
Re: Group membership filters with multiple uids

On Mon, 2016-04-04 at 16:54 -0500, Dustin Wenz wrote:
> Any ideas about what may have been different about nss_ldap that
> would have permitted it work in the past?

There are some differences in the way pam_ldap has been set up so there
could be something there. One thing I know is that nss_ldap is a lot
more lenient in what it accepts (e.g. not case sensitive) but nothing
comes to mind that could explain this difference easily (nslcd is
heavily based on nss_ldap so started out bug-for-bug compatible).

> Alternatively, in addition to assigned numeric IDs for each ldap
> account, we also assign a GeneratedUID value (which is a UUID) to
> each user. So, instead of searching group membership by the member
> name (uid), I can also search group membership by GUIDs (we call the
> field 'GroupMembers'). Is there any way to use these keys to relate
> users to groups  instead of searching by uid?

I don't think it's easy to have an arbitrary user attribute be used in
the group mapping.

If you do the group mapping via the member attribute (or uniqueMember
for the older schema name) you can put an LDAP DN in there to map the
membership. On the plus side, this should allow these kind of lookups.
On the minus side, this requires more LDAP searches for typical
operation because the DN to username translation takes an extra lookup
(nslcd performs some caching there though but will also use a short-cut
if the DN contains the uid attribute value).

-- 
-- arthur - arthur@arthurdejong.org - http://arthurdejong.org/ --

-- 
To unsubscribe send an email to
nss-pam-ldapd-users-unsubscribe@lists.arthurdejong.org or see
http://lists.arthurdejong.org/nss-pam-ldapd-users/
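The following is an added illustration, not part of the original message and not nslcd's own code: a small Python model of the DN-based group membership trade-off described above. A member DN whose first RDN is uid=<name> is mapped to a user name directly (the short-cut), any other DN needs an extra search of that entry for its uid attribute, and a cache keeps that extra search from being repeated for the same DN. The in-memory directory, the DNs and the user names are constructed for the example; the naive RDN parsing does not handle escaped commas.

```python
"""Model of DN-to-username translation for DN-valued group members.

Added example, not nslcd code. Assumptions: the first RDN of a user DN
is either uid=<name> (short-cut, no search) or something else (one
extra search per distinct DN, cached). DIRECTORY stands in for an LDAP
server; a real resolver would issue a base-scope search instead.
"""
from typing import Dict, List, Optional, Tuple

# Constructed sample directory: DN -> attributes (exact-match keys).
DIRECTORY: Dict[str, Dict[str, List[str]]] = {
    "uid=alice,ou=people,dc=example,dc=org": {"uid": ["alice"], "uidNumber": ["1001"]},
    "cn=Bob Builder,ou=people,dc=example,dc=org": {"uid": ["bob"], "uidNumber": ["1002"]},
    "cn=Carol,ou=people,dc=example,dc=org": {"cn": ["Carol"]},  # no uid: not a POSIX user
    "cn=admins,ou=groups,dc=example,dc=org": {
        "cn": ["admins"], "gidNumber": ["2000"],
        "member": [
            "uid=alice,ou=people,dc=example,dc=org",
            "cn=Bob Builder,ou=people,dc=example,dc=org",
            "cn=Carol,ou=people,dc=example,dc=org",
        ],
    },
    "cn=devs,ou=groups,dc=example,dc=org": {
        "cn": ["devs"], "gidNumber": ["2001"],
        "member": [
            "cn=Bob Builder,ou=people,dc=example,dc=org",
            "cn=Carol,ou=people,dc=example,dc=org",
        ],
    },
}


def first_rdn(dn: str) -> Tuple[str, str]:
    """Split 'attr=value' off the front of a DN (naive: no escaped commas)."""
    rdn = dn.split(",", 1)[0]
    attr, _, value = rdn.partition("=")
    return attr.strip().lower(), value.strip()


class DnResolver:
    """Turns member DNs into user names, counting the extra searches made."""

    def __init__(self, directory: Dict[str, Dict[str, List[str]]]) -> None:
        self.directory = directory
        self.cache: Dict[str, Optional[str]] = {}
        self.lookups = 0  # number of simulated per-DN searches issued

    def _search_uid(self, dn: str) -> Optional[str]:
        """Simulated base-scope search of the entry for its uid attribute."""
        self.lookups += 1
        entry = self.directory.get(dn)
        if entry is None:
            return None
        uids = entry.get("uid", [])
        return uids[0] if uids else None

    def resolve(self, dn: str) -> Optional[str]:
        """Map one member DN to a user name, or None if it is not a user."""
        attr, value = first_rdn(dn)
        if attr == "uid":
            return value  # short-cut: the RDN already carries the uid value
        key = dn.lower()  # DNs compare case-insensitively
        if key not in self.cache:
            self.cache[key] = self._search_uid(dn)  # the extra lookup
        return self.cache[key]

    def group_members(self, group_dn: str) -> List[str]:
        """Member user names of a group whose member attribute holds DNs."""
        names: List[str] = []
        for dn in self.directory[group_dn].get("member", []):
            name = self.resolve(dn)
            if name is not None:  # entries without a uid are skipped
                names.append(name)
        return names


if __name__ == "__main__":
    r = DnResolver(DIRECTORY)
    print(r.group_members("cn=admins,ou=groups,dc=example,dc=org"), r.lookups)
    print(r.group_members("cn=devs,ou=groups,dc=example,dc=org"), r.lookups)
```

Resolving the admins group costs two extra searches (Bob's DN and Carol's DN; Alice's uid= DN takes the short-cut), and resolving the devs group afterwards costs none because both DNs are already cached. This is the cost the message points at: every distinct member DN that does not start with the uid attribute adds a search, which is why uid-based RDNs keep DN-valued membership cheap.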