Re: group filter in nslcd.conf
- From: Nicolas Soriano <nicolas.soriano [at] univ-rennes1.fr>
- To: nss-pam-ldapd-users [at] lists.arthurdejong.org
- Subject: Re: group filter in nslcd.conf
- Date: Wed, 11 Dec 2013 11:08:43 +0100
Hi,

Thanks for your answer. Here is some info about the system and version:

RackStation-2> nslcd --version
nss-pam-ldapd 0.7.12
Written by Luke Howard and Arthur de Jong.
Copyright (C) 1997-2009 Luke Howard, Arthur de Jong and West Consulting
This is free software; see the source for copying conditions. There is NO
warranty; not even for MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.

RackStation-2> uname -a
Linux RackStation-2 3.2.40 #3810 SMP Wed Nov 6 05:11:04 CST 2013 x86_64 GNU/Linux synology_bromolow_rs10613xs+

nslcd -d doesn't help about groups. I've tried it in the first place. There is nothing in syslog either...

A typical result when asking for users somewhere (i.e. for file sharing) is:

nslcd: DEBUG: connection from pid=15861 uid=0 gid=0
nslcd: DEBUG: nslcd_passwd_byname(JohnDoe)
nslcd: DEBUG: myldap_search(base="ou=people,dc=univ-rennes1,dc=fr", filter="(&(departmentNumber=R436*)(uid=JohnDoe))")
nslcd: DEBUG: ldap_initialize(ldap://ldapglobal.univ-rennes1.fr)
nslcd: DEBUG: ldap_set_rebind_proc()
nslcd: DEBUG: ldap_set_option(LDAP_OPT_PROTOCOL_VERSION,3)
nslcd: DEBUG: ldap_set_option(LDAP_OPT_DEREF,0)
nslcd: DEBUG: ldap_set_option(LDAP_OPT_TIMELIMIT,0)
nslcd: DEBUG: ldap_set_option(LDAP_OPT_TIMEOUT,0)
nslcd: DEBUG: ldap_set_option(LDAP_OPT_NETWORK_TIMEOUT,0)
nslcd: DEBUG: ldap_set_option(LDAP_OPT_REFERRALS,LDAP_OPT_ON)
nslcd: DEBUG: ldap_set_option(LDAP_OPT_RESTART,LDAP_OPT_ON)
nslcd: DEBUG: ldap_simple_bind_s(NULL,"***") (uri="ldap://ldapglobal.univ-rennes1.fr")
nslcd: DEBUG: ldap_result(): end of results

When asking for groups, nothing happens.

There is no getent on this system but there is a synoldapclient:

RackStation-2> synoldapclient --fetch group
ldap_search_ext: Bad search filter (-7)
ldap_search_ext: Bad search filter (-7)

which talks in /var/log/messages:

Dec 11 10:25:57 RackStation-2 synoldapclient: group_db_ldap_build.c:101 ldap group build nothing

That's why I thought I used a bad syntax in nslcd.conf...

This command works:

ldapsearch -b ou=grouper,dc=univ-rennes1,dc=fr -s sub -LLL -x -H ldap://ldapglobal.univ-rennes1.fr "(&(objectClass=GroupOfNames)(cn=ur1:div:rec:lab:r436:*))"

But I don't see anywhere what the request sent by their nslcd is...

Another hint: when I use a simpler filter for groups in nslcd.conf:

(objectClass=GroupOfNames)

the system shows groups! But corresponding to a request with a wrong search base, i.e. the same result as an ldapsearch with -d dc=univ-rennes1,dc=fr (no "ou=" statement) and the simple filter.

So my guess is that:
1) their nslcd doesn't use "base group ou=..."
2) their nslcd doesn't understand a composite filter (&()())

So I tried what you suggested:

filter passwd (&(departmentNumber=R436*)(uid=*))

And tada! I don't have any LDAP users anymore... which comforts point 2.

The point is that their nslcd seems to use "base passwd ou=people,dc=univ-rennes1,dc=fr", for it appears in the DEBUG output... And worse: it understands (objectClass=GroupOfNames) but not the simple filter (cn=ur1:div:rec:lab:r436:*).

Any idea? (I've sent a message to their dev team, waiting for an answer...)

(And no, I don't have access to the LDAP server nor to its logs; I'm going to ask for it.)

Many thanks for your help,
Nicolas

On Tue, 10 Dec 2013 at 20:22, Arthur de Jong <arthur@arthurdejong.org> wrote:

> On Tue, 10 Dec 2013, Nicolas Soriano wrote:
>> These are the modifications I've added to nslcd.conf; the filters and search
>> bases are perfectly working with an "ldapsearch". With nslcd, only users
>> are working and I don't get any group.
>>
>> # The distinguished name of the search base.
>> base dc=univ-rennes1,dc=fr
>> # Customize certain database lookups.
>> base passwd ou=people,dc=univ-rennes1,dc=fr
>> filter passwd (departmentNumber=R436*)
>
> I would personally limit this a bit further, perhaps add uid=*.
>
>> base group ou=grouper,dc=univ-rennes1,dc=fr
>> filter group (&(objectClass=GroupOfNames)(cn=ur1:div:rec:lab:r436:*))
>> map group uniqueMember member
>
> The above looks reasonable. Do you know which version of nslcd is running?
> Also, if you can start nslcd with the -d option to get debugging information,
> that could provide useful information.
>
> Some classes of errors are also logged to normal syslog, so you could check
> there.
>
> If you have access to the LDAP server you could try to get debug logs there
> to see if there is any difference between nslcd and ldapsearch queries.
>
> --
> -- arthur - arthur@arthurdejong.org - http://arthurdejong.org/ ----
> To unsubscribe send an email to
> nss-pam-ldapd-users-unsubscribe@lists.arthurdejong.org or see
> http://lists.arthurdejong.org/nss-pam-ldapd-users/
Attachment:
smime.p7s
Description: S/MIME cryptographic signature
-- To unsubscribe send an email to nss-pam-ldapd-users-unsubscribe@lists.arthurdejong.org or see http://lists.arthurdejong.org/nss-pam-ldapd-users/
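The thread turns on whether the composite filter in nslcd.conf is syntactically valid or whether the vendor's nslcd build rejects it ("Bad search filter (-7)" is what an LDAP client library returns for a malformed filter). The following is an added example, written for this page and not code from nss-pam-ldapd or from the list participants: a small RFC 4515 filter parser plus a checker that walks the `filter <map> <filter>` lines of an nslcd.conf fragment and reports which filters are well-formed. The filter strings for passwd, group and shadow are the ones quoted in the thread; the rest of the sample configuration (the `base` line, the broken netgroup and hosts filters) is constructed to show the failure modes a practitioner checks first: a missing closing parenthesis and a non-ASCII character such as a guillemet pasted in from a mail client. The parser does not handle extensible-match (`:=`) items, which the thread does not use, and it cannot tell whether a given nslcd build honours `base group`; that part of the question needs the daemon's own debug output.

```python
"""Validator for the search filters used in nslcd.conf 'filter' lines.

Added example (not part of nss-pam-ldapd): a recursive-descent parser for
RFC 4515 search filters and a checker for nslcd.conf 'filter' lines.
Extensible-match items (attr:rule:=value) are not supported.
"""
import re

# RFC 4512 attribute description: keystring or numeric OID, with ';' options.
_ATTR_RE = re.compile(r"[A-Za-z0-9][A-Za-z0-9.;-]*")
_OPERATORS = ("~=", ">=", "<=", "=")


class FilterError(ValueError):
    """Raised for a filter an LDAP library would reject as malformed."""


def parse_filter(text):
    """Parse a filter string into nested tuples or raise FilterError.

    Set nodes are ('&'|'|'|'!', [children]); items are (attr, op, value).
    """
    try:
        text.encode("ascii")
    except UnicodeEncodeError as exc:  # e.g. a pasted guillemet or smart quote
        raise FilterError("non-ASCII character in filter: %r"
                          % exc.object[exc.start:exc.end])
    tree, pos = _parse_component(text, 0)
    if pos != len(text):
        raise FilterError("trailing data after filter at offset %d" % pos)
    return tree


def _parse_component(text, pos):
    """Parse one parenthesised component starting at text[pos]."""
    if pos >= len(text) or text[pos] != "(":
        raise FilterError("expected '(' at offset %d" % pos)
    pos += 1
    if pos >= len(text):
        raise FilterError("unterminated filter")
    op = text[pos]
    if op in "&|":
        pos += 1
        children = []
        while pos < len(text) and text[pos] == "(":
            child, pos = _parse_component(text, pos)
            children.append(child)
        if not children:
            raise FilterError("empty '%s' set at offset %d" % (op, pos))
        node = (op, children)
    elif op == "!":
        child, pos = _parse_component(text, pos + 1)
        node = ("!", [child])
    else:
        node, pos = _parse_item(text, pos)
    if pos >= len(text) or text[pos] != ")":
        raise FilterError("expected ')' at offset %d" % pos)
    return node, pos + 1


def _parse_item(text, pos):
    """Parse 'attr<op>value' up to the closing parenthesis."""
    m = _ATTR_RE.match(text, pos)
    if not m:
        raise FilterError("expected attribute name at offset %d" % pos)
    attr, pos = m.group(), m.end()
    for operator in _OPERATORS:
        if text.startswith(operator, pos):
            pos += len(operator)
            break
    else:
        raise FilterError("expected comparison operator at offset %d" % pos)
    # The value runs to the next ')' ; a literal '(' ')' or '\' must be
    # written as a \XX escape (decoded here as a single byte).
    value_chars = []
    while pos < len(text) and text[pos] != ")":
        ch = text[pos]
        if ch == "(":
            raise FilterError("unescaped '(' in value at offset %d" % pos)
        if ch == "\\":
            if not re.match(r"[0-9A-Fa-f]{2}", text[pos + 1:pos + 3]):
                raise FilterError("bad escape at offset %d" % pos)
            value_chars.append(chr(int(text[pos + 1:pos + 3], 16)))
            pos += 3
            continue
        value_chars.append(ch)
        pos += 1
    return (attr, operator, "".join(value_chars)), pos


def check_nslcd_filters(conf_text):
    """Return {map: None-or-error} for every 'filter <map> <filter>' line."""
    results = {}
    for line in conf_text.splitlines():
        parts = line.strip().split(None, 2)
        if len(parts) == 3 and parts[0] == "filter":
            try:
                parse_filter(parts[2])
                results[parts[1]] = None
            except FilterError as exc:
                results[parts[1]] = str(exc)
    return results


# Constructed nslcd.conf fragment: the passwd, group and shadow filters are
# the ones from the thread; netgroup and hosts are deliberately broken.
SAMPLE_CONF = """\
base dc=univ-rennes1,dc=fr
filter passwd (&(departmentNumber=R436*)(uid=*))
filter group (&(objectClass=GroupOfNames)(cn=ur1:div:rec:lab:r436:*))
filter shadow (departmentNumber=R436*)
filter netgroup (&(objectClass=nisNetgroup)
filter hosts (objectClass=ipHost)\u00ab
"""

if __name__ == "__main__":
    for name, error in sorted(check_nslcd_filters(SAMPLE_CONF).items()):
        print("%-9s %s" % (name, "ok" if error is None else error))
```

Running it reports passwd, group and shadow as well-formed, which rules out the filter syntax itself as the cause of the "-7" error in the thread, and flags the two constructed defects with their offsets. The same `check_nslcd_filters` call can be run over a real nslcd.conf before restarting the daemon.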