LinuxQuestions.org
Linux - Server This forum is for the discussion of Linux Software used in a server related context.
Old 05-19-2009, 10:26 AM   #1
ncsuapex
several questions about ldap (adding new groups/users/etc)


Sorry for the generic thread title, but I'm not sure how to cram my questions into a short subject.


I have successfully set up an LDAP server on a CentOS 5.2 server. I can log onto a client machine using the user I created. My questions are geared towards maintenance as my user/group list grows.


What's the best way to add new users and new groups?


I've seen several references to migrating the passwd/shadow files into LDAP files, but I'm not sure I want to go that route. I'd rather keep all the users/groups in the LDAP directory and avoid having them locally on my LDAP server and then migrating them into LDAP.


I created an initial groups.ldif file and an initial users.ldif file. But if I try to add new users and groups, I get errors:

example:
groups.ldif
(current)
dn: cn=users,ou=Group,dc=domain,dc=com
objectClass: posixGroup
objectClass: top
cn: users
userPassword: {crypt}x
gidNumber: 20


then if I add an entry like this to the file:

dn: cn=test,ou=Group,dc=domain,dc=com
objectClass: posixGroup
objectClass: top
cn: test
userPassword: {crypt}x
gidNumber: 21


run this command:

ldapmodify -W -x -D "cn=Manager,dc=domain,dc=com" -f groups.ldif

get this error:
modifying entry "cn=test,ou=Group,dc=domain,dc=com"
ldap_modify: No such object (32)
	matched DN: ou=Group,dc=domain,dc=com


I can add a new file and run the same command with the new file name and it runs successfully. But I would rather not have a new file every time I create a new user/group.
 
Old 05-19-2009, 05:30 PM   #2
bathory
Quote:
What's the best way to add new users and new groups?
IMHO the best way to add entries in OpenLDAP is to use ldapadd with the appropriate ldif file.
Quote:
I can add a new file and run the same command with the new file name and it runs successfully. But I would rather not have a new file every time I create a new user/group.
If you prefer using the ldapmodify utility with the same ldif (by adding entries at the end of the file), then you have to use the -ac options (add, and continue on errors):
Code:
ldapmodify -W -acx -D "cn=Manager,dc=domain,dc=com" -f groups.ldif
Regards
 
Old 05-20-2009, 07:32 AM   #3
ncsuapex
Quote:
ldapmodify -W -acx -D "cn=Manager,dc=domain,dc=com" -f groups.ldif


Ahhh yes... That worked perfectly for a group I added to my groups.ldif file. Thanks!
 
Old 05-21-2009, 02:53 PM   #4
ncsuapex
Decided to install phpldapadmin to see if it would be easier to manage my users, etc. So far I like it; it does make adding users/groups easier. But one thing I can't figure out how to do is add multiple groups to a user.

When I add a user I can add a gidNumber for its primary group. But I cannot figure out how to add secondary groups. I have several groups added in their own ou.

Any hints on how to add multiple groups to a user?


Thanks!
 
Old 05-21-2009, 03:12 PM   #5
bathory
Hi,

You might take a look at this discussion if you want to assign multiple groups to a user.

Regards
 
Old 05-22-2009, 07:53 AM   #6
ncsuapex
Hmmmm, I followed the link and wasn't smart enough to figure it out based on the discussion, so I googled groupofnames and found a way to add it using phpldapadmin. Upon further review I don't think this is going to work for me. I need to add users to groups so they can perform work on the servers as members of a group. Say I want my web guy to edit the website, so I add him to the apache group, but I also need him to be a part of the mysql group because some of the website functions run through mysql. He needs to be a member of both groups. Right now I can only assign him to one group.


I think the groupofnames is for organization maybe? And not to grant access.
 
Old 05-22-2009, 08:50 AM   #7
bathory
Actually, I've searched for the memberof attribute in OpenLDAP and ended up on that link.
I'm aware of this attribute because we also use the Sun ONE Directory Server, where it is available, along with ACLs defining roles for users depending on this attribute. Sort of what you want to do with OpenLDAP.
You can give it a try, as it's free for download, and see if it fits your needs.
BTW, what happens if you assign more than one member attribute to a user, like the example in the link I gave you? Assuming, of course, that you have also added the groupOfNames objectclass.
 
Old 05-22-2009, 03:28 PM   #8
ncsuapex
I've already removed those entries. But from what I can remember, it created a listing under my Group with the new cn=newgroupname and it had as members the 2 members I added. But there was no gidNumber or any number suggesting that it had any group-level privileges, and when I did an "id username" on one of my ldap clients it just listed its original group.


I think some combination of ldapmodify and something along these lines should work. I've tried several different combos and keep getting errors.

dn: cn=user1,ou=Group,dc=example,dc=com
changetype: add
objectclass: posixGroup
cn: user1
gidNumber: 1000


When I tried that (changing the values for my setup), it actually added a new group under my Group list. There has to be a way to add a group to a user through something similar.
 
Old 05-22-2009, 05:55 PM   #9
bathory
I don't think this is a good way to proceed. I suggest you create the various groups, like:
Quote:
dn: cn=Group1,dc=...
...

dn: cn=Group2,dc=...
...

dn: cn=Group3,dc=...
...
Put the users under ou=people or something like that and add the groups you want them to belong to:
Quote:
dn: cn=user1,ou=people,dc=...
...
...
objectClass: groupOfNames
...
...
member: cn=Group1,dc=...
member: cn=Group2,dc=...

dn: cn=user2,ou=people,dc=...
...
...
objectClass: groupOfNames
...
...
member: cn=Group1,dc=...
member: cn=Group2,dc=...
member: cn=Group3,dc=...
and see if it works.
 
Old 05-26-2009, 12:23 PM   #10
ncsuapex
Turns out I was making this much harder than it was.

When I made my groups under
ou=Group,dc=domain,dc=com

I didn't create them right, even though I had created them as Posix Group. I added a new one in phpldapadmin and it let me give it a gidNumber and memberUid. I can just add members to the memberUid and it adds them to that group.


Thanks for your help.
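An added example, not code from this thread: a small Python lint for a groups.ldif in the one-attribute-per-line form used here, which flags the two things that tripped the OP (an entry without changetype: add fed to ldapmodify, which fails with No such object (32) as in post #1, and a groupOfNames entry that "id" will never show as a Unix group, as in post #8), plus a helper that emits the changetype: modify LDIF adding a memberUid to an existing posixGroup, the approach post #10 settled on. The sample LDIF, the EXISTING set of DNs, and the function names are constructed for the example; the parser assumes no base64 (::) values and no folded lines.

```python
# Constructed sample LDIF (one attribute per line, no '::' base64 or folding): the
# existing 'users' group, a new 'test' group without changetype, and a groupOfNames.
SAMPLE_LDIF = """\
dn: cn=users,ou=Group,dc=domain,dc=com
objectClass: posixGroup
cn: users
gidNumber: 20

dn: cn=test,ou=Group,dc=domain,dc=com
objectClass: posixGroup
cn: test
gidNumber: 21
memberUid: webguy

dn: cn=web,ou=Group,dc=domain,dc=com
objectClass: groupOfNames
cn: web
member: uid=webguy,ou=People,dc=domain,dc=com
"""
EXISTING = frozenset({"cn=users,ou=Group,dc=domain,dc=com"})  # constructed; really from ldapsearch

def parse_ldif(text):
    """Entries as dicts of lower-cased attr -> [values]; a blank line ends one."""
    entries, cur = [], {}
    for line in text.splitlines() + [""]:        # trailing "" flushes the last entry
        if line.strip():
            name, _, value = line.partition(":")  # 'cn:user1' (no space) is valid LDIF
            cur.setdefault(name.strip().lower(), []).append(value.strip())
        elif cur:
            entries.append(cur); cur = {}
    return entries

def lint(entries, existing=EXISTING):
    """Return (dn, problem) pairs for the mistakes this thread ran into."""
    out = []
    for e in entries:
        dn, ocs = e["dn"][0], {v.lower() for v in e.get("objectclass", [])}
        # Without -a, ldapmodify treats an entry lacking changetype as a modify,
        # which fails with 'No such object (32)' when the DN does not exist yet.
        if e.get("changetype", ["modify"])[0] == "modify" and dn not in existing:
            out.append((dn, "no 'changetype: add': use ldapmodify -a or ldapadd"))
        if "posixgroup" in ocs and "gidnumber" not in e:
            out.append((dn, "posixGroup without gidNumber"))
        if "groupofnames" in ocs and "posixgroup" not in ocs:
            out.append((dn, "groupOfNames is not a Unix group: no gidNumber/memberUid"))
    return out

def add_member_ldif(group_dn, uid):
    """LDIF that adds uid as a secondary member of an existing posixGroup."""
    return f"dn: {group_dn}\nchangetype: modify\nadd: memberUid\nmemberUid: {uid}\n"
```

The output of add_member_ldif can be fed to ldapmodify with the same -W -x -D ... -f options as in post #2 but without -a, since it is a modify of an existing group.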