Openldap + dynlist + posixGroup


Problem description
I have a problem with OpenLDAP and file permissions.

First - I set this in my slapd.conf:

overlay         dynlist
dynlist-attrset labeledURIObject labeledURI

Second - I created cn=test,ou=Projects,dc=example,dc=com with:

dn: cn=test,ou=Projects,dc=example,dc=com
gidNumber: 6789
objectClass: posixGroup
objectClass: top
objectClass: labeledURIObject
labeledURI: ldap:///cn=testgroup,ou=Groups,dc=example,dc=com?memberUid?sub?(objectClass=posixGroup)
# the memberUid values below are generated by dynlist, not stored in the entry
memberUid: user1
memberUid: user2

In cn=testgroup,ou=Groups,dc=example,dc=com I have memberUid: user1 and memberUid: user2.

Third - when I run getent group test I get:

test:*:6789:user1,user2

But when I try id user1, I don't see this group :(

Next I ran chmod 770 dir and chown root.test dir and tried to access this directory.

But of course it is not possible, because the user is not in this group (as id says).

Does anyone know the solution?

Solution

Third - when I run getent group test I get:

test:*:6789:user1,user2

But when I try id user1, I don't see this group :(

Unfortunately dynamic lists (dynlists) are ONE WAY groups (not TWO way). This means that reverse lookups won't work, which causes the very issue you are now facing. There is no way to make reverse posix group lookups work with dynlist.

HOWEVER, there is another module available somewhere on OpenLDAP's site I believe. It is called autogroup. This is a static-group maintainer module. This method of grouping does not involve dynamic data, rather it is REAL data that is automagically managed by the autogroup module. However, it is configured similar to a dynlist group as it uses the labeledURI attribute to allow a "stored procedure" so to speak.

I too was disappointed when I realized the shortcomings of dynlist, and I should point out that autogroup is still somewhat experimental. Test thoroughly and report any bugs to OpenLDAP.

I hope this helps...

Max
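
As an added example, not part of the question or of Max's answer, here is what the autogroup setup he describes looks like for the asker's layout, kept deliberately parallel to the dynlist directives in the question. The module path is an assumption about the deployment, and using memberUid as the member attribute relies on autogroup's handling of URLs that name an attribute (so attribute values rather than entry DNs are written into the group); confirm both against the autogroup README in contrib/slapd-modules for the OpenLDAP version you build. The reason id user1 omits the group under dynlist is that the NSS initgroups lookup searches with a filter such as (&(objectClass=posixGroup)(memberUid=user1)), and dynlist only generates memberUid when cn=test is returned, so a filter on memberUid never matches it. autogroup stores the values, which is what makes the reverse lookup work.

```conf
# slapd.conf (added example, not from the original post): replace the
# dynlist overlay with autogroup for the group under ou=Projects.
#
# Global section. The module directory is an assumption; use the one
# your build installed autogroup.la into.
modulepath  /usr/lib/ldap
moduleload  autogroup.la

# Inside the database section that holds dc=example,dc=com.
#
# initgroups-style lookups filter on memberUid, so index it for equality.
index       memberUid eq

# Same marker objectClass (labeledURIObject) and URL attribute (labeledURI)
# as the dynlist configuration in the question, but the third argument tells
# autogroup which attribute to populate with REAL values: memberUid.
# Because the URL names memberUid in its attribute list, autogroup copies the
# memberUid values of cn=testgroup into cn=test instead of entry DNs.
overlay     autogroup
autogroup-attrset labeledURIObject labeledURI memberUid
```

The cn=test entry itself stays exactly as shown in the question (posixGroup plus labeledURIObject with the labeledURI pointing at cn=testgroup), only now the two memberUid values are written into the entry and maintained by the overlay. To check the direction that matters for id, run the same search NSS performs: ldapsearch -x -b ou=Projects,dc=example,dc=com '(&(objectClass=posixGroup)(memberUid=user1))' cn. With dynlist this returns nothing; with autogroup it returns cn=test, and id user1 then lists the group so the chmod 770 directory becomes accessible.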
