LDAP attribute memberOf in OpenLdap & SAMBA
Hello dear!
Without preamble, let's get to the point:
In Active Directory, the "user" object has a memberOf attribute in which the groups of which it is a member are registered. We deployed an openLDAP-based LDAP server, attached Samba to it, and it turned out that there is no such attribute in the schema. Tell me, please, how realistic is it:
1) To add this attribute to the schema for the user, so that Samba does not fall over?
2) By what automatic means is it better to add values to it? Maybe someone already made a script for this?
Thank you in advance!
PS for those who recommend installing a Win2008 server - policies and other management are not particularly important to us, first of all, our goal at the exit is a single database of users and passwords, so in general this solution suits us, except for this problem.
UPDATE:
Samba in my task is generally "on the side". I authorize with a PHP script that maps groups in LDAP and compares them with internal ones. The script has its own access control system. I suspect that this script is not the only one that works this way, so looking ahead, I want to solve the problem once and for all, because this script is open, I can fix it, and there are also closed products ...
Samba has a slightly different group organization scheme. Samba takes groups from the section specified in the ldap group suffix parameter of the smb.conf file:

...
ldap suffix = dc=domain,dc=tld
ldap user suffix = ou=People
ldap group suffix = ou=Group
....

Samba will look for groups of the form cn=groupname,ou=Group,dc=domain,dc=tld.
An example of an ldif file with a description of one group:

dn: cn=Students,ou=DomainGroups,ou=Group,dc=domain,dc=tld
objectClass: sambaGroupMapping
objectClass: posixGroup
sambaGroupType: 2
sambaSID: S-1-5-21-1111111111-1111111111-1111111111-3003
gidNumber: 1001
cn: Students
memberUid: user999
memberUid: user998
memberUid: user997

A convenient editor for LDAP is ldapadmin.sourceforge.net/, there are also all the necessary templates for users and groups.
Okay, let me clarify the question.
Is it possible to do this:
1) Create /etc/ldap/schema/custom.schema
2) Add this memberOf attribute to this file
3) Include this file in /etc/ldap/slapd.conf
...
Is it possible to do this or not?
for old settings via conf
pro-ldap.ru/tr/man/slapo-memberof.5.html
www.admin-linux.fr/?p=1453
www.openldap.org/doc/admin24/overlays.html#Reverse. ..
for new settings via ldif
https://github.com/github/github-ldap/blob/master/...
with a crutch on the side, but it's convenient not to change the data for the memberUid field
blog.oddbit.com/2013/07/22/generating-a-membero
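
Added example, not part of the original thread or of any linked page: when memberOf is kept "on the side" while groups stay posixGroup/memberUid, an application that authorizes on memberOf (like the PHP script in the question) sees revoked memberships for as long as the copy is stale, so the two views need a regular consistency check. The sample entries are constructed, and the uid=...,ou=People user DN layout and the presence of memberOf on user entries are assumptions.

```python
from collections import defaultdict

# Constructed sample exports (plain LDIF, as `ldapsearch -LLL` would print it).
STUDENTS = "cn=Students,ou=DomainGroups,ou=Group,dc=domain,dc=tld"
GROUPS = f"""dn: {STUDENTS}
memberUid: user999
memberUid: user998
"""
USERS = f"""dn: uid=user999,ou=People,dc=domain,dc=tld
uid: user999
memberOf: {STUDENTS}

dn: uid=user998,ou=People,dc=domain,dc=tld
uid: user998

dn: uid=user997,ou=People,dc=domain,dc=tld
uid: user997
memberOf: {STUDENTS}
"""

def parse_ldif(text):
    """Parse plain LDIF (no base64 values, no folded lines) into (dn, attrs) pairs."""
    entries = []
    for block in text.strip().split("\n\n"):
        attrs = defaultdict(list)
        for line in block.splitlines():
            if ": " in line and not line.startswith("#"):
                key, value = line.split(": ", 1)
                attrs[key.lower()].append(value.strip())
        if attrs["dn"]:
            entries.append((attrs["dn"][0], attrs))
    return entries

def memberof_drift(groups_ldif, users_ldif):
    """Return {user_dn: (missing, stale)} where memberOf disagrees with memberUid."""
    want = defaultdict(set)
    for group_dn, attrs in parse_ldif(groups_ldif):
        for uid in attrs["memberuid"]:
            want[uid].add(group_dn)
    drift = {}
    for user_dn, attrs in parse_ldif(users_ldif):
        have = set(attrs["memberof"])  # assumes DNs are spelled identically in both exports
        expected = want[(attrs["uid"] or [None])[0]]
        if have != expected:
            drift[user_dn] = (sorted(expected - have), sorted(have - expected))
    return drift

if __name__ == "__main__":
    print(memberof_drift(GROUPS, USERS))
```

In the constructed data, user997 is no longer listed in memberUid but still carries memberOf, which is the stale case that matters for access control; user998 is the opposite, a member whose memberOf was never written.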