I have two questions on same line, and these answers will be very helpful.
The MemberOf plugin works wonderful using SSSD at client side,
however, is it possible to have the same kind of Control at the Server
I mean, could I have the ability to control user's Authentication on a
Host machine based on it's group or other parameter very much the same
way that now I am doing with memberOf/sssd.conf at the Host Machine.
I know this is not IPA group, in case someone knows. Does IPA supports
that feature at the server side? or using sssd.conf at the host machine?
Any pointers to RTFM would also be helpful. :-)
On Friday, March 22, 2013, Chandan Kumar wrote:
ops! my bad. Thank you so much for pointing that out. Now I could
see MemberOf attribute in my user entries.
On Friday, March 22, 2013, Rich Megginson wrote:
On 03/22/2013 11:06 AM, Chandan Kumar wrote:
> So far I have been managed to do some setup of 389 server,
> thanks to prompt community.
> Now, I am having some trouble in getting the MemberOf plugin
> work for 389-ds-base-22.214.171.124-11. When I add a user into a
> group, the memberOf attribute is not being added to the user
> While googling a bit I came across an older post of this group
> based on that, I checked dse.ldif and the Plugin
> configuration also looks good.
Too bad that google didn't send you here:
"126.96.36.199. Object Classes Which Support memberof Attributes
The most common people object classes — such as inetorgperson
and person — do not allow the memberOf attribute. To allow the
MemberOf Plug-in to add the memberOf attribute to a user
entry, make sure that that entry belongs to the inetUser
object class, which does allow the memberOf attribute."
Even in the link you posted:
" objectClass: shadowaccount
> dn: cn=MemberOf Plugin,cn=plugins,cn=config
> objectClass: top
> objectClass: nsSlapdPlugin
> objectClass: extensibleObject
> cn: MemberOf Plugin
> nsslapd-pluginPath: libmemberof-plugin
> nsslapd-pluginInitfunc: memberof_postop_init
> nsslapd-pluginType: postoperation
> nsslapd-pluginEnabled: on
> nsslapd-plugin-depends-on-type: database
> memberofgroupattr: uniqueMember
> memberofattr: memberOf
> nsslapd-pluginId: memberof
> nsslapd-pluginVersion: 188.8.131.52
> nsslapd-pluginVendor: 389 Project
> nsslapd-pluginDescription: memberof plugin
> modifiersName: cn=directory manager
> modifyTimestamp: 20130322162350Z
> The way I am adding users :
> dn: uid=chandank,ou=People,dc=ma,dc=net
> objectclass: person
> objectclass: inetorgperson
> objectclass: posixAccount
> cn: Chandan
> sn: k
> givenName: chandank
> objectclass: mepOriginEntry
> mepManagedEntry: cn=chandank
> homeDirectory: /home/chandank
> loginShell: /bin/bash
> The way I am adding them into a group:
> dn: cn=sys,ou=Groups,dc=ma,dc=net
> changetype: modify
> add: uniqueMember
> uniqueMember: uid=chandank,ou=People,dc=ma,dc=net
> And after I have added the user I am expecting an MemberOf
> attribute entry in the user entry itself. I am not sure
> whether it is the right way to do so.
> For the records: Having MemberOf attribute in the user entry
> would allow me use ldap Access filters in sssd.conf file eg.
> "ldap_access_filter =
> memberOf=cn=allowedusers,ou=Groups,dc=example,dc=com" and
> hence will be able to restrict users from login on different