RFC 2307 doesn't specify a "gid" attribute for posixGroups (which is what the group map is based on, according to the man page). The string representation of a group name is stored in the cn attribute, so you'll need to try to map that. That being said, I don't think the uid is available at the time you're mapping the group, so I'm not sure you can rewrite based on that. (Group lookup is a separate operation from user lookup.)

You *can* create local groups in /etc/group. If your LDAP directory doesn't contain a gidNumber entry, you can map it to be the same as their uidNumber via:

map passwd gidNumber "$uidNumber"

Alternatively, you could place all users in the group "users" (100 on Ubuntu) via:

map passwd gidNumber "100"

(This is all untested, but is my best understanding.)

On 9/9/10 12:30 PM, Greg Newton wrote:
Thanks for the quick response David.
If I understand you correctly, the answer is that there is nothing in
the local machine's /etc/group file that can be used to create a home
group for ldap users, and "getent group <gidNumber>" returns nothing,
which doesn't surprise me; as I said, those attributes are not populated
in ldap.
So, I *think* I'm still left with using the map feature in nslcd.conf to
"create" a gid from the ldap-returned uid.

Do you know if I need to be able to read an attribute from ldap before I can
change it?

In my configuration, we don't have a gid value for users either. The
string representation of their group is obtained by the system looking
up the gid (either in /etc/group or via LDAP, if you're using LDAP for
groups). Try using "getent group <gidNumber>" to see if your host is
properly looking up groups via LDAP.
