Unfortunately, this filter does not seem to be effective.
The filter_groups statement in the [nss] section only allows to exclude groups to my knowledge, we are looking for a way to include / permit only a few groups.
ldap_access_filter = memberOf=cn=…
Unfortunately, this filter does not seem to be effective.
does your LDAP server support “memberOf”? If you’re running OpenLDAP, you need the according overlay active and need to have all group memberships updated for the users in question: “The memberof overlay updates an attribute (by default memberOf) whenever changes occur to the membership attribute (by default member) of entries of the objectclass (by default groupOfNames) configured to trigger updates.”
Also, you’ll have to have “access_provider = ldap” active in your [domain/ldap] section.
ldap_access_filter = memberOf=cn=…
Unfortunately, this filter does not seem to be effective.
does your LDAP server support “memberOf”? If you’re running OpenLDAP, you need the according overlay active and need to have all group memberships updated for the users in question: “The memberof overlay updates an attribute (by default memberOf) whenever changes occur to the membership attribute (by default member) of entries of the objectclass (by default groupOfNames) configured to trigger updates.”
Also, you’ll have to have “access_provider = ldap” active in your [domain/ldap] section.
Regards,
Jens[/QUOTE]
Jens, thanks for this hint.
Seems we are stuck, as we use posixgroup, and that does not seem to work with memberof overlay.
while I have absolutely no information on the current implementation status - have you actually tried to use it and received that error response, or are you judging only by that 6 years old message?
Jens, yes I tried it. and was unable to start the OpenLDAP daemon at all:
[QUOTE]myhost:/etc/openldap # tail -3 slapd.conf
overlay memberof
memberof-group-oc posixgroup
memberof-member-ad memberUid
myhost:/etc/openldap # service ldap restart
Shutting down ldap-server…done
Starting ldap-serverstartproc: exit status of parent of /usr/lib/openldap/slapd: 1
…failed
myhost:/etc/openldap # tail /var/log/localmessages
Dec 17 14:03:20 myhost slapd[8822]: ==> ppolicy_cf_default
Dec 17 14:03:20 myhost slapd[8822]: ==> ppolicy_cf_default add
Dec 17 14:03:20 myhost slapd[8822]: line 212 (ppolicy_hash_cleartext)
Dec 17 14:03:20 myhost slapd[8822]: line 216 (overlay memberof)
Dec 17 14:03:20 myhost slapd[8822]: line 217 (memberof-group-oc posixgroup)
Dec 17 14:03:20 myhost slapd[8822]: line 218 (memberof-member-ad memberUid)
Dec 17 14:03:20 myhost slapd[8822]: /etc/openldap/slapd.conf: line 218: member attribute=“memberUid” must either have DN (1.3.6.1.4.1.1466.115.121.1.12) or nameUID (1.3.6.1.4.1.1466.115.121.1.34) syntax.
Dec 17 14:03:20 myhost slapd[8822]: slapd destroy: freeing system resources.
Dec 17 14:03:20 myhost slapd[8822]: slapd stopped.
Dec 17 14:03:20 myhost slapd[8822]: connections_destroy: nothing to destroy.
myhost:/etc/openldap #
[/QUOTE]
Thomas,
I don’t have an openLDAP instance accessible at the moment to test against but perhaps try this:
Use the ldapsearch utility (part of the openldap-clients package) and search for one of your users needing access using an admin user with all rights to get the full set of attributes and values returned.
Determine which attribute will work in your case (member, memberOf, posixGroup, groupOfNames, etc) and implement the LDAP access provider using the selected attribute:
