Re: groupOfNames not working

On Wed, 2011-08-03 at 14:34 -0400, AWeber - Ryan Steele wrote:
> Both nss-pam-ldapd and PADL's nss-ldap look for group members stored in the
> 'uniqueMember' attribute by default.  I believe this is partly because
> uniqueMember values are of the same syntax as those in /etc/password; namely,
> UIDs, not DNs.  However, groupOfNames stores group members in the 'member'
> attribute, whose values are DN formatted, as outlined in the RFCs.

A small clarification: nss-pam-ldapd supports two group member
attributes:
  memberUid: values are usernames (uid)
  uniqueMember: values are DNs
The second attribute can be mapped to the member attribute when using
groupOfNames.


However, using the uniqueMember/member attribute has several downsides:
- for every group lookup an extra lookup needs to be done to find the
  username for each member [0]
- for every group membership lookup an extra query is required
- it is possible that the DN points to something that is not a valid
  user object
- it is not easily possible to add system users as LDAP group members
  (e.g. add user www-data to an LDAP group)

Using uniqueMember/member does allow you to define nested groups (one of
the member DNs could point to another object that also has member
attributes and so on). Some support for this is available in PADL's
nss_ldap but currently not in nslcd due to the complexity of the group
membership lookup [1].

[0] nslcd takes some shortcuts here and caches these DN to uid lookups
    for 15 minutes to be able to support groups with thousands of members
[1] http://lists.arthurdejong.org/nss-pam-ldapd-users/2010/msg00007.html

-- 
-- arthur - arthur@arthurdejong.org - http://arthurdejong.org --
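As an added example (not from the message above or from the nss-pam-ldapd project), the nslcd.conf fragment that applies the mapping described in the reply, so that groupOfNames entries are read through nslcd's DN-valued member handling. The base DN is an assumption, and the group entries are assumed to also carry a gidNumber (for instance via an auxiliary posixGroup class from an rfc2307bis-style schema), since nslcd cannot expose a group without one.

```conf
# Assumed location of the group entries (replace with your own base DN).
base group ou=groups,dc=example,dc=com

# Select groupOfNames entries instead of the default posixGroup filter.
filter group (objectClass=groupOfNames)

# nslcd already treats uniqueMember as a DN-valued member attribute;
# point that handling at the 'member' attribute used by groupOfNames.
# Note the downsides listed in the reply: every group lookup resolves each
# member DN to a username (results are cached for 15 minutes), membership
# lookups cost an extra query, a DN may point at a non-user object, and local
# system users such as www-data cannot be listed as members this way.
map group uniqueMember member
```

With posixGroup entries and memberUid values no mapping is needed; the two settings above are only for directories that keep groups as groupOfNames.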