf"I am guessing I am missing something else?I never set this machine up for ldap, was here when i got here, so not sure of steps to even put ldap on.
I was wondering how could I specify for how long the logs will be kept. Rsyslog doesn't have such an option (at least I didn't find it).Do I have to use logrotate for this, or is there some other option?
I already know of a work around to fix this problem, but I guess my question is why is this not working as expected? I am using a Windows Server 2008 R2 Active Directory for authentication.
I have run auth-client-config for the ldap profile and pam-auth-update. When running getent passwd, I get a list of both the local users and the users in the active directory (with populated information in the Unix schema extension). When running getent group I get a list of both the local groups and the groups in the active directory (with populated information in the Unix schema extension).
Interestingly enough, though, when I run su DOMAINUSER, after the prompt for the password I get an authentication error. In /var/log/auth.log I can see an entry with pam_ldap: missing "host" in file "/etc/ldap.conf". The SRV records in the DNS servers resolve correctly. I've checked this with nslookup and I have seen the records within my zone file. Obviously if the ldap.conf file is working with getent and the ldap server is resolving from the SRV records, it is working fine.
The interesting part is that the Windows Server 2008 R2 AD machine shows in the event viewer that there was a successful authentication, yet the Ubuntu box says no. When I add the host within the ldap.conf file, everything works...getent and the actual authentication, either initial login or su.
I am currently trying to set up a Samba domain server. In the Samba-HOWTO-Collection I found an example file.(Point 3.3.3.1) In the explanations of the example below, the author says I need to map UNIX Groups to NT Groups. He writes a shell-script of how one could do it, but when I copy it and then execute it, I get the error:
Bad option: rid=512 Bad option: rid=513 Bad option: rid=514
The other groups do get mapped, just the Domain Admins, Domain Users and Domain Guests dont. This is the shell from the HOWTO:
#!/bin/bash #### Shell-Skript f ̈r sp ̈tere Verwendung aufbewahren net groupmap modify ntgroup="Domain Admins" unixgroup=ntadmins rid=512 net groupmap modify ntgroup="Domain Users" unixgroup=users rid=513 net groupmap modify ntgroup="Domain Guests" unixgroup=nobody rid=514
