lists.arthurdejong.org

Automatic dn to uid mapping


I noticed that when I perform queries with nslcd (or nss-ldap/nss-ldapd, for that matter), if the attribute that represents membership to the group has a DN value, it seems to get automatically mapped to the UID corresponding to that DN.  I'm guessing that nslcd does an extra lookup when it encounters a DN value in a group membership attribute, to map that DN to its respective UID, but I'm not 100% sure.  Is that really how it works?

For example, if I have the following group (yes, it is dynamically constructed by the autogroup overlay):

dn: cn=sysadmins,ou=Groups,dc=example,dc=com
ou: Groups
gidNumber: 5000
cn: sysadmins
objectClass: groupOfURLs
objectClass: top
objectClass: posixGroup
description: The sysadmin team members
memberURL: ldap:///ou=Users,dc=example,dc=com?dn?sub?(&(objectClass=exampleComEmployee)(departmentName=sysadmins))
member: uid=johndoe,ou=Users,dc=example,dc=com
member: uid=janedoe,ou=Users,dc=example,dc=com
member: uid=joedoe,ou=Users,dc=example,dc=com


...and I perform a 'getent group sysadmins' on the Linux boxes, I get:


sysadmins:*:4001:benk,jordanb,ryans


I am asking because, and this is slightly off-topic so I don't expect this to be addressed, my Mac OS X clients don't seem to make this inherent mapping or extra lookup, as can be seen below when querying the directory with dscl, using the command 'dscl /LDAPv3/ldapmaster.colo.lair -read /Groups/sysadmins/ Member':

Member: uid=johndoe,ou=Users,dc=example,dc=com uid=janedoe,ou=Users,dc=example,dc=com uid=joedoe,ou=Users,dc=example,dc=com


Obviously, this should read 'Member: johndoe janedoe joedoe', but since no second lookup appears to happen, that's not the case.  I'm just trying to ascertain whether or not this behavior (the mapping, that is) is strictly an nslcd/nss-ldapd/nss-ldap feature, or whether there's something else I'm not accounting for.


Thanks!

-Ryan
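
The DN-to-uid mapping asked about above, sketched as an added example that is not part of the original post and is not nslcd's code. It assumes a client takes the uid from the member DN's leftmost RDN when that RDN is a uid and otherwise falls back to a second lookup; DIRECTORY, first_rdn, dn_to_uid and group_line are hypothetical names, and the sample data is the post's group plus one constructed lookup entry.

```python
import re

# Constructed stand-in for a second LDAP query: entry DN (lowercased) -> uid.
DIRECTORY = {"cn=joe doe,ou=users,dc=example,dc=com": "joedoe"}

# The group from the post, trimmed to the attributes used here.
GROUP = """\
dn: cn=sysadmins,ou=Groups,dc=example,dc=com
gidNumber: 5000
cn: sysadmins
member: uid=johndoe,ou=Users,dc=example,dc=com
member: uid=janedoe,ou=Users,dc=example,dc=com
member: uid=joedoe,ou=Users,dc=example,dc=com
"""

def first_rdn(dn):
    """Return (attribute, value) of the leftmost RDN, undoing backslash escapes (ASCII only)."""
    out, i = [], 0
    while i < len(dn) and dn[i] not in ",+":
        if dn[i] == "\\" and i + 1 < len(dn):
            pair = dn[i + 1:i + 3]
            if re.fullmatch(r"[0-9A-Fa-f]{2}", pair):  # hex form, e.g. \2C
                out.append(chr(int(pair, 16)))
                i += 3
            else:                                      # literal form, e.g. \,
                out.append(dn[i + 1])
                i += 2
        else:
            out.append(dn[i])
            i += 1
    attr, _, value = "".join(out).partition("=")
    return attr.strip().lower(), value.strip()

def dn_to_uid(dn, lookup=DIRECTORY.get):
    """Assumed strategy: use the RDN when it is a uid, otherwise look the entry up."""
    attr, value = first_rdn(dn)
    if attr == "uid" and value:
        return value
    return lookup(dn.lower())  # None when the DN cannot be resolved

def group_line(ldif):
    """Render a getent-style group line, dropping members that do not resolve."""
    attrs = {}
    for line in ldif.strip().splitlines():
        key, _, val = line.partition(": ")
        attrs.setdefault(key, []).append(val)
    uids = [u for u in map(dn_to_uid, attrs.get("member", [])) if u]
    return "%s:*:%s:%s" % (attrs["cn"][0], attrs["gidNumber"][0], ",".join(uids))

if __name__ == "__main__":
    print(group_line(GROUP))
```

A client that skips this mapping sees full DNs as member names, so checks against a group such as sysadmins can give different results on different hosts.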
