Hi,
I've installed openldap 2.0.23 on a server and a client and all seems to work fine (AFAICTAICTM)
In Zope I've installed LDAPUserFolder 1.5b1 and I can see no group.
I can see all users though.
My users base DN is : ou=People,dc=my,dc=domain,dc=org
My groups base DN is : ou=Group,dc=my,dc=domain,dc=org
Both ZLDAPConnection and ZLDAPMethod seem to work ok.
Since it's openldap and not Netscape's one I don't think the restrictions mentioned in the README apply, but I really don't know much.
any help appreciated.
Jerome Alet
do the groups you think you should see have any member records in them?
jens
On Monday, June 24, 2002, at 11:08 , Jerome Alet wrote:
> Hi,
> I've installed openldap 2.0.23 on a server and a client and all seems to work fine (AFAICTAICTM)
> In Zope I've installed LDAPUserFolder 1.5b1 and I can see no group.
> I can see all users though.
> My users base DN is : ou=People,dc=my,dc=domain,dc=org
> My groups base DN is : ou=Group,dc=my,dc=domain,dc=org
> Both ZLDAPConnection and ZLDAPMethod seem to work ok.
> Since it's openldap and not Netscape's one I don't think the restrictions mentioned in the README apply, but I really don't know much.
> any help appreciated.
> Jerome Alet
On Mon, Jun 24, 2002 at 11:38:35AM -0400, Jens Vagelpohl wrote:
> do the groups you think you should see have any member records in them?
yes, I've got some groups which have a user list explicitly set :
--- CUT ---
port50-2:~$ ldapsearch -x -b "dc=my,dc=domain,dc=org" cn=groupe1 |less
version: 2
#
# filter: cn=groupe1
# requesting: ALL
#
# groupe1, Group, my, domain, org
dn: cn=groupe1,ou=Group,dc=my,dc=domain,dc=org
objectClass: posixGroup
objectClass: top
cn: groupe1
gidNumber: 666
memberUid: jerome
memberUid: elvis
--- CUT ---
but I don't see these groups.
as for the "empty" groups I'll fill them if needed...
bye
Jerome Alet
the group you chose (posixGroup) does not conform to the expected group structure as far as the member attribute (memberUid in this case) is concerned.
supported groups are only those where the member attribute contains the _full distinguished name_, such as...
- groupOfUniqueNames -> uniqueMember
- groupOfName -> member
- group -> member
jens
On Monday, June 24, 2002, at 11:47 , Jerome Alet wrote:
> On Mon, Jun 24, 2002 at 11:38:35AM -0400, Jens Vagelpohl wrote:
> > do the groups you think you should see have any member records in them?
> yes, I've got some groups which have a user list explicitly set :
> --- CUT ---
> port50-2:~$ ldapsearch -x -b "dc=my,dc=domain,dc=org" cn=groupe1 |less
> version: 2
> #
> # filter: cn=groupe1
> # requesting: ALL
> #
> # groupe1, Group, my, domain, org
> dn: cn=groupe1,ou=Group,dc=my,dc=domain,dc=org
> objectClass: posixGroup
> objectClass: top
> cn: groupe1
> gidNumber: 666
> memberUid: jerome
> memberUid: elvis
> --- CUT ---
> but I don't see these groups.
> as for the "empty" groups I'll fill them if needed...
> bye
> Jerome Alet
On Mon, Jun 24, 2002 at 11:59:45AM -0400, Jens Vagelpohl wrote:
> the group you chose (posixGroup) does not conform to the expected group structure as far as the member attribute (memberUid in this case) is concerned.
> supported groups are only those where the member attribute contains the _full distinguished name_, such as...
> - groupOfUniqueNames -> uniqueMember
> - groupOfName -> member
> - group -> member
If ever I had chosen that ! I've used the padl MigrationTools4.0 to migrate my current /etc/passwd and /etc/group and that's about all I know...
OT : What could I do to change this ?
Thanks in advance
Jerome Alet
look at the SAMPLE_RECORDS.txt file that is part of the package to see an example group record. you can also use the LDAPUserFolder to create a new group and add users to it, then examine the group and its structure.
i cannot help you on migrating your existing groups, though. i know that the structure as provided by those PADL tools must be retained if you want to use LDAP authentication for your computers, like with the NSS-LDAP package. maybe those tools allow you to specify the creation of other groups?
if your number of groups is small you could even take the groups information created by the PADL tools and massage it by hand to get the desired result.
jens
On Monday, June 24, 2002, at 12:04 , Jerome Alet wrote:
> On Mon, Jun 24, 2002 at 11:59:45AM -0400, Jens Vagelpohl wrote:
> > the group you chose (posixGroup) does not conform to the expected group structure as far as the member attribute (memberUid in this case) is concerned.
> > supported groups are only those where the member attribute contains the _full distinguished name_, such as...
> > - groupOfUniqueNames -> uniqueMember
> > - groupOfName -> member
> > - group -> member
> If ever I had chosen that ! I've used the padl MigrationTools4.0 to migrate my current /etc/passwd and /etc/group and that's about all I know...
> OT : What could I do to change this ?
> Thanks in advance
> Jerome Alet
On Mon, Jun 24, 2002 at 12:57:56PM -0400, Jens Vagelpohl wrote:
> look at the SAMPLE_RECORDS.txt file that is part of the package to see an example group record. you can also use the LDAPUserFolder to create a new group and add users to it, then examine the group and its structure. ... i know that the structure as provided by those PADL tools must be retained if you want to use LDAP authentication for your computers, like with the NSS-LDAP package. maybe those tools allow you to specify the creation of other groups?
Yes, I wanted to keep the same authentication mechanism for some dual boot (linux+samba+W2K) workstations and a Zope application, but I don't know if there's any drawback when setting additional non-unix-related groups or when modifying the default ones. I think I'll enter nightmare mode real soon now :-(
> if your number of groups is small you could even take the groups information created by the PADL tools and massage it by hand to get the desired result.
That's something I'll try. Thanks for the tip.
information on all this is very sparse, unfortunately.
if I ever manage to get all this working then I'll make a howto, unless one already exists
bye,
Jerome Alet
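The hand conversion suggested above, as an added Python example (not code from the thread or from LDAPUserFolder): it reads posixGroup LDIF like the entry quoted earlier and emits separate groupOfUniqueNames entries whose uniqueMember values are full DNs, leaving the PADL-created posixGroup entries untouched. Assumptions: user entries are named uid=<login> under the users base DN, and the ou=ZopeGroups branch is a hypothetical name.

```python
USERS_BASE = "ou=People,dc=my,dc=domain,dc=org"    # users base DN from the thread
NEW_BASE = "ou=ZopeGroups,dc=my,dc=domain,dc=org"  # hypothetical branch for new entries
# Constructed sample modelled on the ldapsearch output quoted in the thread.
SAMPLE_LDIF = """\
dn: cn=groupe1,ou=Group,dc=my,dc=domain,dc=org
objectClass: posixGroup
cn: groupe1
gidNumber: 666
memberUid: jerome
memberUid: elvis

dn: cn=vide,ou=Group,dc=my,dc=domain,dc=org
objectClass: posixGroup
cn: vide
"""

def dn_escape(value):
    """Escape characters that are special inside a DN value (RFC 4514)."""
    out = "".join("\\" + c if c in ',+"\\<>;=' else c for c in value)
    if out.endswith(" "):
        out = out[:-1] + "\\ "
    return "\\" + out if out[:1] in ("#", " ") else out

def parse_ldif(text):
    """Parse plain LDIF (no base64 values, no folded lines) into dicts."""
    entries = []
    for block in text.strip().split("\n\n"):
        entry = {}
        for line in block.splitlines():
            if line.strip() and not line.startswith("#"):
                attr, _, value = line.partition(":")
                entry.setdefault(attr.strip().lower(), []).append(value.strip())
        if entry:
            entries.append(entry)
    return entries

def convert(text, uid_attr="uid"):
    """Yield a groupOfUniqueNames LDIF entry for each non-empty posixGroup."""
    for e in parse_ldif(text):
        classes = [c.lower() for c in e.get("objectclass", [])]
        members = e.get("memberuid", [])
        if "posixgroup" not in classes or not members:
            continue  # groupOfUniqueNames needs at least one uniqueMember
        cn = e["cn"][0]
        lines = ["dn: cn=%s,%s" % (dn_escape(cn), NEW_BASE),
                 "objectClass: groupOfUniqueNames", "cn: " + cn]
        lines += ["uniqueMember: %s=%s,%s" % (uid_attr, dn_escape(m), USERS_BASE)
                  for m in members]
        yield "\n".join(lines) + "\n"
```

The parent ou entry has to exist before the generated entries are loaded, and the empty group is skipped because a groupOfUniqueNames entry cannot be created without a member.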
Jerome Alet writes:
> On Mon, Jun 24, 2002 at 11:38:35AM -0400, Jens Vagelpohl wrote:
> > do the groups you think you should see have any member records in them?
> yes, I've got some groups which have a user list explicitly set :
> --- CUT ---
> port50-2:~$ ldapsearch -x -b "dc=my,dc=domain,dc=org" cn=groupe1 |less
> version: 2
> #
> # filter: cn=groupe1
> # requesting: ALL
> #
> # groupe1, Group, my, domain, org
> dn: cn=groupe1,ou=Group,dc=my,dc=domain,dc=org
> objectClass: posixGroup
> objectClass: top
> cn: groupe1
> gidNumber: 666
> memberUid: jerome
> memberUid: elvis
> --- CUT ---
LDAPUserFolder looks for a different attribute:
"uniqueMember" for "objectClass: groupOfUniqueNames" and "member" for "objectClass: groupOfNames" and "objectClass: group".
Either you define them or you need to extend "GROUP_MEMBER_MAP" in "LDAPUserFolder".
Dieter
participants (3): Dieter Maurer, Jens Vagelpohl, Jerome Alet