Group lookups (groupOfNames)

[Date Prev][Date Next] [Thread Prev][Thread Next]

From: Tim <weirdit [at] gmail.com>
To: nss-pam-ldapd-users [at] lists.arthurdejong.org
Subject: Group lookups (groupOfNames)
Date: Wed, 18 May 2011 15:54:21 +1000

Hi All, I've been trying for a few days to get this working without luck.

Running Ubuntu Natty as a test server with openldap 2.4.23, and
libnss-ldapd/nslcd/libpam-ldapd 0.7.13

I'm using rfc2307bis.ldif to attempt to have groups as "groupOfNames"
with posixGroup as an Ancillary object class.
So far, it appears to work partially. It retrieves the groups, just
not the members. I was originally trying libnss-ldap but not having
any luck with groups (even though there is a switch for rfc2307bis),
not even able to get the groups to show.

The contents of /etc/nslcd.conf are (with comments removed)

uid nslcd
gid nslcd
uri ldap://127.0.0.1/
base dc=plug,dc=org,dc=au
filter group (objectClass=posixGroup)
map group uniqueMember member

$ getent group|grep committee
committee:*:1006:


The relevant ldif for committee group
# committee, Groups, plug.org.au
objectClass: groupOfNames
objectClass: posixGroup
dn: cn=committee,ou=Groups,dc=plug,dc=org,dc=au
cn: committee
member: uidNumber=10030,ou=Users,dc=plug,dc=org,dc=au
member: uidNumber=10163,ou=Users,dc=plug,dc=org,dc=au
member: uidNumber=10048,ou=Users,dc=plug,dc=org,dc=au
member: uidNumber=10246,ou=Users,dc=plug,dc=org,dc=au
member: uidNumber=10062,ou=Users,dc=plug,dc=org,dc=au
member: uidNumber=10318,ou=Users,dc=plug,dc=org,dc=au
member: uidNumber=10189,ou=Users,dc=plug,dc=org,dc=au
member: uidNumber=10252,ou=Users,dc=plug,dc=org,dc=au
member: uidNumber=10254,ou=Users,dc=plug,dc=org,dc=au
gidNumber: 1006

I've not setup anything on the pam side yet, as I'm trying to just get
NSS working first. (So attempting to login as a LDAP user will
currently fail).

Any ideas what I'm missing? I watched the slapd debug logs and
realised it wasn't returning the member attr, which is how I
eventually worked out "map group uniqueMember member" should be
correct as it now returns the member attr. I'm guessing the problem is
now ether what I'm mapping it to, or the resolution of the dn to a
user (although in the logs I see no more ldap queries after it gets
the groups, so I'm assuming it's the mapping that's the problem).

If I'm using the wrong package (i.e. ldapd version doesn't support
this), I apologise in advance as I've found very little documentation
regarding this.

Tim

-- 
Timothy White - Somewhere in Australia
-- 
To unsubscribe send an email to
nss-pam-ldapd-users-unsubscribe@lists.arthurdejong.org or see
http://lists.arthurdejong.org/nss-pam-ldapd-users

Group lookups (groupOfNames), Tim

Re: Group lookups (groupOfNames), Ryan Steele
- Re: Group lookups (groupOfNames), Tim
  - Re: Group lookups (groupOfNames), Tim
    - Re: Group lookups (groupOfNames), Arthur de Jong

Prev by Date: Re: nslcd starts failing logins after about an hour.
Next by Date: Re: Group lookups (groupOfNames)
Previous by thread: Re: Red Hat Enterprise 6 nslcd time out issue
Next by thread: Re: Group lookups (groupOfNames)