Re: group filter in nslcd.conf

[Date Prev][Date Next] [Thread Prev][Thread Next]

From: Nicolas Soriano <nicolas.soriano [at] univ-rennes1.fr>
To: nss-pam-ldapd-users [at] lists.arthurdejong.org
Subject: Re: group filter in nslcd.conf
Date: Wed, 11 Dec 2013 13:04:46 +0100

Me again,

I’ve read in Synology documentation that :
RackStation requires a fixed integer to serve as an LDAP account identifier (uidNumber) or a group identifier (gidNumber).

And our university LDAP doesn’t provide gidNumber’s. Can this be the problem ?

Group attributes provided (issued from Grouper)

dn: cn=ur1:div:rec:lab:r436:groupname,ou=Grouper,dc=univ-rennes1,dc=fr
member: uid=soriano,ou=people,dc=univ-rennes1,dc=fr
description: some description
objectClass: groupOfNames
objectClass: top
cn: ur1:div:rec:lab:r436:groupname

In a user leaf, LDAP shows

memberOf: ur1:div:rec:lab:r436:groupname

(there can be several memberof, and no primary)

Synology documentation suggests to use HASH() to get an integer and to map it to gidNumber. What could I hash in this case ?

I tried :

map group gidNumber HASH(cn)

map passwd gidNumber HASH(memberOf)

which doesn’t work…

Any idea ?

Nicolas

Le 10 déc. 2013 à mar. 10 déc. | 20:22, Arthur de Jong <arthur [at] arthurdejong.org> a écrit :

On Tue, 10 Dec 2013, Nicolas Soriano wrote:
This are the modifications I’ve added to nslcd.conf, the filters and search bases are perfectly working with a « ldapsearch ». With nslcd, only users are working and i don’t get any group.

# The distinguished name of the search base.
base dc=univ-rennes1,dc=fr
# Customize certain database lookups.
base passwd ou=people,dc=univ-rennes1,dc=fr
filter passwd (departmentNumber=R436*)

I would personally limit this a bit further, perhaps add uid=*.

base group ou=grouper,dc=univ-rennes1,dc=fr
filter group (&(objectClass=GroupOfNames)(cn=ur1:div:rec:lab:r436:*))
map group uniqueMember member

The above looks reasonable. Do you know which version of nslcd is running? Also, if you can start nslcd with the -d option to get debugging information, that could provide useful information.

Some classes of errors are also logged to normal syslog, so you could check there.

If you have access to the LDAP server you could try to get debug logs there to see if there is any difference between nslcd and ldapsearch queries.

--
-- arthur - arthur [at] arthurdejong.org - http://arthurdejong.org/ ----
To unsubscribe send an email to
nss-pam-ldapd-users-unsubscribe [at] lists.arthurdejong.org or see
http://lists.arthurdejong.org/nss-pam-ldapd-users/

Attachment: smime.p7s
Description: S/MIME cryptographic signature

-- 
To unsubscribe send an email to
nss-pam-ldapd-users-unsubscribe@lists.arthurdejong.org or see
http://lists.arthurdejong.org/nss-pam-ldapd-users/

group filter in nslcd.conf, Nicolas Soriano
- Re: group filter in nslcd.conf, Arthur de Jong
  - Re: group filter in nslcd.conf, Nicolas Soriano
  - Re: group filter in nslcd.conf, Nicolas Soriano

Prev by Date: Re: group filter in nslcd.conf
Next by Date: Re: group filter in nslcd.conf
Previous by thread: Re: group filter in nslcd.conf
Next by thread: Re: group filter in nslcd.conf