RSS feed

Re: Group lookups (groupOfNames)

[Date Prev][Date Next] [Thread Prev][Thread Next]

Re: Group lookups (groupOfNames)

Tim wrote:
> Hi All, I've been trying for a few days to get this working without luck.
> Running Ubuntu Natty as a test server with openldap 2.4.23, and
> libnss-ldapd/nslcd/libpam-ldapd 0.7.13
> I'm using rfc2307bis.ldif to attempt to have groups as "groupOfNames"
> with posixGroup as an Ancillary object class.
> So far, it appears to work partially. It retrieves the groups, just
> not the members. I was originally trying libnss-ldap but not having
> any luck with groups (even though there is a switch for rfc2307bis),
> not even able to get the groups to show.

There are a few things that I have observed to cause this.  The first is 
forgetting uniqueMember -> member mapping,
which you appear to have taken care of.  The second is mismatched schema on the 
LDAP server and the client systems.  The
other is also schema related, and revolves around extending rfc2307bis such 
that 'member' is in the MAY clause of the
groupOfMembers objectclass.  Assuming the schema on the LDAP server and the 
clients match, and given what you've
mentioned, I would expect it is the latter.

I think you may have a more recent version of rfc2307bis than I do, however, so 
you may or may not be able to use my
suggestion.  The one I've got doesn't have groupOfNames, but instead has an 
extended groupOfMembers objectclass, as
described above.  I guess we'd have to see the relevant objectclass from your 
schema to be able to answer more concretely.

> The contents of /etc/nslcd.conf are (with comments removed)
> uid nslcd
> gid nslcd
> uri ldap://
> base dc=plug,dc=org,dc=au
> filter group (objectClass=posixGroup)
> map group uniqueMember member
> $ getent group|grep committee
> committee:*:1006:
> The relevant ldif for committee group
> # committee, Groups,
> objectClass: groupOfNames
> objectClass: posixGroup
> dn: cn=committee,ou=Groups,dc=plug,dc=org,dc=au
> cn: committee
> member: uidNumber=10030,ou=Users,dc=plug,dc=org,dc=au
> member: uidNumber=10163,ou=Users,dc=plug,dc=org,dc=au
> member: uidNumber=10048,ou=Users,dc=plug,dc=org,dc=au
> member: uidNumber=10246,ou=Users,dc=plug,dc=org,dc=au
> member: uidNumber=10062,ou=Users,dc=plug,dc=org,dc=au
> member: uidNumber=10318,ou=Users,dc=plug,dc=org,dc=au
> member: uidNumber=10189,ou=Users,dc=plug,dc=org,dc=au
> member: uidNumber=10252,ou=Users,dc=plug,dc=org,dc=au
> member: uidNumber=10254,ou=Users,dc=plug,dc=org,dc=au
> gidNumber: 1006
> I've not setup anything on the pam side yet, as I'm trying to just get
> NSS working first. (So attempting to login as a LDAP user will
> currently fail).
> Any ideas what I'm missing? I watched the slapd debug logs and
> realised it wasn't returning the member attr, which is how I
> eventually worked out "map group uniqueMember member" should be
> correct as it now returns the member attr. I'm guessing the problem is
> now ether what I'm mapping it to, or the resolution of the dn to a
> user (although in the logs I see no more ldap queries after it gets
> the groups, so I'm assuming it's the mapping that's the problem).
> If I'm using the wrong package (i.e. ldapd version doesn't support
> this), I apologise in advance as I've found very little documentation
> regarding this.
> Tim
To unsubscribe send an email to or see