[Mageia-sysadm] Dynlist and change on ldap
Michael Scherer
misc at zarb.org
Mon Apr 25 12:12:59 CEST 2011
On Thu, Apr 21, 2011 at 10:09:34PM +0200, Michael Scherer wrote:
> On Thursday 21 April 2011 at 22:04 +0200, Michael Scherer wrote:
>
> > To use it, just add a group like this :
> >
> > cn=mga-test_dyn,ou=Group,dc=mageia,dc=org
> > cn: mga-test_dyn
> > objectClass: posixGroup
> > objectClass: groupOfURLs
> > gidNumber: 5013
> > memberURL: ldap:///ou=People,dc=mageia,dc=org?dn?sub?(&(objectClass=posixAccount)(memberOf=cn=mga-council,ou=Group,dc=mageia,dc=org))
> > memberURL: ldap:///ou=People,dc=mageia,dc=org?dn?sub?(&(objectClass=posixAccount)(memberOf=cn=mga-sysadmin,ou=Group,dc=mageia,dc=org))
> >
> > This one will create a group with sysadmin and council members.
> >
> > # getent group mga-test_dyn
> > mga-test_dyn:*:5013:misc,rda,boklm,tmb,ennael,dams,buchan,dmorgan,nanardon,colin,blino,pterjan
> >
> > (ok here, it doesn't work fully, wobo and trishf42 are missing but
> > since ennael and rda are not in sysadmin group, this kinda works, I will
> > look at this more closely, maybe an index issue, or memberOf not being
> > refreshed)
>
> Ok as usual, I first say something stupid and then find the issue.
>
> Of course, for this example, we should not add
> "(objectClass=posixAccount)" in the filter, as neither wobo nor trishf42
> have a posixAccount :)

So I finally made the changes to ldap:
created a group called mga-shell_access
changed svn acl for that

The only issue that I faced was that some members (i.e. all i18n and me) were
not able to use the svn, as "id $login" didn't show that they were in the
group. I do not know how I solved it (in fact, it started to work once I added
i18n to the test_dyn group I created to test everything).

I suspect some strange ldap corruption (since some groups were using
duplicated GID), since now everything except my account works. id does not
show that I am in the mga-shell_access group, but getent group shows it (and
I can access svn.mageia.org by ssh).

Besides doing a dump/reload of ldap, does someone have a proposal
(I did db_recover and slapindex, just by pure cargo culting)?

--
Michael Scherer
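
The effect of the extra "(objectClass=posixAccount)" clause discussed in the quoted message, as an added example that is not part of the original post: it parses memberURL values and evaluates their AND-of-equality filter against a small set of entries. The entries, their attribute values and the helper names are constructed assumptions for illustration, not a dump of the real directory.

```python
import re
from urllib.parse import unquote

COUNCIL = "cn=mga-council,ou=Group,dc=mageia,dc=org"
PEOPLE = "ou=People,dc=mageia,dc=org"

# Constructed sample entries (attribute values are assumptions, not a real dump).
ENTRIES = {
    "uid=ennael," + PEOPLE: {"objectClass": ["inetOrgPerson", "posixAccount"], "memberOf": [COUNCIL]},
    "uid=wobo," + PEOPLE: {"objectClass": ["inetOrgPerson"], "memberOf": [COUNCIL]},
    "uid=trishf42," + PEOPLE: {"objectClass": ["inetOrgPerson"], "memberOf": [COUNCIL]},
    "uid=nobody," + PEOPLE: {"objectClass": ["inetOrgPerson", "posixAccount"], "memberOf": []},
}

def parse_member_url(url):
    """Split a host-less RFC 4516 URL into (base, scope, [(attr, value), ...])."""
    if not url.startswith("ldap:///"):
        raise ValueError("expected an ldap:/// URL")
    base, _attrs, scope, flt = (url[8:].split("?") + [""] * 3)[:4]
    flt = unquote(flt) or "(objectClass=*)"
    if "|" in flt or "!" in flt:
        raise ValueError("only AND-of-equality filters are handled here")
    terms = re.findall(r"\(([^()=&]+)=([^()]*)\)", flt)
    return unquote(base), scope or "base", terms

def matches(dn, attrs, base, scope, terms):
    """True if the entry is inside the search scope and satisfies every term."""
    dn_l, base_l = dn.lower(), base.lower()
    if scope == "sub":
        in_scope = dn_l == base_l or dn_l.endswith("," + base_l)
    elif scope == "one":
        in_scope = dn_l.partition(",")[2] == base_l
    else:
        in_scope = dn_l == base_l
    lowered = {k.lower(): [v.lower() for v in vs] for k, vs in attrs.items()}
    return in_scope and all(
        (val == "*" and lowered.get(attr.lower())) or val.lower() in lowered.get(attr.lower(), [])
        for attr, val in terms)

def expand(member_urls, entries=ENTRIES):
    """Return the sorted uids a dynamic group with these memberURLs would list."""
    found = set()
    for url in member_urls:
        base, scope, terms = parse_member_url(url)
        found |= {dn for dn, attrs in entries.items() if matches(dn, attrs, base, scope, terms)}
    return sorted(dn.split(",")[0].split("=", 1)[1] for dn in found)

WITH_POSIX = f"ldap:///{PEOPLE}?dn?sub?(&(objectClass=posixAccount)(memberOf={COUNCIL}))"
WITHOUT_POSIX = f"ldap:///{PEOPLE}?dn?sub?(memberOf={COUNCIL})"
```

Calling expand([WITH_POSIX]) and expand([WITHOUT_POSIX]) on the sample entries shows which accounts the stricter filter silently leaves out of the group.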