libpam-ldapd not looking for groups?

Hi,

I'm migrating from libpam-ldap to libpam-ldapd on Ubuntu 10.04 clients. I'm 
having some trouble gathering the secondary groups from LDAP.

On libpam-ldap, I had this on the /etc/ldap.conf file:

nss_schema rfc2307bis
nss_base_passwd         ou=People,ou=CITIUS,dc=inv,dc=usc,dc=es
nss_base_shadow         ou=People,ou=CITIUS,dc=inv,dc=usc,dc=es
nss_base_group          ou=Groups,ou=CITIUS,dc=inv,dc=usc,dc=es
nss_map_attribute       uniqueMember  member

The mapping is there because I'm using groupOfNames instead of 
groupOfUniqueNames LDAP class for groups, so the attribute naming the members 
is named member instead of uniqueMember.

Now, I want to do the same using libpam-ldapd but I can't get it to work. 
Here's the relevant part of my /etc/nslcd.conf:

base passwd         ou=People,ou=CITIUS,dc=inv,dc=usc,dc=es
base shadow         ou=People,ou=CITIUS,dc=inv,dc=usc,dc=es
base group          ou=Groups,ou=CITIUS,dc=inv,dc=usc,dc=es
map group uniqueMember member

And this is the debug output from nslcd, when a user is authenticated:

nslcd: [8b4567] DEBUG: connection from pid=12090 uid=0 gid=0
nslcd: [8b4567] DEBUG: nslcd_passwd_byuid(4004)
nslcd: [8b4567] DEBUG: myldap_search(base="ou=People,ou=CITIUS,dc=inv,dc=usc,dc=es", filter="(&(objectClass=posixAccount)(uidNumber=4004))")
nslcd: [8b4567] DEBUG: ldap_initialize(ldap://172.16.54.31/)
nslcd: [8b4567] DEBUG: ldap_set_rebind_proc()
nslcd: [8b4567] DEBUG: ldap_set_option(LDAP_OPT_PROTOCOL_VERSION,3)
nslcd: [8b4567] DEBUG: ldap_set_option(LDAP_OPT_DEREF,0)
nslcd: [8b4567] DEBUG: ldap_set_option(LDAP_OPT_TIMELIMIT,10)
nslcd: [8b4567] DEBUG: ldap_set_option(LDAP_OPT_TIMEOUT,10)
nslcd: [8b4567] DEBUG: ldap_set_option(LDAP_OPT_NETWORK_TIMEOUT,10)
nslcd: [8b4567] DEBUG: ldap_set_option(LDAP_OPT_REFERRALS,LDAP_OPT_ON)
nslcd: [8b4567] DEBUG: ldap_set_option(LDAP_OPT_RESTART,LDAP_OPT_ON)
nslcd: [8b4567] DEBUG: ldap_simple_bind_s("uid=ubuntu,ou=Applications,ou=CITIUS,dc=inv,dc=usc,dc=es","*****") (uri="ldap://172.16.54.31/")
nslcd: [8b4567] connected to LDAP server ldap://172.16.54.31/
nslcd: [8b4567] DEBUG: ldap_result(): end of results
nslcd: [7b23c6] DEBUG: connection from pid=15906 uid=0 gid=2000
nslcd: [7b23c6] DEBUG: nslcd_pam_authc("jorge.suarez","","su","***")
nslcd: [7b23c6] DEBUG: myldap_search(base="ou=People,ou=CITIUS,dc=inv,dc=usc,dc=es", filter="(&(objectClass=posixAccount)(uid=jorge.suarez))")
nslcd: [7b23c6] DEBUG: ldap_initialize(ldap://172.16.54.31/)
nslcd: [7b23c6] DEBUG: ldap_set_rebind_proc()
nslcd: [7b23c6] DEBUG: ldap_set_option(LDAP_OPT_PROTOCOL_VERSION,3)
nslcd: [7b23c6] DEBUG: ldap_set_option(LDAP_OPT_DEREF,0)
nslcd: [7b23c6] DEBUG: ldap_set_option(LDAP_OPT_TIMELIMIT,10)
nslcd: [7b23c6] DEBUG: ldap_set_option(LDAP_OPT_TIMEOUT,10)
nslcd: [7b23c6] DEBUG: ldap_set_option(LDAP_OPT_NETWORK_TIMEOUT,10)
nslcd: [7b23c6] DEBUG: ldap_set_option(LDAP_OPT_REFERRALS,LDAP_OPT_ON)
nslcd: [7b23c6] DEBUG: ldap_set_option(LDAP_OPT_RESTART,LDAP_OPT_ON)
nslcd: [7b23c6] DEBUG: ldap_simple_bind_s("uid=ubuntu,ou=Applications,ou=CITIUS,dc=inv,dc=usc,dc=es","*****") (uri="ldap://172.16.54.31/")
nslcd: [7b23c6] connected to LDAP server ldap://172.16.54.31/
nslcd: [7b23c6] DEBUG: ldap_initialize(ldap://172.16.54.31/)
nslcd: [7b23c6] DEBUG: ldap_set_rebind_proc()
nslcd: [7b23c6] DEBUG: ldap_set_option(LDAP_OPT_PROTOCOL_VERSION,3)
nslcd: [7b23c6] DEBUG: ldap_set_option(LDAP_OPT_DEREF,0)
nslcd: [7b23c6] DEBUG: ldap_set_option(LDAP_OPT_TIMELIMIT,10)
nslcd: [7b23c6] DEBUG: ldap_set_option(LDAP_OPT_TIMEOUT,10)
nslcd: [7b23c6] DEBUG: ldap_set_option(LDAP_OPT_NETWORK_TIMEOUT,10)
nslcd: [7b23c6] DEBUG: ldap_set_option(LDAP_OPT_REFERRALS,LDAP_OPT_ON)
nslcd: [7b23c6] DEBUG: ldap_set_option(LDAP_OPT_RESTART,LDAP_OPT_ON)
nslcd: [7b23c6] DEBUG: ldap_simple_bind_s("uid=jorge.suarez,ou=People,ou=CITIUS,dc=inv,dc=usc,dc=es","*****") (uri="ldap://172.16.54.31/")
nslcd: [7b23c6] connected to LDAP server ldap://172.16.54.31/
nslcd: [7b23c6] DEBUG: myldap_search(base="uid=jorge.suarez,ou=People,ou=CITIUS,dc=inv,dc=usc,dc=es", filter="(objectClass=posixAccount)")
nslcd: [7b23c6] DEBUG: ldap_unbind()
nslcd: [3c9869] DEBUG: connection from pid=15906 uid=0 gid=2000
nslcd: [3c9869] DEBUG: nslcd_pam_sess_o("jorge.suarez","uid=jorge.suarez,ou=People,ou=CITIUS,dc=inv,dc=usc,dc=es","su","/dev/pts/7","","jorge.suarez")

It seems to me that it won't even try to look for groups. What am I doing 
wrong? I can't see any information relevant to my problem in the docs. I'm 
probably not understanding how the map option works.

The LDAP server is a CentOS Directory Server. This is the output from 
ldapsearch on a group:

# proyecto-innovacion, Groups, CITIUS, inv.usc.es
dn: cn=proyecto-innovacion,ou=Groups,ou=CITIUS,dc=inv,dc=usc,dc=es
member: uid=diego,ou=People,ou=CITIUS,dc=inv,dc=usc,dc=es
member: uid=felix,ou=People,ou=CITIUS,dc=inv,dc=usc,dc=es
member: uid=jorge.suarez,ou=People,ou=CITIUS,dc=inv,dc=usc,dc=es
member: uid=maria,ou=People,ou=CITIUS,dc=inv,dc=usc,dc=es
objectClass: top
objectClass: groupOfNames
objectClass: posixgroup
objectClass: sambaGroupMapping
cn: proyecto-innovacion
gidNumber: 3001
displayName: proyecto-innovacion

Thank you,

Note: I've posted this to serverfault, but then I realized this mailing list 
existed. If you want, take a look there: 
http://serverfault.com/questions/422422/libpam-ldapd-not-looking-for-secondary-groups

--
Jorge Suárez de Lis
Unidade de Xestión de Infraestruturas TIC
Centro de Investigación en Tecnoloxías da Información
Teléfono: 8818 13568
Correo: citius.tic@usc.es
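An added example (not from the post or from nss-pam-ldapd) showing what the "map group uniqueMember member" line changes when nslcd resolves a user's secondary groups under rfc2307bis: the group below is taken from the ldapsearch output above, the second memberUid-style group is constructed, and the in-memory scan stands in for the LDAP filter nslcd actually sends.

```python
# Added example (not code from the post or from nss-pam-ldapd): models how nslcd
# picks a user's secondary groups and what "map group uniqueMember member" changes.
# Constructed LDIF: the group from the post plus one memberUid-style group.
NSLCD_CONF = "base group ou=Groups,ou=CITIUS,dc=inv,dc=usc,dc=es\nmap group uniqueMember member\n"
GROUP_LDIF = """\
dn: cn=proyecto-innovacion,ou=Groups,ou=CITIUS,dc=inv,dc=usc,dc=es
member: uid=diego,ou=People,ou=CITIUS,dc=inv,dc=usc,dc=es
member: uid=jorge.suarez,ou=People,ou=CITIUS,dc=inv,dc=usc,dc=es
objectClass: groupOfNames
objectClass: posixgroup
gidNumber: 3001

dn: cn=admins,ou=Groups,ou=CITIUS,dc=inv,dc=usc,dc=es
memberUid: diego
objectClass: posixGroup
gidNumber: 3002
"""

def parse_maps(conf):
    """'map <db> <attr> <ldap-attr>' lines -> {db: {attr: ldap-attr}} (lower-cased)."""
    maps = {}
    for parts in (line.split() for line in conf.splitlines()):
        if len(parts) == 4 and parts[0] == "map":
            maps.setdefault(parts[1], {})[parts[2].lower()] = parts[3].lower()
    return maps

def parse_ldif(text):
    """Minimal LDIF reader: one {attr(lower): [values]} dict per blank-line-separated entry."""
    entries = []
    for block in text.strip().split("\n\n"):
        entry = {}
        for line in block.splitlines():
            attr, _, val = line.partition(":")
            entry.setdefault(attr.strip().lower(), []).append(val.strip())
        entries.append(entry)
    return entries

def secondary_groups(entries, maps, uid, user_dn):
    """initgroups-style lookup: a posixGroup names the user by memberUid or by
    DN in uniqueMember, unless 'map group uniqueMember X' points nslcd at X."""
    dn_attr = maps.get("group", {}).get("uniquemember", "uniquemember")
    gids = []
    for e in entries:
        if "posixgroup" not in {c.lower() for c in e.get("objectclass", [])}:
            continue  # not a POSIX group, so nslcd's default group filter skips it
        dns = {d.lower() for d in e.get(dn_attr, [])}
        if uid in e.get("memberuid", []) or user_dn.lower() in dns:
            gids.append(int(e["gidnumber"][0]))
    return sorted(gids)
```

Without the map line the groupOfNames entry is never matched, because nslcd compares the user's DN against uniqueMember, which the entry does not carry. Note that the debug log above contains no group search at all; nslcd only searches for groups when the NSS group database is asked, so if `id jorge.suarez` run against `nslcd -d` still logs no myldap_search on the group base, the lookup is not reaching nslcd in the first place and no map setting will change that.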
