Re: group filter in nslcd.conf

Me again,

I’ve read in the Synology documentation that:
RackStation requires a fixed integer to serve as an LDAP account identifier (uidNumber) or a group identifier (gidNumber)

And our university LDAP doesn’t provide gidNumbers. Can this be the problem?

Group attributes provided (issued from Grouper)

dn: cn=ur1:div:rec:lab:r436:groupname,ou=Grouper,dc=univ-rennes1,dc=fr
member: uid=soriano,ou=people,dc=univ-rennes1,dc=fr
description: some description
objectClass: groupOfNames
objectClass: top
cn: ur1:div:rec:lab:r436:groupname

In a user leaf, LDAP shows
memberOf: ur1:div:rec:lab:r436:groupname
(there can be several memberof, and no primary)

The Synology documentation suggests using HASH() to get an integer and mapping it to gidNumber. What could I hash in this case?

I tried:
map group gidNumber HASH(cn)
map passwd gidNumber HASH(memberOf)

which doesn’t work…

Any idea?


On Tue, 10 Dec 2013 at 20:22, Arthur de Jong <arthur [at]> wrote:

On Tue, 10 Dec 2013, Nicolas Soriano wrote:
These are the modifications I’ve added to nslcd.conf; the filters and search bases work perfectly with an "ldapsearch". With nslcd, only users are working and I don’t get any groups.

# The distinguished name of the search base.
base dc=univ-rennes1,dc=fr
# Customize certain database lookups.
base    passwd  ou=people,dc=univ-rennes1,dc=fr
filter  passwd  (departmentNumber=R436*)

I would personally limit this a bit further, perhaps add uid=*.

base    group   ou=grouper,dc=univ-rennes1,dc=fr
filter  group   (&(objectClass=GroupOfNames)(cn=ur1:div:rec:lab:r436:*))
map group uniqueMember member

The above looks reasonable. Do you know which version of nslcd is running? Also, if you can start nslcd with the -d option to get debugging information, that could provide useful information.

Some classes of errors are also logged to normal syslog, so you could check there.

If you have access to the LDAP server you could try to get debug logs there to see if there is any difference between nslcd and ldapsearch queries.

-- arthur - arthur [at] - ---- 