Group lookups (groupOfNames)

Hi All, I've been trying for a few days to get this working without luck.

Running Ubuntu Natty as a test server with openldap 2.4.23, and
libnss-ldapd/nslcd/libpam-ldapd 0.7.13

I'm using rfc2307bis.ldif to attempt to have groups as "groupOfNames"
with posixGroup as an Ancillary object class.
So far, it appears to work partially. It retrieves the groups, just
not the members. I was originally trying libnss-ldap but not having
any luck with groups (even though there is a switch for rfc2307bis),
not even able to get the groups to show.

The contents of /etc/nslcd.conf are (with comments removed)

uid nslcd
gid nslcd
uri ldap://
base dc=plug,dc=org,dc=au
filter group (objectClass=posixGroup)
map group uniqueMember member

$ getent group|grep committee

The relevant ldif for committee group
# committee, Groups,
objectClass: groupOfNames
objectClass: posixGroup
dn: cn=committee,ou=Groups,dc=plug,dc=org,dc=au
cn: committee
member: uidNumber=10030,ou=Users,dc=plug,dc=org,dc=au
member: uidNumber=10163,ou=Users,dc=plug,dc=org,dc=au
member: uidNumber=10048,ou=Users,dc=plug,dc=org,dc=au
member: uidNumber=10246,ou=Users,dc=plug,dc=org,dc=au
member: uidNumber=10062,ou=Users,dc=plug,dc=org,dc=au
member: uidNumber=10318,ou=Users,dc=plug,dc=org,dc=au
member: uidNumber=10189,ou=Users,dc=plug,dc=org,dc=au
member: uidNumber=10252,ou=Users,dc=plug,dc=org,dc=au
member: uidNumber=10254,ou=Users,dc=plug,dc=org,dc=au
gidNumber: 1006

I've not set up anything on the pam side yet, as I'm trying to just get
NSS working first. (So attempting to login as an LDAP user will
currently fail).

Any ideas what I'm missing? I watched the slapd debug logs and
realised it wasn't returning the member attr, which is how I
eventually worked out "map group uniqueMember member" should be
correct as it now returns the member attr. I'm guessing the problem is
now either what I'm mapping it to, or the resolution of the dn to a
user (although in the logs I see no more ldap queries after it gets
the groups, so I'm assuming it's the mapping that's the problem).

If I'm using the wrong package (i.e. ldapd version doesn't support
this), I apologise in advance as I've found very little documentation
regarding this.


Timothy White - Somewhere in Australia