Re: Group lookups (groupOfNames)
- From: Ryan Steele <ryans [at] aweber.com>
- To: Tim <weirdit [at] gmail.com>
- Cc: nss-pam-ldapd-users [at] lists.arthurdejong.org
- Subject: Re: Group lookups (groupOfNames)
- Date: Wed, 18 May 2011 09:21:36 -0400
Tim wrote:
> Hi All, I've been trying for a few days to get this working without luck.
>
> Running Ubuntu Natty as a test server with openldap 2.4.23, and
> libnss-ldapd/nslcd/libpam-ldapd 0.7.13
>
> I'm using rfc2307bis.ldif to attempt to have groups as "groupOfNames"
> with posixGroup as an ancillary object class.
> So far, it appears to work partially. It retrieves the groups, just
> not the members. I was originally trying libnss-ldap but not having
> any luck with groups (even though there is a switch for rfc2307bis),
> not even able to get the groups to show.
There are a few things that I have observed to cause this. The first is forgetting uniqueMember -> member mapping, which you appear to have taken care of. The second is mismatched schema on the LDAP server and the client systems. The other is also schema related, and revolves around extending rfc2307bis such that 'member' is in the MAY clause of the groupOfMembers objectclass. Assuming the schema on the LDAP server and the clients match, and given what you've mentioned, I would expect it is the latter.

I think you may have a more recent version of rfc2307bis than I do, however, so you may or may not be able to use my suggestion. The one I've got doesn't have groupOfNames, but instead has an extended groupOfMembers objectclass, as described above. I guess we'd have to see the relevant objectclass from your schema to be able to answer more concretely.
>
> The contents of /etc/nslcd.conf are (with comments removed)
>
> uid nslcd
> gid nslcd
> uri ldap://127.0.0.1/
> base dc=plug,dc=org,dc=au
> filter group (objectClass=posixGroup)
> map group uniqueMember member
>
> $ getent group|grep committee
> committee:*:1006:
>
>
> The relevant ldif for committee group
> # committee, Groups, plug.org.au
> objectClass: groupOfNames
> objectClass: posixGroup
> dn: cn=committee,ou=Groups,dc=plug,dc=org,dc=au
> cn: committee
> member: uidNumber=10030,ou=Users,dc=plug,dc=org,dc=au
> member: uidNumber=10163,ou=Users,dc=plug,dc=org,dc=au
> member: uidNumber=10048,ou=Users,dc=plug,dc=org,dc=au
> member: uidNumber=10246,ou=Users,dc=plug,dc=org,dc=au
> member: uidNumber=10062,ou=Users,dc=plug,dc=org,dc=au
> member: uidNumber=10318,ou=Users,dc=plug,dc=org,dc=au
> member: uidNumber=10189,ou=Users,dc=plug,dc=org,dc=au
> member: uidNumber=10252,ou=Users,dc=plug,dc=org,dc=au
> member: uidNumber=10254,ou=Users,dc=plug,dc=org,dc=au
> gidNumber: 1006
>
> I've not set up anything on the pam side yet, as I'm trying to just get
> NSS working first. (So attempting to login as an LDAP user will
> currently fail).
>
> Any ideas what I'm missing? I watched the slapd debug logs and
> realised it wasn't returning the member attr, which is how I
> eventually worked out "map group uniqueMember member" should be
> correct as it now returns the member attr. I'm guessing the problem is
> now either what I'm mapping it to, or the resolution of the dn to a
> user (although in the logs I see no more ldap queries after it gets
> the groups, so I'm assuming it's the mapping that's the problem).
>
> If I'm using the wrong package (i.e. ldapd version doesn't support
> this), I apologise in advance as I've found very little documentation
> regarding this.
>
> Tim
>
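As an added illustration (not code from the thread or from nss-pam-ldapd itself), a small offline model of the lookup discussed above: it applies an nslcd-style group filter to the quoted committee entry, reads members from the mapped attribute, and turns each member DN into a user name, taking it straight from a uid= RDN and otherwise looking the DN up in a constructed directory snapshot. The DN-to-uid rule is a simplified assumption, and the user entries and names are constructed.

```python
"""Offline model of group member resolution (constructed example, not nslcd's code).
Assumes: after 'map group uniqueMember member' the member attribute is 'member';
a DN whose RDN is 'uid=<name>' yields <name> directly, any other DN must be
looked up in the directory to find its uid (simplified model of that step)."""
import re

# Constructed directory snapshot: the group mirrors the entry quoted above;
# the user entries are made up so the DN lookup has something to find.
DIRECTORY = {
    "cn=committee,ou=Groups,dc=plug,dc=org,dc=au": {
        "objectClass": ["groupOfNames", "posixGroup"],
        "cn": ["committee"], "gidNumber": ["1006"],
        "member": ["uidNumber=10030,ou=Users,dc=plug,dc=org,dc=au",
                   "uidNumber=10163,ou=Users,dc=plug,dc=org,dc=au",
                   "uid=carol,ou=Users,dc=plug,dc=org,dc=au"],
    },
    "uidNumber=10030,ou=Users,dc=plug,dc=org,dc=au": {
        "objectClass": ["posixAccount"], "uid": ["alice"], "uidNumber": ["10030"]},
    # 10163 is deliberately absent so one member stays unresolved.
}

def matches_filter(entry, flt):
    """Evaluate a single '(attr=value)' equality filter, like 'filter group'."""
    m = re.fullmatch(r"\((\w+)=([^)]*)\)", flt)
    if not m:
        raise ValueError("only (attr=value) filters are modelled")
    attr, value = m.groups()
    return any(v.lower() == value.lower() for v in entry.get(attr, []))

def dn_to_uid(dn, directory):
    """Map a member DN to a login name: uid= RDN directly, otherwise DN lookup."""
    rdn_attr, _, rdn_val = dn.split(",", 1)[0].partition("=")
    if rdn_attr.lower() == "uid":
        return rdn_val
    user = directory.get(dn)
    return user["uid"][0] if user and "uid" in user else None

def group_members(group_dn, directory, group_filter, member_attr="member"):
    """Return gid, resolved member names and unresolvable DNs, or None if the
    group entry does not match the configured filter at all."""
    entry = directory[group_dn]
    if not matches_filter(entry, group_filter):
        return None
    resolved, unresolved = [], []
    for dn in entry.get(member_attr, []):
        uid = dn_to_uid(dn, directory)
        (resolved if uid else unresolved).append(uid or dn)
    return {"gid": entry["gidNumber"][0], "members": resolved, "unresolved": unresolved}
```

Running it with the filter from the quoted nslcd.conf shows which member DNs map to a name and which would need an entry that the snapshot does not contain.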
--
To unsubscribe send an email to
nss-pam-ldapd-users-unsubscribe@lists.arthurdejong.org or see
http://lists.arthurdejong.org/nss-pam-ldapd-users