Re: Nested groups missing/groups without members

> On Wed, 2013-07-24 at 16:40 +0200, Martijn van Brummelen wrote:
>> I'm testing libpam-ldapd (0.9.0-2) from Debian experimental on a Wheezy
>> machine.
>>
>> I am comparing results of one machine (s005) running Squeeze with
>> libpam-ldap working as expected, with one machine (s006) running Wheezy
>> with libpam-ldapd not working as expected.
>
> The libnss-ldap/libnss-ldapd/nslcd versions used are more relevant for
> the getent output and group member lookups. Is s005 using libnss-ldapd
> 0.7.15+squeeze4 or libnss-ldap 264-2.2? Is s006 using libnss-ldapd and
> nslcd 0.9.0-2?
s005 (squeeze)
libnss-ldap 264-2.2
nscd 2.11.3-4

s006
libnss-ldapd:amd64 0.9.0-2
nslcd 0.9.0-2
>> Resolving groups does not work as expected.
>> A getent group | wc -l
>> s005 shows 8185 groups
>> s006 shows 7300 groups
>> All groups appear without any members on s006.
>
> Which group membership attribute are you using in LDAP? nslcd 0.9
> expects the member attribute to contain DN values that point to users or
> other groups. Also nested groups are only processed if the
> nss_nested_groups option is set (and might be slightly different from
> nss_ldap). The memberUid attribute can contain bare usernames.
Membership is stored in attribute uniquemember:
uid=foobar,OU=person,ou=Users,dc=example,dc=local
I enabled nested groups in the config.
>> If needed I can provide debugging information and config files.
>
> More information on your LDAP schema could be helpful and also which
> characteristics the missing groups have. If you made any customisations
> to either nslcd.conf or libnss-ldap.conf that would also be helpful.
What information do you need about the LDAP schema?
getent group looks like:
on s005 somename - something:*:69119:user1,user2,user3,user4
on s006 somename - something:*:69119:
See http://pastebin.com/UYz0hQty for nslcd.conf

Regards,
Martijn van Brummelen

-- 
To unsubscribe send an email to
nss-pam-ldapd-users-unsubscribe@lists.arthurdejong.org or see
http://lists.arthurdejong.org/nss-pam-ldapd-users/
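The reply above describes how nslcd 0.9 interprets group membership: `member` values are DNs pointing at users or other groups, `memberUid` values are bare usernames, and nested groups are only expanded when `nss_nested_groups` is on. The following is an added example, not code from this thread or from nslcd itself, that models those rules on a small constructed directory so the symptom from the thread (a group that resolves to no members at all) can be reproduced and explained offline. The entries, DNs and gidNumbers are constructed sample data. The `member_attr` parameter stands in for the attribute nslcd is told to read for DN-valued membership; in nslcd.conf that is chosen with a `map` directive (for example `map group member uniqueMember`), which this model does not parse.

```python
# Added example (not from the thread, not nslcd's own code): a small model of
# how nslcd 0.9 resolves group members as described in the reply above.
# All entries below are constructed sample data.

DIRECTORY = {
    # user entries: each carries a uid
    "uid=user1,ou=Users,dc=example,dc=local": {"uid": ["user1"]},
    "uid=user2,ou=Users,dc=example,dc=local": {"uid": ["user2"]},
    "uid=user4,ou=Users,dc=example,dc=local": {"uid": ["user4"]},
    # group entries: cn, gidNumber and one or more membership attributes
    "cn=admins,ou=Groups,dc=example,dc=local": {
        "cn": ["admins"],
        "gidNumber": ["69119"],
        "member": [
            "uid=user1,ou=Users,dc=example,dc=local",
            "cn=ops,ou=Groups,dc=example,dc=local",     # nested group (DN value)
        ],
    },
    "cn=ops,ou=Groups,dc=example,dc=local": {
        "cn": ["ops"],
        "gidNumber": ["69120"],
        "member": [
            "uid=user2,ou=Users,dc=example,dc=local",
            "cn=admins,ou=Groups,dc=example,dc=local",  # cycle back to admins
        ],
        "memberUid": ["user3"],  # bare username, no user entry required
    },
    # membership kept only in uniquemember (an attribute nslcd is not reading)
    "cn=legacy,ou=Groups,dc=example,dc=local": {
        "cn": ["legacy"],
        "gidNumber": ["69121"],
        "uniquemember": ["uid=user4,ou=Users,dc=example,dc=local"],
    },
}


def is_group(entry):
    """Group entries in this model are the ones carrying a gidNumber."""
    return "gidNumber" in entry


def resolve_members(group_dn, directory, member_attr="member", nested=False, _seen=None):
    """Return the set of usernames that are members of group_dn.

    member_attr: attribute whose values are DNs of users or groups.
    nested:      expand DN values that point at other groups (nss_nested_groups).
    memberUid values are always taken as bare usernames.
    The _seen set protects against membership cycles between groups.
    """
    seen = _seen if _seen is not None else set()
    if group_dn in seen:
        return set()
    seen.add(group_dn)
    entry = directory.get(group_dn, {})
    users = set(entry.get("memberUid", []))
    for dn in entry.get(member_attr, []):
        target = directory.get(dn)
        if target is None:
            continue  # dangling DN: nothing to resolve it to
        if "uid" in target:
            users.add(target["uid"][0])
        elif is_group(target) and nested:
            users |= resolve_members(dn, directory, member_attr, nested, seen)
    return users


def getent_group_line(group_dn, directory, **kw):
    """Format the group the way 'getent group' prints it: name:*:gid:members."""
    entry = directory[group_dn]
    members = ",".join(sorted(resolve_members(group_dn, directory, **kw)))
    return f"{entry['cn'][0]}:*:{entry['gidNumber'][0]}:{members}"


if __name__ == "__main__":
    admins = "cn=admins,ou=Groups,dc=example,dc=local"
    legacy = "cn=legacy,ou=Groups,dc=example,dc=local"
    print(getent_group_line(admins, DIRECTORY, nested=False))
    print(getent_group_line(admins, DIRECTORY, nested=True))
    # membership stored in uniquemember: empty unless that attribute is read
    print(getent_group_line(legacy, DIRECTORY))
    print(getent_group_line(legacy, DIRECTORY, member_attr="uniquemember"))
```

The `legacy` group is the interesting case: its membership lives only in `uniquemember`, so with the default `member` attribute it comes back as `legacy:*:69121:` with an empty member list, which is the shape of the s006 output quoted in the thread; reading `uniquemember` instead yields `user4`. The `admins` group shows the other two rules, the nested `ops` group only contributing its users when `nested=True`, and `memberUid` contributing `user3` without any user entry existing.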