RSS feed

Re: Group lookups (groupOfNames)

[Date Prev][Date Next] [Thread Prev][Thread Next]

Re: Group lookups (groupOfNames)

I'm not sure the best way to "present" the current schema, as it
appears ldif gets formatted horribly for long lines.
Here are the files as they come out of the
/etc/ldap/slapd.d/cn=config/cn=schema/ directory.

The rfc2307bis.schema file that I am using came from the gosa package.
(Had forgotten that earlier, so hope that's not the cause of my
problems!) I've uploaded it to so it's probably
easier that going through the ldif file.

I believe the relevant sections are.

objectclass ( NAME 'posixGroup' SUP top AUXILIARY
  DESC 'Abstraction of a group of accounts'
  MUST gidNumber
  MAY ( userPassword $ memberUid $
        description ) )

I've just noticed the following section.
## namedObject is needed for groups without members
objectclass ( NAME 'namedObject' SUP top
       STRUCTURAL MAY cn )

Which makes me wonder if I'm constructing my groups wrongly.

My groupOfNames comes from the core.schema that is shipped with the
openldap package.

objectclass ( NAME 'groupOfNames'
        DESC 'RFC2256: a group of names (DNs)'
        SUP top STRUCTURAL
        MUST ( member $ cn )
        MAY ( businessCategory $ seeAlso $ owner $ ou $ o $ description ) )

Does that help anyone to see what I need to change?



On 18 May 2011 23:21, Ryan Steele <> wrote:
> Tim wrote:
>> Hi All, I've been trying for a few days to get this working without luck.
>> Running Ubuntu Natty as a test server with openldap 2.4.23, and
>> libnss-ldapd/nslcd/libpam-ldapd 0.7.13
>> I'm using rfc2307bis.ldif to attempt to have groups as "groupOfNames"
>> with posixGroup as an Ancillary object class.
>> So far, it appears to work partially. It retrieves the groups, just
>> not the members. I was originally trying libnss-ldap but not having
>> any luck with groups (even though there is a switch for rfc2307bis),
>> not even able to get the groups to show.
> There are a few things that I have observed to cause this.  The first is 
> forgetting uniqueMember -> member mapping,
> which you appear to have taken care of.  The second is mismatched schema on 
> the LDAP server and the client systems.  The
> other is also schema related, and revolves around extending rfc2307bis such 
> that 'member' is in the MAY clause of the
> groupOfMembers objectclass.  Assuming the schema on the LDAP server and the 
> clients match, and given what you've
> mentioned, I would expect it is the latter.
> I think you may have a more recent version of rfc2307bis than I do, however, 
> so you may or may not be able to use my
> suggestion.  The one I've got doesn't have groupOfNames, but instead has an 
> extended groupOfMembers objectclass, as
> described above.  I guess we'd have to see the relevant objectclass from your 
> schema to be able to answer more concretely.
>> The contents of /etc/nslcd.conf are (with comments removed)
>> uid nslcd
>> gid nslcd
>> uri ldap://
>> base dc=plug,dc=org,dc=au
>> filter group (objectClass=posixGroup)
>> map group uniqueMember member
>> $ getent group|grep committee
>> committee:*:1006:
>> The relevant ldif for committee group
>> # committee, Groups,
>> objectClass: groupOfNames
>> objectClass: posixGroup
>> dn: cn=committee,ou=Groups,dc=plug,dc=org,dc=au
>> cn: committee
>> member: uidNumber=10030,ou=Users,dc=plug,dc=org,dc=au
>> member: uidNumber=10163,ou=Users,dc=plug,dc=org,dc=au
>> member: uidNumber=10048,ou=Users,dc=plug,dc=org,dc=au
>> member: uidNumber=10246,ou=Users,dc=plug,dc=org,dc=au
>> member: uidNumber=10062,ou=Users,dc=plug,dc=org,dc=au
>> member: uidNumber=10318,ou=Users,dc=plug,dc=org,dc=au
>> member: uidNumber=10189,ou=Users,dc=plug,dc=org,dc=au
>> member: uidNumber=10252,ou=Users,dc=plug,dc=org,dc=au
>> member: uidNumber=10254,ou=Users,dc=plug,dc=org,dc=au
>> gidNumber: 1006
>> I've not setup anything on the pam side yet, as I'm trying to just get
>> NSS working first. (So attempting to login as a LDAP user will
>> currently fail).
>> Any ideas what I'm missing? I watched the slapd debug logs and
>> realised it wasn't returning the member attr, which is how I
>> eventually worked out "map group uniqueMember member" should be
>> correct as it now returns the member attr. I'm guessing the problem is
>> now ether what I'm mapping it to, or the resolution of the dn to a
>> user (although in the logs I see no more ldap queries after it gets
>> the groups, so I'm assuming it's the mapping that's the problem).
>> If I'm using the wrong package (i.e. ldapd version doesn't support
>> this), I apologise in advance as I've found very little documentation
>> regarding this.
>> Tim

Timothy White - Somewhere in Australia
To unsubscribe send an email to or see