Re: groupOfNames not working
- From: AWeber - Ryan Steele <ryans [at] aweber.com>
- To: Scott Classen <sclassen [at] lbl.gov>
- Cc: nss-pam-ldapd-users [at] lists.arthurdejong.org
- Subject: Re: groupOfNames not working
- Date: Wed, 03 Aug 2011 14:34:00 -0400
Well, I don't know what your groups look like or what OS/distro you're on, so
this explanation is assuming your system looks like my Linux boxes.
Both nss-pam-ldapd and PADL's nss-ldap look for group members stored in the
'uniqueMember' attribute by default. I believe this is partly because
uniqueMember values are of the same syntax as those in /etc/password; namely,
UIDs, not DNs. However, groupOfNames stores group members in the 'member'
attribute, whose values are DN formatted, as outlined in the RFCs. Thus, your
system needs a way of mapping the DN-formatted group members to their
UID-formatted counterparts (by means of an extra LDAP lookup for each member).
That's what your new mapping does - I use the same mapping myself.
Thus, nslcd translates group members stored in entries like this:
cn=foo,ou=Groups,dc=example,dc=com
ou: Groups
gidNumber: 8001
cn: foo
description: The foo department
memberURL:
ldap:///ou=Users,dc=example,dc=com??sub?(&(objectClass=examplecomEmployee)(departmentName=foo))
member: uid=janedoe,ou=Users,dc=example,dc=com
member: uid=johndoe,ou=Users,dc=example,dc=com
objectClass: groupOfURLs
objectClass: posixGroup
objectClass: top
cn=test,ou=Groups,dc=aweber,dc=com
cn: test
objectClass: top
objectClass: groupOfNames
objectClass: posixGroup
member: uid=test,ou=Users,dc=aweber,dc=com
gidNumber: 4444
...into entries like this for your system:
foo:*:8001:janedoe,johndoe
test:*:4444:test
Cheers,
Ryan
Scott Classen wrote:
> Well It's working now, but I'm a bit unclear on the logic.
>
> When the following option is in my nslcd.conf file I get only a list of group
> names returned when testing with the 'getent group' command.
>
> map group memberUid member
>
> When I change this to:
>
> map group uniqueMember member
>
> everything works as expected and 'getent group' returns the group names and
> all members of that group.
>
> This seems odd to me since the posixGroup objectclass typically uses
> memberUid not uniqueMember. The groupOfUniqueNames objectclass (which I am
> NOT using) typically uses uniqueMember. I am/was trying to migrate from
> posixGroup to groupOfNames therefore I was under the impression that I should
> map memberUid to member NOT uniqueMember to member.
>
> The bottom line is that it is working now. In the course of my
> troubleshooting I installed both version 0.7.13 and 0.8.3. Currently 0.8.3 is
> installed. Are there any issues I should be aware of or any reason I should
> switch back to 0.7.13?
>
> Thanks
>
>
> On Aug 3, 2011, at 7:00 AM, AWeber - Ryan Steele wrote:
>
>> Scott,
>>
>> It would help to know what your groups look like. Another thing to check,
>> without needing to see your groups, is that the schema on the server and
>> clients
>> match. Also, make sure nscd isn't running unexpectedly; it's bitten more
>> than a
>> few people in similar situations.
>>
>> Cheers,
>> Ryan
>>
>> Scott Classen wrote:
>>> Hello,
>>>
>>> I can't get nss-pam-ldapd to return members of a groupOfNames object
>>>
>>> 'getent group' returns a list of LDAP groups, but not the members
>>>
>>> group1:*:9120:
>>> group2:*:9121:
>>> group3:*:9122:
>>> etc, etc
>>>
>>> my LDAP groups are groupOfNames (structural object class) with
>>> posixGroup as an auxiliary object class.
>>>
>>> I have added the following map to my nslcd.conf file:
>>>
>>> map group memberUid member
>>>
>>> I've tried compiling and installing nss-pam-ldapd versions 0.7.13 and
>>> 0.8.3 and neither one is working yet.
>>>
>>> Thanks for your help.
>>> Scott
>
--
To unsubscribe send an email to
nss-pam-ldapd-users-unsubscribe@lists.arthurdejong.org or see
http://lists.arthurdejong.org/nss-pam-ldapd-users
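The translation Ryan describes, as an added worked example that is not part of the original thread and not nslcd's own code: it simulates what nslcd does with `map group uniqueMember member` by parsing LDIF-style group entries, resolving each DN-valued `member` through an extra lookup (a constructed in-memory DN-to-uid table stands in for the LDAP query), and emitting the `/etc/group`-style lines that `getent group` would show. The sample entries are constructed from the ones quoted above; the `legacy` group, the `uid=ghost` member and the user table are assumptions for illustration.

```python
"""Simulate nslcd's DN-to-UID translation of groupOfNames members.

Added example, not nslcd code.  Assumptions: a simplified LDIF reader,
an in-memory user table in place of the per-member LDAP lookup, and a
member DN that resolves to nothing (uid=ghost) to show the failure path.
"""

from typing import Dict, List

# Constructed sample groups, modelled on the entries quoted in the thread.
GROUP_LDIF = """\
dn: cn=foo,ou=Groups,dc=example,dc=com
cn: foo
gidNumber: 8001
member: uid=janedoe,ou=Users,dc=example,dc=com
member: uid=johndoe,ou=Users,dc=example,dc=com
objectClass: groupOfNames
objectClass: posixGroup

dn: cn=test,ou=Groups,dc=aweber,dc=com
cn: test
gidNumber: 4444
member: uid=test,ou=Users,dc=aweber,dc=com
member: uid=ghost,ou=Users,dc=aweber,dc=com
objectClass: groupOfNames
objectClass: posixGroup

dn: cn=legacy,ou=Groups,dc=example,dc=com
cn: legacy
gidNumber: 9120
memberUid: janedoe
objectClass: posixGroup
"""

# Constructed user directory (DN -> uid); stands in for the extra LDAP
# lookup done for every DN-valued member.  uid=ghost is deliberately absent.
USER_DIRECTORY: Dict[str, str] = {
    "uid=janedoe,ou=Users,dc=example,dc=com": "janedoe",
    "uid=johndoe,ou=Users,dc=example,dc=com": "johndoe",
    "uid=test,ou=Users,dc=aweber,dc=com": "test",
}


def parse_ldif(text: str) -> List[Dict[str, List[str]]]:
    """Parse simplified LDIF (blank-line separated entries, 'attr: value'
    lines) into a list of attribute dicts; multi-valued attributes keep
    every value in order."""
    entries: List[Dict[str, List[str]]] = []
    current: Dict[str, List[str]] = {}
    for raw in text.splitlines():
        line = raw.rstrip()
        if not line:
            if current:
                entries.append(current)
                current = {}
            continue
        attr, _, value = line.partition(":")
        current.setdefault(attr.strip(), []).append(value.strip())
    if current:
        entries.append(current)
    return entries


def resolve_member_dn(dn: str, directory: Dict[str, str]) -> str:
    """The per-member lookup: map a DN to its uid.  Returns '' for an
    unknown DN so one stale member does not break the whole group."""
    return directory.get(dn, "")


def members_of(entry: Dict[str, List[str]], directory: Dict[str, str],
               dn_attr: str = "member", uid_attr: str = "memberUid") -> List[str]:
    """Literal uids from uid_attr plus resolved uids from the DN-valued
    dn_attr.  dn_attr is the knob the 'map group uniqueMember member'
    line turns: nslcd's default DN attribute is uniqueMember."""
    uids = list(entry.get(uid_attr, []))
    for dn in entry.get(dn_attr, []):
        uid = resolve_member_dn(dn, directory)
        if uid and uid not in uids:
            uids.append(uid)
    return uids


def render_group_lines(ldif_text: str, directory: Dict[str, str] = USER_DIRECTORY,
                       dn_attr: str = "member") -> List[str]:
    """Return 'name:*:gid:m1,m2' lines, the shape 'getent group' prints."""
    lines = []
    for entry in parse_ldif(ldif_text):
        if "posixGroup" not in entry.get("objectClass", []):
            continue  # only posixGroup entries feed the group map
        name, gid = entry["cn"][0], entry["gidNumber"][0]
        members = members_of(entry, directory, dn_attr=dn_attr)
        lines.append(f"{name}:*:{gid}:{','.join(members)}")
    return lines


if __name__ == "__main__":
    print("# with 'map group uniqueMember member' (DNs read from 'member'):")
    print("\n".join(render_group_lines(GROUP_LDIF, dn_attr="member")))
    print("# without the mapping (DNs expected in 'uniqueMember'):")
    print("\n".join(render_group_lines(GROUP_LDIF, dn_attr="uniqueMember")))
```

Running it with `dn_attr="member"` gives `foo:*:8001:janedoe,johndoe` and `test:*:4444:test` (the unresolvable `uid=ghost` is dropped rather than printed as a raw DN), while `dn_attr="uniqueMember"` reproduces Scott's original symptom: the groupOfNames entries carry no `uniqueMember` attribute, so every group comes back with its name and gid but no members.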