
How can I create and test Nested groups using Openldap?

DanRaposo asked
3,313 Views
Last Modified: 2013-12-19
I am trying to use phpldapadmin to create a nested group, but it doesn't seem to work. How can I test it? I created a posix group and added a memberUid of a user and another of our main group "users", but I can't access a folder that I protected with 770 permissions, even though "users" is in the group "limited".
I am also not sure how to test it using ldapsearch.

Additionally... do I need to add this group to Samba? If so, what is the preferred method for that?

Arty, system administrator
Top Expert 2007

Commented:
>How can I create and test Nested groups using Openldap?

You cannot.

> I am trying to use phpldapadmin to create a nested group but it doesn't seem to work.

I don't know what phpldapadmin is, but even if you create a group which is a member of another group, it will not work in most LDAP-aware client implementations (including Samba).

What you can do is add a user to different groups. And if any of those groups has 'rwx' group privilege on any file/directory, the user can also access it.

Author

Commented:
Then how do I limit access to user A while granting access to group B?

For instance, I have a directory "Dir1" with 770 permissions.
Owner is "creator", group is "users".

User A needs access to "Dir1" but not to "Dir2", which has the same permissions.

Group "Users" needs access to all the dirs. User A just one.
Arty, system administrator
Top Expert 2007

Commented:
> User A needs access to "Dir1" but not to "Dir2" which has same permissions

If we are talking about _standard_ Unix file/directory permissions, there is NO WAY to do so.
The same permissions == the same rights for any specific user.

All permissions are resource centric.

Everything else depends on the underlying filesystem. If it allows ACLs, you can do it by defining different ACL entries for Dir1 and Dir2, which have the same Unix permissions.

NTFS, most UFS and ext2fs support ACLs. If your share is located on one of these filesystems, you can set it up the way you have asked for.

Read the manuals:
man setfacl
man getfacl

BTW, you can't satisfy your requirements (having 2 dirs with equal permissions, but different rights for the same user) with nested groups.
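The ACL route suggested above, worked through as an added example (this is not code from the thread; it is a small model of the POSIX.1e access check that setfacl/getfacl manage). Both directories keep owner "creator", group "users" and mode 0770 exactly as in the question; only Dir1 gets a named-user entry for "usera" (what `setfacl -m u:usera:rwx Dir1` would add). All ACL entries and user names are constructed for the example.

```python
# Added example, not code from the thread: a model of the POSIX.1e ACL access
# check, showing how Dir1 and Dir2 can keep identical 0770 mode bits and the
# same owning group while granting usera access to only one of them.
# Names ("creator", "users", "limited", "usera", "userb") follow the thread;
# the ACL entries themselves are constructed for the example.
from dataclasses import dataclass, field

R, W, X = 4, 2, 1  # permission bits, as in the classic mode digits


@dataclass
class Acl:
    """Access control data of one directory: mode bits plus extended entries."""
    owner: str
    group: str
    mode: int                                         # e.g. 0o770
    named_users: dict = field(default_factory=dict)   # uid -> bits ("setfacl -m u:uid:rwx")
    named_groups: dict = field(default_factory=dict)  # gid -> bits ("setfacl -m g:gid:rwx")
    mask: int = R | W | X                             # caps named users/groups and the owning group


def access_allowed(acl, user, user_groups, requested):
    """POSIX.1e order: owner, named user, then all matching group entries, then other.
    The first class that matches decides; there is no fall-through to a later class."""
    if user == acl.owner:                             # ACL_USER_OBJ (mask does not apply)
        return ((acl.mode >> 6) & 7 & requested) == requested
    if user in acl.named_users:                       # ACL_USER, limited by the mask
        return (acl.named_users[user] & acl.mask & requested) == requested
    group_entries = []
    if acl.group in user_groups:                      # ACL_GROUP_OBJ, limited by the mask
        group_entries.append((acl.mode >> 3) & 7)
    group_entries += [bits for g, bits in acl.named_groups.items() if g in user_groups]
    if group_entries:                                 # any single matching group entry suffices
        return any((bits & acl.mask & requested) == requested for bits in group_entries)
    return (acl.mode & 7 & requested) == requested    # ACL_OTHER


def thread_scenario():
    """Both dirs: owner "creator", group "users", mode 0770, as in the thread.
    Dir1 additionally carries the named-user entry for usera; Dir2 has none."""
    dir1 = Acl("creator", "users", 0o770, named_users={"usera": R | W | X})
    dir2 = Acl("creator", "users", 0o770)
    usera_groups = {"limited"}          # usera is not a member of "users"
    userb_groups = {"users"}
    want = R | X                        # list and traverse the directory
    return {
        "userb_dir1": access_allowed(dir1, "userb", userb_groups, want),
        "userb_dir2": access_allowed(dir2, "userb", userb_groups, want),
        "usera_dir1": access_allowed(dir1, "usera", usera_groups, want),
        "usera_dir2": access_allowed(dir2, "usera", usera_groups, want),
    }


if __name__ == "__main__":
    for key, allowed in thread_scenario().items():
        print(f"{key}: {'allowed' if allowed else 'denied'}")
```

The mask entry is the part people trip over: once a directory has extended entries, the group column of `ls -l` shows the mask, not the owning group's bits, and a later `setfacl -m m::r-x Dir1` silently reduces usera's effective access to r-x even though getfacl still lists `user:usera:rwx`. Check with `getfacl Dir1`, which prints the `#effective:` annotation when the mask cuts an entry down.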

Author

Commented:
Nopius, you said: "BTW you can't satisfy your requirements (having 2 dirs with equal permissions, but different rights for the same user) with nested groups."

Why not?

Why can't I have rwx for owner, rwx for group and no access for everyone else, and set it up like this:

770 Dir1  Owner is UserX  Group is "Limited"
770 Dir2  Owner is UserX  Group is "Users"
UserA is in group Limited but not group Users.
Users B-Z are in Users. Users is also a member of Limited.
That would allow all users access to both dirs. It would also restrict UserA from Dir2, since he is not a member of Users.
Arty, system administrator
Top Expert 2007

Commented:
> 770  Dir1  Owner is UserX  Group is "Limited"
> 770 Dir2   Owner is UserX  Group is "Users"

That differs from what you said before:

> For instance I have a directory "Dir1" with 770 permissions
> Owner is "creator"  Group is "users"
> User A needs access to "Dir1" but not to "Dir2" which has same permissions

The same permissions mean the same access rights for the same group/user. But in your latest example the groups on the dirs are different.

> UserA Is in Group Limited but not group Users
> User B-Z are in Users.  Users is also a member of limited.

You can't include a group as a member of another group.
But you can include UserA in group 'Limited' as primary group and
include users B-Z in group 'Users' as primary and in group 'Limited' as secondary group. Each user can belong to up to 16 secondary groups. The result will be the same, and this is the only possible way.
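Why the group-inside-a-group attempt from the question silently does nothing, and why the flat layout in the answer above works, as an added example (not code from the thread). It models how an NSS-style client resolves POSIX membership from posixAccount and posixGroup entries; the entries are constructed in-memory dicts carrying the attributes those object classes use (uid, gidNumber, cn, memberUid). To check the same thing against a real directory, `ldapsearch -x -b "ou=Groups,dc=example,dc=com" "(memberUid=userb)" cn` (base DN is a placeholder) lists only groups where userb appears directly; in the nested layout "limited" never shows up for userb.

```python
# Added example, not code from the thread: how an NSS-style client resolves
# POSIX group membership from posixAccount and posixGroup entries.
# Entries are constructed in-memory dicts; uids and group names follow the thread.


def groups_of(uid, accounts, groups):
    """Names of every group `uid` belongs to: the primary group via the account's
    gidNumber, secondary groups via memberUid. A memberUid value is compared only
    with account uids; nothing expands a group name such as "users" that was
    written into another group's memberUid, so nesting has no effect."""
    primary_gid = accounts[uid]["gidNumber"]
    return {g["cn"] for g in groups
            if g["gidNumber"] == primary_gid or uid in g.get("memberUid", [])}


def can_use_770_dir(uid, dir_group, accounts, groups):
    """A 0770 directory is usable by its owner and by members of its group."""
    return dir_group in groups_of(uid, accounts, groups)


# Constructed accounts: usera's primary group is 1001 ("limited"),
# userb and userc have 1000 ("users") as primary group.
ACCOUNTS = {
    "usera": {"uid": "usera", "gidNumber": 1001},
    "userb": {"uid": "userb", "gidNumber": 1000},
    "userc": {"uid": "userc", "gidNumber": 1000},
}

# The attempt from the question: "limited" lists the group name "users" as a memberUid.
NESTED_GROUPS = [
    {"cn": "users",   "gidNumber": 1000, "memberUid": ["userb", "userc"]},
    {"cn": "limited", "gidNumber": 1001, "memberUid": ["usera", "users"]},
]

# The flat layout from the answer: every member of "users" is also listed in "limited".
FLAT_GROUPS = [
    {"cn": "users",   "gidNumber": 1000, "memberUid": ["userb", "userc"]},
    {"cn": "limited", "gidNumber": 1001, "memberUid": ["usera", "userb", "userc"]},
]


def compare():
    """Who can enter Dir1 (group "limited") and Dir2 (group "users") under each layout."""
    out = {}
    for label, groups in (("nested", NESTED_GROUPS), ("flat", FLAT_GROUPS)):
        for uid in ACCOUNTS:
            out[(label, uid, "Dir1")] = can_use_770_dir(uid, "limited", ACCOUNTS, groups)
            out[(label, uid, "Dir2")] = can_use_770_dir(uid, "users", ACCOUNTS, groups)
    return out


if __name__ == "__main__":
    for (label, uid, d), ok in sorted(compare().items()):
        print(f"{label:6} {uid} {d}: {'ok' if ok else 'denied'}")
```

On a live system the same resolution is visible with `id userb` (or `getent group limited`): whatever those print is what the kernel will use for the 770 check, and a group name sitting inside memberUid is simply never listed.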

Author

Commented:
Sorry for not being clear in my first question. I knew what I meant ;-)

What is really painful about that is that I would have to make the changes to both groups every time I added or removed a user. This would easily get out of whack. Is that really the only way?

Not to mention... how would I add all users to a secondary group without doing it one by one?
Arty, system administrator
Top Expert 2007

Commented:
> That is really the only way?

With POSIX/Unix groups - yes.

> how would I add all users to a secondary group without doing it one by one?

No way. If you have thousands of users, you may write a script which will add them one-by-one.
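The "write a script" suggestion above, as an added example (not code from the thread): it builds the LDIF that a single `ldapmodify` run needs to add many uids to one secondary posixGroup, and it skips uids that are already members, because an `add:` of a value that already exists makes the whole modify fail with attributeOrValueExists (LDAP result code 20). The base DN dc=example,dc=com and the uid list are placeholders constructed for the example.

```python
# Added example, not code from the thread: generate the LDIF for adding many
# memberUid values to a secondary posixGroup in one ldapmodify run.
# dc=example,dc=com and the uids are constructed placeholders.
import base64


def ldif_attr(attr, value):
    """One 'attr: value' line, switching to base64 ('attr:: ...') when the value
    is not a SAFE-STRING per RFC 2849 (non-ASCII, control characters, a leading
    space/colon/'<', or a trailing space)."""
    safe = (bool(value) and value.isascii()
            and value[0] not in " :<" and value[-1] != " "
            and not any(c in value for c in "\0\r\n"))
    if safe:
        return f"{attr}: {value}"
    return f"{attr}:: {base64.b64encode(value.encode('utf-8')).decode('ascii')}"


def bulk_add_ldif(group_dn, uids, existing_members=()):
    """LDIF 'changetype: modify' record adding each uid as a memberUid of group_dn.
    Uids already present are left out, since adding an existing value fails the
    whole modify with attributeOrValueExists (result code 20). Returns "" when
    there is nothing to add, so no empty record reaches ldapmodify."""
    new = sorted(set(uids) - set(existing_members))
    if not new:
        return ""
    lines = [ldif_attr("dn", group_dn), "changetype: modify", "add: memberUid"]
    lines += [ldif_attr("memberUid", uid) for uid in new]
    lines.append("-")
    return "\n".join(lines) + "\n\n"


if __name__ == "__main__":
    # Constructed: every uid from ou=People; usera must stay out of "users"
    # while everyone, usera included, goes into "limited".
    everyone = ["usera", "userb", "userc", "userd"]
    print(bulk_add_ldif("cn=limited,ou=Groups,dc=example,dc=com",
                        everyone, existing_members=["usera"]), end="")
    print(bulk_add_ldif("cn=users,ou=Groups,dc=example,dc=com",
                        [u for u in everyone if u != "usera"]), end="")
```

Feed the current membership in from the directory rather than guessing it, e.g. `ldapsearch -x -b "cn=limited,ou=Groups,dc=example,dc=com" -s base memberUid`, then apply the output with `ldapmodify -x -D "cn=admin,dc=example,dc=com" -W -f add_members.ldif`. Because ldapmodify stops at the first failing record, the same script run again after a partial failure is safe: already-added uids are skipped.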
Arty, system administrator
Top Expert 2007

Commented:
Here's a more 'authoritative' answer:

http://www.openldap.org/lists/openldap-software/200207/msg00173.html

Believe me, by the standard only users may be members of groups; otherwise 'nss' clients will not understand your LDAP schema.

Author

Commented:
Nopius, thanks for your help. As an aside, do you think this should be changed? It seems to me to be something that would be very useful, but I do not know how difficult it would be to implement.
Arty, system administrator
Top Expert 2007

Commented:
Thank you for the points, DanRaposo.

> On an aside do you think this should be changed?

I'm not so sure.

The goal of the posixGroup LDAP schema was to reflect POSIX group membership.
Currently the POSIX standard doesn't allow nested groups, and 90% of all operating systems are POSIX compliant. So, changing this behavior would require:
1) changing the POSIX standard (or issuing a new version)
2) changing all operating systems to be compliant with the new POSIX standard
3) changing all related software (including LDAP, nss, 3rd-party libraries) to reflect the new standard.

You understand that this would become a nightmare.

There are other ACL implementations (non-POSIX) that allow nested groups/resources/privileges, but using them also requires writing your own applications. As an example, the Zend_ACL (PHP-based) implementation allows nested groups and resources.
