RSS feed

Re: Automatic dn to uid mapping

[Date Prev][Date Next] [Thread Prev][Thread Next]

Re: Automatic dn to uid mapping

On Wed, 2010-05-12 at 10:15 -0400, Ryan Steele wrote:
> I noticed that when I perform queries with nslcd (or
> nss-ldap/nss-ldapd, for that matter), if the attribute that represents
> membership to the group has a DN value, it seems to get automatically
> mapped to the UID corresponding to that DN.  I'm guessing that nslcd
> does an extra lookup when it encounters a DN value in a group
> membership attribute, to map that DN to its respective UID, but I'm
> not 100% sure.  Is that really how it works?

nss-pam-ldapd tries to translate a DN in a uniqueMember attribute to a
uid. If the DN is of the form uid=foobar,..... it parses it instead of
doing an LDAP lookup. If an LDAP lookup is needed it is cached for 15
minutes to improve performance (otherwise lookups with a lot of members
will get very slow).

The memberUid attribute, along with its working is described in RFC2307.
Use of the uniqueMember is described in RFC2307bis which got changed
into the member attribute in draft-howard-rfc2307bis (an Internet
Draft). RFC2307bis never ended up as a proper RFC so its use is likely
less widespread.

Note that to use the member attribute (instead of uniqueMember) in
nss-pam-ldapd you need to put this in nslcd.conf:
  map group uniqueMember member

-- arthur - - --
To unsubscribe send an email to or see