RSS feed

Re: groupOfNames not working

[Date Prev][Date Next] [Thread Prev][Thread Next]

Re: groupOfNames not working

Well, I don't know what your groups look like or what OS/distro you're on, so
this explanation is assuming your system looks like my Linux boxes.

Both nss-pam-ldapd and PADL's nss-ldap look for group members stored in the
'uniqueMember' attribute by default.  I believe this is partly because
uniqueMember values are of the same syntax as those in /etc/password; namely,
UID's, not DN's.  However, groupOfNames stores group members in the 'member'
attribute, whose values are DN formatted, as outlined in the RFC's.  Thus, your
system needs a way of mapping the DN-formatted group members to their
UID-formatted counterparts (by means of an extra LDAP lookup for each member).
That's what your new mapping does - I use the same mapping myself.

Thus, nslcd translates group members stored in entries like this:

ou: Groups
gidNumber: 8001
cn: foo
description: The foo department
member: uid=janedoe,ou=Users,dc=example,dc=com
member: uid=johndoe,ou=Users,dc=example,dc=com
objectClass: groupOfURLs
objectClass: posixGroup
objectClass: top

cn: test
objectClass: top
objectClass: groupOfNames
objectClass: posixGroup
member: uid=test,ou=Users,dc=aweber,dc=com
gidNumber: 4444

...into entries like this for your system:



Scott Classen wrote:
> Well It's working now, but I'm a bit unclear on the logic.
> When the following option is in my nslcd.conf file I get only a list of group 
> names returned when testing with the 'getent group' command.
> map group memberUid member
> When I change this to:
> map group uniqueMember member
> everything works as expected and 'getent group' returns the group names and 
> all members of that group.
> This seems odd to me since the posixGroup objectclass typically uses 
> memberUid not uniqueMember. The groupOfUniqueNames objectclass (which I am 
> NOT using) typically uses uniqueMember. I am/was trying to migrate from 
> posixGroup to groupOfNames therefore I was under the impression that I should 
> map memberUid to member NOT uniqueMember to member.
> The bottom line is that it is working now. In the course of my 
> troubleshooting I installed both version 0.7.13 and 0.8.3. Currently 0.8.3 is 
> installed. Are there any issues I should be aware of or amy reason I should 
> switch back to 0.7.13 ?
> Thanks
> On Aug 3, 2011, at 7:00 AM, AWeber - Ryan Steele wrote:
>> Scott,
>> It would help to know what your groups look like.  Another thing to check,
>> without needing to see your groups, is that the schema on the server and 
>> clients
>> match.  Also, make sure nscd isn't running unexpectedly; it's bitten more 
>> than a
>> few people in similar situations.
>> Cheers,
>> Ryan
>> Scott Classen wrote:
>>> Hello,
>>> I can't get nss-pam-ldapd to return members of a groupOfNames object
>>> 'getent group' returns a list of LDAP groups, but not the members
>>> group1:*:9120:
>>> group2:*:9121:
>>> group3:*:9122:
>>> etc, etc
>>> my LDAP groups are groupOfNames (structural object class) with
>>> posixGroup as an auxillary object class.
>>> I have added the following map to my nslcd.conf file:
>>> map group memberUid member
>>> I've tried compiling and installing nss-pam-ldapd versions 0.7.13 and
>>> 0.8.3 and neither one is working yet.
>>> Thanks for your help.
>>> Scott
To unsubscribe send an email to or see