I'm new to 389-ds and last week downloaded and installed the software.
I have a running instance of the server, and I've added TLS/SSL. I've configured
a CentOS 7 client to be able to query
the server using TLS/SSL, and all appears working.
I've created users and groups on the 389-ds server successfully. For each user and
group, I've enabled posix attributes and my client
can see the unix users and groups using the "getent password" or "getent
Now, here's where I'm getting tripped up..........
I need to limit which users have access to which systems. I've been trying to do this
via memberOf group limitations.
I found the following online resource
which is close enough to CentOS that the initial commands worked.
I enabled the MemberOf plugin and changed the attributes per the link, and restarted the
I created a test group (that I didn't enable a posix GID) and tried to add a single
Right click on group --> click Properties --> then Members --> click Add
--> Search for user --> click Add.
When I try to go this route (which worked before enabling the memberOf plugin) it worked.
Now it seems I get the error:
"Cannot save to directory server.
netscape.ldap.LDAPException: error resiult(65): Object class violation"
And the messages file throws the error
"Entry "uid=test,ou=People,dc=int,dc=com" -- attribute "memberOf"
[17/Feb/2016:11:22:58 -0700] memberof-plugin - memberof_postop_modify: failed to add dn
(cn=testgroup,ou=Groups,dc=int,dc=com) to target. Error (65)"
So it seems my server isn't quite using the memberOf plugin properly, but I'm not
sure what else to enable. I'll have to solve this issue before
I even try to filter login access via groups on my client system.
I should mention that if I go under the advanced tab for one of the groups I created, I
can add the attribute "uniquemember", but I'm not sure what I
should set the "value" to be.
I've tried creating new users to see if I could set their "uniquemember"
attributes, but no luck. It seems that I don't have the ability to set this
on individual users, only groups.
This might not be the right road to head down when trying to restrict access to servers
via groups, so I'm open to any suggestions.
Any suggestions would be appreciated.
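As an added example (not from the poster or the 389-ds project): a small Python pre-check that reads a user entry and a group entry in LDIF and reports why the memberOf plugin's write back to the user entry would be rejected with error 65 (object class violation). It assumes the 389-ds default schema, where memberOf is permitted on a user only through an auxiliary objectClass such as nsMemberOf or inetUser, and that the plugin's group attribute is uniqueMember, as in the post; the sample entries are constructed.

```python
"""Pre-check for 389-ds memberOf error 65 (added example; assumes default 389-ds schema)."""
from typing import Dict, List

# objectClasses whose MAY list includes memberOf (assumption: 389-ds default schema)
MEMBEROF_OBJECTCLASSES = {"nsmemberof", "inetuser"}


def parse_ldif_entry(text: str) -> Dict[str, List[str]]:
    """Parse one simple LDIF entry (no wrapped lines, no base64) into attr -> values."""
    entry: Dict[str, List[str]] = {}
    for line in text.strip().splitlines():
        if line and not line.startswith("#"):
            attr, _, value = line.partition(":")
            entry.setdefault(attr.strip().lower(), []).append(value.strip())
    return entry


def memberof_precheck(user: Dict[str, List[str]], group: Dict[str, List[str]],
                      group_attr: str = "uniquemember") -> List[str]:
    """Return reasons the plugin's write of memberOf to the user entry would be rejected."""
    problems = []
    user_dn = user.get("dn", [""])[0]
    user_ocs = {oc.lower() for oc in user.get("objectclass", [])}
    if not user_ocs & MEMBEROF_OBJECTCLASSES:
        problems.append(f"{user_dn}: no objectClass allows memberOf; "
                        f"add one of {sorted(MEMBEROF_OBJECTCLASSES)}")
    members = {m.lower() for m in group.get(group_attr.lower(), [])}
    if user_dn.lower() not in members:
        problems.append(f"{group.get('dn', [''])[0]}: {group_attr} does not list {user_dn}")
    return problems

# Constructed sample entries reusing the post's DNs; the user lacks nsMemberOf/inetUser
USER_LDIF = """
dn: uid=test,ou=People,dc=int,dc=com
objectClass: top
objectClass: person
objectClass: posixAccount
uid: test
"""
GROUP_LDIF = """
dn: cn=testgroup,ou=Groups,dc=int,dc=com
objectClass: top
objectClass: groupOfUniqueNames
cn: testgroup
uniqueMember: uid=test,ou=People,dc=int,dc=com
"""

if __name__ == "__main__":
    for p in memberof_precheck(parse_ldif_entry(USER_LDIF), parse_ldif_entry(GROUP_LDIF)):
        print("PROBLEM:", p)
```

Running it on the sample entries flags the user entry, which is the same write the plugin log shows failing against uid=test; once the user carries an objectClass that allows memberOf, the check is clean.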