Problem description
I have a problem with OpenLDAP and file permissions.
First, I set this in my slapd.conf:
overlay dynlist
dynlist-attrset labeledURIObject labeledURI
Second, I created cn=test,ou=Projects,dc=example,dc=com with:
dn: cn=test,ou=Projects,dc=example,dc=com
gidNumber: 6789
objectClass: posixGroup
objectClass: top
objectClass: labeledURIObject
labeledURI: ldap:///cn=testgroup,ou=Groups,dc=example,dc=com?memberUid?sub?(objectClass=posixGroup)
memberUid: user1 (dynamic)
memberUid: user2 (dynamic)
In cn=testgroup,ou=Groups,dc=example,dc=com
I have memberUid: user1 and memberUid: user2
Third, when I run getent group test, I get:
test:*:6789:user1,user2
But when I try id user1 I don't see this group :(
Then I set chmod 770 dir
and chown root.test dir
and try to access this directory.
But of course that is impossible, because the user is not in this group (according to id).
Does anyone know a solution?
Unfortunately dynamic lists (dynlists) are ONE WAY groups (not TWO way). This means that reverse lookups won't work, which causes the very issue you are now facing. There is no way to make reverse posix group lookups work with dynlist.
HOWEVER, there is another module available somewhere on OpenLDAP's site I believe. It is called autogroup. This is a static-group maintainer module. This method of grouping does not involve dynamic data; rather it is REAL data that is automagically managed by the autogroup module. However, it is configured similarly to a dynlist group, as it uses the labeledURI attribute to allow a "stored procedure", so to speak.
I too was disappointed when I realized the shortcomings of dynlist, and I should point out that autogroup is still somewhat experimental. Test thoroughly and report any bugs to OpenLDAP.
I hope this helps...
Max
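The following is an added example, not code from this thread or from OpenLDAP, that models the mechanism behind both the question and Max's answer. It loads the two entries from the question into a constructed in-memory directory, applies the dynlist expansion only at the moment an entry is returned (the way the overlay does), and then runs the two nss-style lookups: the by-name search behind getent group, and the by-member search behind id. The materialize function stands in for what a static-group maintainer such as autogroup would write into the stored entry. The base DN dc=example,dc=com, testgroup's gidNumber and the exact nss filters are assumptions; the LDAP URL and filter parsers are deliberately minimal.

```python
import re

BASE_DN = "dc=example,dc=com"  # assumed search base for nss lookups

# Constructed directory built from the two entries in the question.
# testgroup's gidNumber is an assumption; the post does not show it.
DIRECTORY = {
    "cn=testgroup,ou=Groups,dc=example,dc=com": {
        "objectClass": ["top", "posixGroup"],
        "cn": ["testgroup"],
        "gidNumber": ["6790"],
        "memberUid": ["user1", "user2"],
    },
    "cn=test,ou=Projects,dc=example,dc=com": {
        "objectClass": ["top", "posixGroup", "labeledURIObject"],
        "cn": ["test"],
        "gidNumber": ["6789"],
        "labeledURI": [
            "ldap:///cn=testgroup,ou=Groups,dc=example,dc=com"
            "?memberUid?sub?(objectClass=posixGroup)"
        ],
    },
}

# Equivalent of the slapd.conf line: dynlist-attrset labeledURIObject labeledURI
DYNLIST_ATTRSET = ("labeledURIObject", "labeledURI")


def get_attr(attrs, name):
    """Attribute names are case-insensitive in LDAP."""
    for key, values in attrs.items():
        if key.lower() == name.lower():
            return values
    return []


def parse_ldap_url(url):
    """Split ldap:///base?attrs?scope?filter (RFC 4516 shape) into its four parts."""
    if not url.startswith("ldap:///"):
        raise ValueError("only ldap:/// URLs are modelled: " + url)
    base, attrs, scope, filt = (url[len("ldap:///"):].split("?") + [""] * 4)[:4]
    return base, [a for a in attrs.split(",") if a], scope or "base", filt or "(objectClass=*)"


def split_components(s):
    """Split "(a=1)(b=2)" into its top-level parenthesised components."""
    comps, depth, start = [], 0, 0
    for i, ch in enumerate(s):
        if ch == "(":
            if depth == 0:
                start = i
            depth += 1
        elif ch == ")":
            depth -= 1
            if depth == 0:
                comps.append(s[start:i + 1])
    return comps


def match_filter(filt, attrs):
    """Minimal filter evaluator: AND, OR, equality and presence, against stored values."""
    filt = filt.strip()
    if filt.startswith("(&"):
        return all(match_filter(c, attrs) for c in split_components(filt[2:-1]))
    if filt.startswith("(|"):
        return any(match_filter(c, attrs) for c in split_components(filt[2:-1]))
    m = re.fullmatch(r"\(([\w;-]+)=([^()]*)\)", filt)
    if not m:
        raise ValueError("unsupported filter: " + filt)
    name, value = m.group(1), m.group(2)
    values = [v.lower() for v in get_attr(attrs, name)]
    return bool(values) if value == "*" else value.lower() in values


def in_scope(dn, base, scope):
    dn, base = dn.lower(), base.lower()
    if scope == "base":
        return dn == base
    if scope == "one":
        return dn.endswith("," + base) and "," not in dn[: -len(base) - 1]
    return dn == base or dn.endswith("," + base)  # sub


def search(directory, base, scope, filt):
    """Server-side search: the filter only ever sees *stored* attributes."""
    return [(dn, attrs) for dn, attrs in directory.items()
            if in_scope(dn, base, scope) and match_filter(filt, attrs)]


def expand_dynlist(attrs, directory):
    """What dynlist does to an entry it is about to return: the attributes named in
    the URL are copied in from the URL's search result, but nothing is stored."""
    oc, uri_attr = DYNLIST_ATTRSET
    if oc.lower() not in [v.lower() for v in get_attr(attrs, "objectClass")]:
        return attrs
    out = {k: list(v) for k, v in attrs.items()}
    for url in get_attr(attrs, uri_attr):
        base, wanted, scope, filt = parse_ldap_url(url)
        for _dn, found in search(directory, base, scope, filt):
            for name in wanted:
                for v in get_attr(found, name):
                    if v not in out.setdefault(name, []):
                        out[name].append(v)
    return out


def getent_group(name, directory):
    """`getent group NAME`: look the group up by cn, read memberUid from the returned
    (already expanded) entry. This is the forward lookup, and it works."""
    for _dn, attrs in search(directory, BASE_DN, "sub",
                             f"(&(objectClass=posixGroup)(cn={name}))"):
        return get_attr(expand_dynlist(attrs, directory), "memberUid")
    return []


def id_groups(uid, directory):
    """`id UID`: ask for every posixGroup whose memberUid equals UID. The filter is
    matched against stored values, so dynamically generated members are invisible."""
    hits = search(directory, BASE_DN, "sub", f"(&(objectClass=posixGroup)(memberUid={uid}))")
    return sorted(get_attr(attrs, "cn")[0] for _dn, attrs in hits)


def materialize(directory):
    """Autogroup-style maintenance: persist the expansion so membership is real,
    filterable data and the reverse lookup succeeds."""
    return {dn: expand_dynlist(attrs, directory) for dn, attrs in directory.items()}


if __name__ == "__main__":
    print("getent group test    ->", getent_group("test", DIRECTORY))
    print("id user1 (dynlist)   ->", id_groups("user1", DIRECTORY))
    print("id user1 (static)    ->", id_groups("user1", materialize(DIRECTORY)))
```

The forward lookup returns user1 and user2 for cn=test, matching the getent output in the question, while the reverse lookup for user1 finds only testgroup, which is why chmod 770 on a root:test directory locks the user out. After materialize, the same reverse lookup reports both groups. The security point is the general one: any authorization decision that resolves group membership by filtering on the member attribute, as the kernel's supplementary group list does, must be fed from stored data, and an overlay that only decorates entries on read is not enough.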