Re: Mapping attributes in nslcd.conf
- From: David Tomaschik <dtomasch [at] kennesaw.edu>
- To: nss-pam-ldapd-users [at] lists.arthurdejong.org
- Subject: Re: Mapping attributes in nslcd.conf
- Date: Thu, 09 Sep 2010 12:47:32 -0400
RFC 2307 doesn't specify a "gid" attribute for posixGroups (which is what the group map is based on, according to the man page). The string representation of a group name is stored in the cn attribute, so you'll need to try to map that. That being said, I don't think the uid is available at the time you're mapping the group, so I'm not sure you can rewrite based on that. (Group lookup is a separate operation from user lookup.)
You *can* create local groups in /etc/group. If your LDAP directory doesn't contain a gidNumber entry, you can map it to be the same as their uidNumber via:

map passwd gidNumber "$uidNumber"

Alternatively, you could place all users in the group "users" (100 on Ubuntu) via:

map passwd gidNumber "100"

(This is all untested, but is my best understanding.)

David Tomaschik, RHCE, LPIC-1
IT Systems Support Professional IV
Kennesaw State University Online Development Group
dtomasch@kennesaw.edu

On 9/9/10 12:30 PM, Greg Newton wrote:
Thanks for the quick response David. If I understand you correctly, the answer is that there is nothing in the local machine's /etc/group file that can be used to create a home group for LDAP users, and "getent group <gidNumber>" returns nothing, which doesn't surprise me; as I said, those attributes are not populated in LDAP. So, I *think* I'm still left with using the map feature in nslcd.conf to "create" a gid from the LDAP-returned uid. Do you know if I need to be able to read an attribute from LDAP before I can change it?

In my configuration, we don't have a gid value for users either. The string representation of their group is obtained by the system looking up the gid (either in /etc/group or via LDAP, if you're using LDAP for groups). Try using "getent group <gidNumber>" to see if your host is properly looking up groups via LDAP.
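A bulk form of the "getent group <gidNumber>" check suggested in this thread, added here as an example and not written by either poster: it lists every account whose primary gid (for instance one produced by a `map passwd gidNumber` rule in nslcd.conf) resolves to no group. The passwd and group data below are constructed; on a live host pass the output of `getent passwd` and `getent group` instead.

```shell
#!/bin/sh
# Added example, not from the thread. Find accounts whose primary gid has no
# matching group entry, which is what "getent group <gidNumber>" reveals one
# account at a time.
# Live usage: unresolved_primary_groups "$(getent passwd)" "$(getent group)"

# Print "name:gid" for every passwd(5) line whose gid is absent from the
# group(5) data.  $1: passwd-formatted lines, $2: group-formatted lines.
unresolved_primary_groups() {
    passwd_data=$1
    group_data=$2
    printf '%s\n' "$passwd_data" | awk -F: -v groups="$group_data" '
        BEGIN {
            # Index every gid that the group database knows about.
            n = split(groups, lines, "\n")
            for (i = 1; i <= n; i++) {
                split(lines[i], f, ":")
                if (f[3] != "") known[f[3]] = f[1]
            }
        }
        # Field 4 of a passwd line is the primary gid.
        NF >= 4 && !($4 in known) { print $1 ":" $4 }
    '
}

# Constructed sample: alice and bob were mapped with gidNumber "$uidNumber",
# carol with the fixed gidNumber "100"; only group 100 exists locally.
SAMPLE_PASSWD='alice:x:10001:10001:Alice:/home/alice:/bin/bash
bob:x:10002:10002:Bob:/home/bob:/bin/bash
carol:x:10003:100:Carol:/home/carol:/bin/bash'
SAMPLE_GROUP='root:x:0:
users:x:100:'

unresolved_primary_groups "$SAMPLE_PASSWD" "$SAMPLE_GROUP"
```

An empty result means every account's primary group resolves; any line printed names an account that will show a bare number instead of a group name in `ls -l` and `id` output.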