PAM doesn't retrieve secondary group when it is an aliased object
[
Date Prev][
Date Next]
[
Thread Prev][
Thread Next]
PAM doesn't retrieve secondary group when it is an aliased object
- From: postmaster [at] home108.com
- To: nss-pam-ldapd-users [at] lists.arthurdejong.org
- Subject: PAM doesn't retrieve secondary group when it is an aliased object
- Date: Wed, 13 Jul 2011 13:46:13 +0200
Hi everybody,
Under Debian Squeeze, I need to use Samba/PAM/LDAP authentication and
group mapping through dyngroups using:
slapd : 2.4.23-7.2
nslcd : 0.7.13
libpam-ldapd : 0.7.13
libnss-ldapd : 0.7.13
I added the rfc2307bis schema because I want to obtain a groupOfURLs as
structural objectclass and a posixGroup as auxiliary objectclass with a
gidNumber as attribute !
After a minimal population, I got this LDAP tree:
#####
# LDIF Export for dc=domain,dc=tld
# Server: My LDAP Server (localhost)
# Search Scope: sub
# Search Filter: (objectClass=*)
# Total Entries: 12
#
# Generated by phpLDAPadmin (http://phpldapadmin.sourceforge.net) on July
13, 2011 8:47 am
# Version: 1.2.0.5
version: 1
# Entry 1: dc=domain,dc=tld
dn: dc=domain,dc=tld
dc: domain
o: domain
objectclass: dcObject
objectclass: organization
# Entry 2: cn=NextFreeUnixId,dc=domain,dc=tld
dn: cn=NextFreeUnixId,dc=domain,dc=tld
cn: NextFreeUnixId
gidnumber: 1108
objectclass: inetOrgPerson
objectclass: sambaUnixIdPool
sn: NextFreeUnixId
uidnumber: 2086
# Entry 3: ou=computers,dc=domain,dc=tld
dn: ou=computers,dc=domain,dc=tld
objectclass: top
objectclass: organizationalUnit
ou: computers
# Entry 4: ou=groups,dc=domain,dc=tld
dn: ou=groups,dc=domain,dc=tld
objectclass: top
objectclass: organizationalUnit
ou: groups
# Entry 5: cn=peri,ou=groups,dc=domain,dc=tld
dn: cn=peri,ou=groups,dc=domain,dc=tld
cn: peri
gidnumber: 521
member: uid=abeaulieu,ou=peri,ou=dga1,ou=users,dc=domain,dc=tld
memberurl: ldap:///ou=peri,ou=dga1,ou=users,dc=domain,dc=tld??one?(uid=*)
objectclass: groupOfURLs
objectclass: posixGroup
# Entry 6: cn=scol,ou=groups,dc=domain,dc=tld
dn: cn=scol,ou=groups,dc=domain,dc=tld
cn: scol
gidnumber: 524
member: uid=abeaulieu,ou=scol,ou=dga1,ou=users,dc=domain,dc=tld
memberurl: ldap:///ou=scol,ou=dga1,ou=users,dc=domain,dc=tld??one?(uid=*)
objectclass: groupOfURLs
objectclass: top
objectclass: extensibleObject
objectclass: posixGroup
sambagrouptype: 2
sambasid: S-1-5-21-3628528233-1319900138-667723050-3165
# Entry 7: ou=users,dc=domain,dc=tld
dn: ou=users,dc=domain,dc=tld
objectclass: top
objectclass: organizationalUnit
ou: users
# Entry 8: ou=dga1,ou=users,dc=domain,dc=tld
dn: ou=dga1,ou=users,dc=domain,dc=tld
objectclass: top
objectclass: organizationalUnit
ou: dga1
# Entry 9: ou=peri,ou=dga1,ou=users,dc=domain,dc=tld
dn: ou=peri,ou=dga1,ou=users,dc=domain,dc=tld
objectclass: top
objectclass: organizationalUnit
ou: peri
# Entry 10: uid=abeaulieu,ou=peri,ou=dga1,ou=users,dc=domain,dc=tld
dn: uid=abeaulieu,ou=peri,ou=dga1,ou=users,dc=domain,dc=tld
aliasedobjectname: uid=abeaulieu,ou=scol,ou=dga1,ou=users,dc=domain,dc=tld
objectclass: alias
objectclass: top
objectclass: extensibleObject
uid: abeaulieu
# Entry 11: ou=scol,ou=dga1,ou=users,dc=domain,dc=tld
dn: ou=scol,ou=dga1,ou=users,dc=domain,dc=tld
objectclass: top
objectclass: organizationalUnit
ou: scol
# Entry 12: uid=abeaulieu,ou=scol,ou=dga1,ou=users,dc=domain,dc=tld
dn: uid=abeaulieu,ou=scol,ou=dga1,ou=users,dc=domain,dc=tld
cn: BEAULIEU Anne
description: Anne BEAULIEU
displayname: Anne BEAULIEU
gecos: Anne BEAULIEU
gidnumber: 524
givenname: Anne
homedirectory: /data/users/abeaulieu
loginshell: /bin/bash
mail: abeaulieu@domain.tld
objectclass: top
objectclass: person
objectclass: organizationalPerson
objectclass: inetOrgPerson
objectclass: posixAccount
objectclass: shadowAccount
objectclass: sambaSamAccount
sambaacctflags: [U]
sambabadpasswordcount: 0
sambabadpasswordtime: 0
sambahomedrive: U:
sambahomepath: \\arwen\homes\abeaulieu
sambakickofftime: 2147483647
sambalmpassword: 01FC5A6BE7BC6929AAD3B435B51404EE
sambalogofftime: 2147483647
sambalogonscript: abeaulieu.bat
sambalogontime: 0
sambantpassword: 0CB6948805F797BF2A82807973B89537
sambapasswordhistory: 168DEEDA8D143CA27D33E12FF4CD81D211B01B0E4B8BD8E2868983
17AE93102D000
sambaprimarygroupsid: S-1-5-21-3628528233-1319900138-667723050-513
sambaprofilepath: \\arwen\profiles\abeaulieu
sambapwdcanchange: 0
sambapwdlastset: 1303395867
sambapwdmustchange: 1318947867
sambasid: S-1-5-21-3628528233-1319900138-667723050-5156
shadowlastchange: 15085
shadowmax: 180
sn: BEAULIEU
uid: abeaulieu
uidnumber: 2078
userpassword: {CRYPT}XdiWfno7Or4XA
#####
Everything seems to be OK, like:
$ getent group
...
peri:*:521:
scol:*:524:
$ getent passwd
...
abeaulieu:x:2078:524:Anne BEAULIEU:/data/users/abeaulieu:/bin/bash
$ getent shadow
...
abeaulieu:*:::180::::0
So I can authenticate the user abeaulieu without any problem !
I also can do that:
$ ldapsearch -h localhost -x -D "cn=admin,dc=domain,dc=tld" -w secret
gidnumber=521
# extended LDIF
#
# LDAPv3
# base <dc=domain,dc=tld> (default) with scope subtree
# filter: gidnumber=521
# requesting: ALL
#
# peri, groups, domain.tld
dn: cn=peri,ou=groups,dc=domain,dc=tld
gidNumber: 521
objectClass: groupOfURLs
objectClass: posixGroup
cn: peri
memberURL: ldap:///ou=peri,ou=dga1,ou=users,dc=domain,dc=tld??one?(uid=*)
member: uid=abeaulieu,ou=peri,ou=dga1,ou=users,dc=domain,dc=tld
# search result
search: 2
result: 0 Success
# numResponses: 2
# numEntries: 1
Or:
ldapsearch -h localhost -x -D "cn=admin,dc=domain,dc=tld" -w secret
uid=abeaulieu
# extended LDIF
#
# LDAPv3
# base <dc=domain,dc=tld> (default) with scope subtree
# filter: uid=abeaulieu
# requesting: ALL
#
# abeaulieu, peri, dga1, users, domain.tld
dn: uid=abeaulieu,ou=peri,ou=dga1,ou=users,dc=domain,dc=tld
uid: abeaulieu
objectClass: alias
objectClass: top
objectClass: extensibleObject
aliasedObjectName: uid=abeaulieu,ou=scol,ou=dga1,ou=users,dc=domain,dc=tld
# abeaulieu, scol, dga1, users, domain.tld
dn: uid=abeaulieu,ou=scol,ou=dga1,ou=users,dc=domain,dc=tld
sambaLMPassword: 01FC5A6BE7BC6929AAD3B435B51404EE
sambaPrimaryGroupSID: S-1-5-21-3628528233-1319900138-667723050-513
displayName: Anne BEAULIEU
givenName: Anne
sambaLogonScript: abeaulieu.bat
objectClass: top
objectClass: person
objectClass: organizationalPerson
objectClass: inetOrgPerson
objectClass: posixAccount
objectClass: shadowAccount
objectClass: sambaSamAccount
shadowLastChange: 15085
userPassword:: e0NSWVBUfVg1aVdIbm83VXI0WEE=
sambaHomeDrive: U:
sambaLogonTime: 0
sambaBadPasswordTime: 0
uid: abeaulieu
uidNumber: 2078
cn: BEAULIEU Anne
sambaLogoffTime: 2147483647
sambaPwdLastSet: 1303395867
sambaAcctFlags: [U]
loginShell: /bin/bash
sambaBadPasswordCount: 0
sambaProfilePath: \\arwen\profiles\abeaulieu
gidNumber: 524
shadowMax: 180
sambaPwdMustChange: 1318947867
sambaSID: S-1-5-21-3628528233-1319900138-667723050-5156
gecos: Anne BEAULIEU
sambaNTPassword: 0CB6948805F797BF2A82807973B89537
sambaPwdCanChange: 0
description: Anne BEAULIEU
homeDirectory: /data/users/abeaulieu
sambaKickoffTime: 2147483647
sn: BEAULIEU
sambaHomePath: \\arwen\homes\abeaulieu
sambaPasswordHistory:
168DEEDA8D143CA27D33E12FF4CD81D211B01B0E4B8BD8E286898317
AE93102D000
mail: abeaulieu@domain.tld
# search result
search: 2
result: 0 Success
# numResponses: 3
# numEntries: 2
... So I rightly obtain the alias !
But when I try:
$ groups abeaulieu
abeaulieu : scol
I don't retrieve the secondary group... which is the alias ???
Any idea ?
Thank you for all your suggestions.
-------------------------------------
Camille PREVOST - A Debian enthusiast
#####
There are my main config file's directives:
-------------------------------------------
##### /etc/ldap/slapd.conf :
include /etc/ldap/schema/core.schema
include /etc/ldap/schema/cosine.schema
include /etc/ldap/schema/inetorgperson.schema
include /etc/ldap/schema/openldap.schema
include /etc/ldap/schema/rfc2307bis.schema
include /etc/ldap/schema/samba.schema
include /etc/ldap/schema/misc.schema
include /etc/ldap/schema/dyngroup.schema
pidfile /var/run/slapd/slapd.pid
argsfile /var/run/slapd/slapd.args
modulepath /usr/lib/ldap/
moduleload back_bdb
moduleload memberof.la
moduleload dynlist.so
moduleload autogroup.so
allow bind_v2
database bdb
directory /var/lib/ldap
suffix "dc=domain,dc=tld"
rootdn "cn=admin,dc=domain,dc=tld"
rootpw secret
loglevel 256
overlay dynlist
overlay autogroup
autogroup-attrset posixGroup memberURL uidnumber
access to
attrs=userPassword,shadowLastChange,sambaLMPassword,sambaNTPassword,sambaPasswordHistory
by anonymous auth
by self write
by * none
access to dn.base="" by * read
access to *
by * read
cachesize 100000
index objectClass pres,eq
index cn,sn,uid,displayName pres,sub,eq
index uidNumber,gidNumber eq
index sambaSID eq
index sambaPrimaryGroupSID eq
index sambaDomainName eq
index default sub
index memberURL pres,eq
index memberUid pres,eq
index uniqueMember pres,eq
##### /etc/nsswitch.conf :
passwd: files ldap
group: files ldap
shadow: files ldap
aliases: files ldap
hosts: files dns ldap
networks: files
services: files db
protocols: files db
rpc: files db
ethers: files db
netgroup: files nis
##### /etc/nslcd.conf :
uid nslcd
gid nslcd
uri ldap://127.0.0.1/
base dc=domain,dc=tld
ldap_version 3
scope sub
#####
Everything is correctly configured in /etc/pam.d/common-* and I assumed
Samba config files are not needed to find what is wrong...
--
To unsubscribe send an email to
nss-pam-ldapd-users-unsubscribe@lists.arthurdejong.org or see
http://lists.arthurdejong.org/nss-pam-ldapd-users
- PAM doesn't retrieve secondary group when it is an aliased object,
postmaster