Hello.

My question is simple. I need to create a unix group. If I try to do this via New->Group, then I can't see posixGroup. So I can add posixGroup only manually by adding the needed attributes. But I want to add it via the console, just as I can add a new user.

Thanks

On Thu, 2009-05-21 at 18:07 +0600, Dmitry Amirov wrote:
> Hello.
>
> My question is simple. I need to create unix group. If i try to do this
> via New->Group, then i can't see posixGroup. So i can add posixGroup
> only manually by adding needed attributes. But i want to add via console
> such as i can add new user.
<snip>

If I correctly understand what you want, what I typically do is create the group, click on Advanced and add the posixgroup attribute. I then simply add users who have previously had the posixAccount attribute added to their definition. I also find in RedHat style systems that I need to add the posixgroup attribute to the users. Hope this helps - John

--
John A. Sullivan III
Open Source Development Corporation
+1 207-985-7880
jsullivan@opensourcedevel.com

http://www.spiritualoutreach.com
Making Christianity intelligible to secular society

Hi John.

Yes, it's a solution. But I want to add groups such as users. When I am creating a user account, I can click on posixAccount and fill in the needed parameters. If I want to create a posixGroup I need to add a group and then click Advanced and add posixGroup manually.

John A. Sullivan III wrote:
> On Thu, 2009-05-21 at 18:07 +0600, Dmitry Amirov wrote:
>
>> Hello.
>>
>> My question is simple. I need to create unix group. If i try to do this
>> via New->Group, then i can't see posixGroup. So i can add posixGroup
>> only manually by adding needed attributes. But i want to add via console
>> such as i can add new user.
>>
> <snip>
> If I correctly understand what you want, what I typically do is create
> the group, click on Advanced and add the posixgroup attribute. I then
> simply add users who have previously had the posixAccount attribute
> added to their definition. I also find in RedHat style systems that I
> need to add the posixgroup attribute to the users. Hope this helps -
> John
>

John A. Sullivan III wrote:
> On Thu, 2009-05-21 at 18:07 +0600, Dmitry Amirov wrote:
>> Hello.
>>
>> My question is simple. I need to create unix group. If i try to do this
>> via New->Group, then i can't see posixGroup. So i can add posixGroup
>> only manually by adding needed attributes. But i want to add via console
>> such as i can add new user.
> <snip>
> If I correctly understand what you want, what I typically do is create
> the group, click on Advanced and add the posixgroup attribute. I then
> simply add users who have previously had the posixAccount attribute
> added to their definition.

I think instead of "add attribute" you meant to say "add auxiliary object class".

But please note that the object classes groupOfNames/groupOfUniqueNames and posixGroup are all defined as STRUCTURAL. Strictly speaking in the spirit of LDAPv3 compliance an entry can only have exactly one STRUCTURAL object class (including the inherited STRUCTURAL object classes). Although the 389 DS does not prevent you from creating an entry like this

objectClass: groupOfUniqueNames
objectClass: posixGroup

you shouldn't do that since it might lead to interop problems.

> I also find in RedHat style systems that I
> need to add the posixgroup attribute to the users.

???

'posixGroup' is an auxiliary object class containing the members' 'uid' value in its multi-valued attribute 'memberUid'. Despite the issues with STRUCTURAL I don't see any reason to add this object class to a person or account entry anyway.

Ciao, Michael.

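
An added example, not part of any message in this thread: a check for the situation described above, an entry that carries two unrelated STRUCTURAL object classes such as groupOfUniqueNames and posixGroup, run over an LDIF export. The class kinds and superiors in `SCHEMA` are taken from RFC 2307 and RFC 4519, and the LDIF is constructed sample data; where a server's loaded schema differs, its own definitions belong in the table.

```python
# Added example, not from the thread; kinds/superiors per RFC 2307 and RFC 4519.
SCHEMA = {  # lowercase class name -> (kind, superior)
    "top": ("ABSTRACT", None),
    "groupofuniquenames": ("STRUCTURAL", "top"),
    "posixgroup": ("STRUCTURAL", "top"),
    "person": ("STRUCTURAL", "top"),
    "organizationalperson": ("STRUCTURAL", "person"),
    "inetorgperson": ("STRUCTURAL", "organizationalperson"),
    "posixaccount": ("AUXILIARY", "top"),
}
# Constructed sample entries; DNs and values are placeholders.
SAMPLE_LDIF = """\
dn: cn=staff,ou=Groups,dc=example,dc=com
objectClass: groupOfUniqueNames
objectClass: posixGroup

dn: cn=devs,ou=Groups,dc=example,dc=com
objectClass: posixGroup

dn: uid=alice,ou=People,dc=example,dc=com
objectClass: inetOrgPerson
objectClass: person
objectClass: posixAccount
"""

def parse_ldif(text):
    """Map dn -> lowercase objectClass values (plain, unfolded LDIF only)."""
    entries, dn = {}, None
    for line in text.splitlines():
        key, _, value = (part.strip() for part in line.partition(":"))
        if key.lower() == "dn":
            dn = value
        elif key.lower() == "objectclass" and dn:
            entries.setdefault(dn, []).append(value.lower())
    return entries

def structural_leaves(classes):
    """Most-derived STRUCTURAL classes; a compliant entry has exactly one."""
    structural = {c for c in classes if SCHEMA[c][0] == "STRUCTURAL"}
    inherited = set()
    for sup in (SCHEMA[c][1] for c in structural):
        while sup:  # walk the SUP chain up to top
            inherited.add(sup)
            sup = SCHEMA[sup][1]
    return sorted(structural - inherited)

def violations(ldif):
    """Return {dn: leaves} for entries without exactly one structural chain."""
    return {dn: leaves for dn, ocs in parse_ldif(ldif).items()
            if len(leaves := structural_leaves(ocs)) != 1}
```

`violations(SAMPLE_LDIF)` reports only the `cn=staff` entry; the `uid=alice` entry passes because person is a superior of inetOrgPerson, so both belong to one structural chain.
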
Dmitry Amirov wrote:
> But i want to add groups such ad users. When i creating user account, i
> can click on posixAccount and fill needed parameters.
> If i want to create posixGroup i need to add group and then click
> Advanced and add posixGroup Manually.

How about just using another LDAP client dedicated to the maintenance of this data?

Ciao, Michael.

Hello Michael.

Yes, I know. I have been using openldap for 4 years already. And I want a centralized system. I thought that 389 DS is this system with a full-featured GUI.

I wish to comfortably add groups, users, to operate mail records (qmailUser). Or do I need to use other clients with 389 DS such as gq?

Thanks

I just want to

Michael Ströder wrote:
> Dmitry Amirov wrote:
>
>> But i want to add groups such ad users. When i creating user account, i
>> can click on posixAccount and fill needed parameters.
>> If i want to create posixGroup i need to add group and then click
>> Advanced and add posixGroup Manually.
>>
>
> How about just using another LDAP client dedicated to the maintenance of
> this data?
>
> Ciao, Michael.
>
> --
> Fedora-directory-users mailing list
> Fedora-directory-users@redhat.com
> https://www.redhat.com/mailman/listinfo/fedora-directory-users
>

On Thu, 2009-05-21 at 15:28 +0200, Michael Ströder wrote:
> John A. Sullivan III wrote:
> > On Thu, 2009-05-21 at 18:07 +0600, Dmitry Amirov wrote:
> >> Hello.
> >>
> >> My question is simple. I need to create unix group. If i try to do this
> >> via New->Group, then i can't see posixGroup. So i can add posixGroup
> >> only manually by adding needed attributes. But i want to add via console
> >> such as i can add new user.
> > <snip>
> > If I correctly understand what you want, what I typically do is create
> > the group, click on Advanced and add the posixgroup attribute. I then
> > simply add users who have previously had the posixAccount attribute
> > added to their definition.
>
> I think instead of "add attribute" you meant to say "add auxiliary
> object class".
>
> But please note that the object classes groupOfNames/groupOfUniqueNames
> and posixGroup are all defined as STRUCTURAL. Strictly speaking in the
> spirit of LDAPv3 compliance an entry can only have exactly one
> STRUCTURAL object class (including the inherited STRUCTURAL object
> classes). Although the 389 DS does not prevent you from creating an
> entry like this
>
> objectClass: groupOfUniqueNames
> objectClass: posixGroup
>
> you shouldn't do that since it might lead to interop problems.
>
> > I also find in RedHat style systems that I
> > need to add the posixgroup attribute to the users.
>
> ???
>
> 'posixGroup' is an auxiliary object class containing the members' 'uid'
> value in its multi-valued attribute 'memberUid'. Despite the issues with
> STRUCTURAL I don't see any reason to add this object class to a person
> or account entry anyway.
>
> Ciao, Michael.
<snip>

Thanks very much for the clarification as I am (obviously) LDAP ignorant. Yes, I did mean add an objectclass. Unfortunately, I think we're a bit stuck because of RedHat's (useful) use of user groups. Since most of the user directory files are owned by a group with the same name as the user, I have major issues if I do not do this. I suppose the correct solution would be to create a group of the same name but then we hit potential problems with non-unique cn if we match uid and cn and preserve uniqueness. What do others do? Thanks - John

--
John A. Sullivan III
Open Source Development Corporation
+1 207-985-7880
jsullivan@opensourcedevel.com

http://www.spiritualoutreach.com
Making Christianity intelligible to secular society

Dmitry Amirov wrote:
> Hello Michael.
> Yes, i know. I am using openldap already 4 years. And i want centralized
> system. I thought that 389 DS this system with full featured GUI.
>
> I wish to comfortably add groups, users, to operate mail records
> (qmailUser). Or i need to use other clients with 389 DS such as gq?
>

The problem is that the 389 console User&Group editor is not easily extensible - that is, it will not automatically discover object classes for entries and display some sort of automatic UI for them, nor will it easily allow you to add custom screens/tabs based on objectclass. If you are a Java hacker, you could probably do this pretty easily (I would help someone get set up with Eclipse), and receive the adoration of millions (well, hundreds maybe) for adding this often requested functionality.

> Thanks
>
>
> I just want to
>
> Michael Ströder wrote:
>
>> Dmitry Amirov wrote:
>>
>>
>>> But i want to add groups such ad users. When i creating user account, i
>>> can click on posixAccount and fill needed parameters.
>>> If i want to create posixGroup i need to add group and then click
>>> Advanced and add posixGroup Manually.
>>>
>>>
>> How about just using another LDAP client dedicated to the maintenance of
>> this data?
>>
>> Ciao, Michael.
>>

Dmitry Amirov wrote:
> I wish to comfortably add groups, users, to operate mail records
> (qmailUser). Or i need to use other clients with 389 DS such as gq?

gq is not maintained anymore and is buggy. It is also just a very generic LDAP client without any knowledge about the semantics of e.g. POSIX-related directory entries.

There are various clients which claim to have good support for POSIX account data. I have some doubts including maintaining the POSIX account data with my own web2ldap if you don't have enough knowledge.

A decent LDAP client should support some auto-magic (e.g. based on a UID pool entry) for concurrently assigning uidNumber to posixAccount entries and gidNumber for posixGroup entries. You could do that manually with almost all clients and let the LDAP server enforce uniqueness after adding/modifying the entry though.

Additionally you might want to have some side-effects like generating home directories etc. IIRC GOSA can do this. Your mileage may vary.

Ciao, Michael.

Michael Ströder wrote:
> There are various clients which claim to have good support for POSIX
> account data. I have some doubts including maintaining the POSIX account
> data with my own web2ldap if you don't have enough knowledge.

For those of you who want to just try web2ldap on a posixAccount entry hit this URL and play around with it:

http://demo.web2ldap.de:1760/web2ldap?ldap://ldap.uninett.no/uid%3Dvenaas%2Ccn%3Dusers%2Ccn%3Dposix%2Cdc%3Duninett%2Cdc%3Dno??base

Obviously there's no write access there but you can look at how web2ldap handles different LDIF templates and HTML snippet templates for object classes when displaying the entry or when generating input forms.

And you can try the group administration UI. It also lets you select group entries in a select list for the primary group (attribute gidNumber) of a posixAccount entry. The latter is done with the help of a web2ldap plugin class.

More notes on customizing the UI:
http://web2ldap.de/usability.html

Ciao, Michael.

Michael, hello and thanks for your participation in this newsgroup.

The first URL doesn't work for me. Mozilla's logo keeps spinning and I suspect it will eventually time out.

Thanks again,
Dave

Michael Ströder wrote:
> Michael Ströder wrote:
>
>> There are various clients which claim to have good support for POSIX
>> account data. I have some doubts including maintaining the POSIX account
>> data with my own web2ldap if you don't have enough knowledge.
>>
>
> For those of you who want to just try web2ldap on a posixAccount entry
> hit this URL and play around with it:
>
> http://demo.web2ldap.de:1760/web2ldap?ldap://ldap.uninett.no/uid%3Dvenaas%2Ccn%3Dusers%2Ccn%3Dposix%2Cdc%3Duninett%2Cdc%3Dno??base
>
> Obviously there's no write access there but you can look at how web2ldap
> handles different LDIF templates and HTML snippet templates for object
> classes when displaying the entry or when generating input forms.
>
> And you can try the group administration UI. It also lets you select
> group entries in a select list for the primary group (attribute
> gidNumber) of a posixAccount entry. The latter is done with the help of
> a web2ldap plugin class.
>
> More notes on customizing the UI:
> http://web2ldap.de/usability.html
>
> Ciao, Michael.
>