lists.arthurdejong.org

Re: Nested groups missing/groups without members




On Wed, 2013-07-24 at 16:40 +0200, Martijn van Brummelen wrote:
> I'm testing libpam-ldapd (0.9.0-2) from Debian experimental on a Wheezy
> machine.
> 
> I am comparing results of one machine (s005) running Squeeze
> libpam-ldap working as expected, with one machine (s006) running Wheezy
> libpam-ldapd not working as expected.

The libnss-ldap/libnss-ldapd/nslcd versions used are more relevant for
the getent output and group member lookups. Is s005 using libnss-ldapd
0.7.15+squeeze4 or libnss-ldap 264-2.2? Is s006 using libnss-ldapd and
nslcd 0.9.0-2?

> Resolving groups does not work as expected.
> A getent group | wc -l
> s005 shows 8185 groups
> s006 shows 7300 groups
> All groups appear without any members on s006.

Which group membership attribute are you using in LDAP? nslcd 0.9
expects the member attribute to contain DN values that point to users or
other groups. Also nested groups are only processed if the
nss_nested_groups option is set (and might be slightly different from
nss_ldap). The memberUid attribute can contain bare usernames.

> If needed I can provide debugging information and config files.

More information on your LDAP schema could be helpful and also which
characteristics the missing groups have. If you made any customisations
to either nslcd.conf or libnss-ldap.conf that would also be helpful.

Thanks,

-- 
-- arthur - arthur@arthurdejong.org - http://arthurdejong.org --
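
An added illustration (not part of the original message and not nslcd code): a simplified Python model of the membership handling described in the reply above, where member holds DNs of users or other groups, memberUid holds bare usernames, and nested groups are expanded only when a flag standing in for nss_nested_groups is set. The directory contents, the helper names and the way unresolvable member values are reported are assumptions made for the example.

```python
# Added example: a simplified model of the described behaviour, not nslcd source.
BASE = "dc=example,dc=org"  # constructed sample directory, not from the thread


def user(name):
    return f"uid={name},ou=people,{BASE}"


def group(name):
    return f"cn={name},ou=groups,{BASE}"


# Constructed entries: DN -> attributes. Entries with "uid" are users (assumption).
DIRECTORY = {
    user("alice"): {"uid": ["alice"]},
    user("bob"): {"uid": ["bob"]},
    group("admins"): {"member": [user("alice")]},
    group("staff"): {"member": [user("bob"), group("admins")], "memberUid": ["carol"]},
    group("legacy"): {"member": ["dave"]},  # bare name stored in member, not a DN
    group("loop"): {"member": [group("loop"), user("bob")]},  # self-reference
}


def resolve_members(group_dn, nested=False, _seen=None):
    """Return (usernames, unresolved member values) for one group entry."""
    seen = _seen if _seen is not None else set()
    seen.add(group_dn)
    entry = DIRECTORY[group_dn]
    names = set(entry.get("memberUid", []))  # bare usernames, used as-is
    unresolved = set()
    for value in entry.get("member", []):
        target = DIRECTORY.get(value)
        if target is None:
            unresolved.add(value)  # does not point to a known entry
        elif "uid" in target:
            names.update(target["uid"])  # DN pointing to a user
        elif nested and value not in seen:  # DN pointing to another group
            sub_names, sub_unresolved = resolve_members(value, True, seen)
            names |= sub_names
            unresolved |= sub_unresolved
    return names, unresolved


if __name__ == "__main__":
    for name in ("admins", "staff", "legacy", "loop"):
        for nested in (False, True):
            label = "nested" if nested else "flat"
            print(name, label, *resolve_members(group(name), nested))
```

In this model the `legacy` group comes back with no members and one unresolved value, which is the kind of entry worth looking for when comparing the LDAP data against the getent output.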