Unable to generate gidNumber on the fly

["J. Davis" <jadavis84 [at] gmail.com>]

This is my configuration:

uri ldaps://dhe-ldap.dhe.duke.edu/

binddn CN=ldapbind,OU=ServiceAccounts,OU=EnterpriseAccounts,DC=dhe,DC=unc,DC=com

bindpw <redacted>

tls_cacertfile /etc/pki/tls/certs/ca-bundle.crt

nss_initgroups_ignoreusers root

pagesize 1000

referrals off

idle_timelimit 800

base  DC=dhe,DC=duke,DC=edu

base  group  OU=EnterpriseResources,DC=dhe,DC=unc,DC=com

base  passwd OU=EnterpriseAccounts,DC=dhe,DC=unc,DC=com

scope sub

filter passwd (objectClass=*)

filter group (objectClass=*)

map  passwd uid              sAMAccountName

map  passwd uidNumber        employeeNumber

map  passwd gidNumber        "10000"

map  passwd gecos            "${gecos:-$displayname;$telephonenumber;$mail}"

map  passwd homeDirectory    "${homeDirectory:-/rhome/$sAMAccountName}"

map  passwd loginShell       "/bin/bash"

map  shadow uid              sAMAccountName

map  shadow shadowLastChange pwdLastSet

map  group gidNumber    objectSid:S-1-5-21-2053149899-1891010372-398732274

map  group uniqueMember member

Which works for getent passwd userName but attempting to do a getent group DHTS-VMware-rights yields:

nslcd: [8b4567] DEBUG: ldap_simple_bind_s("CN=ldapbind,OU=ServiceAccounts,OU=EnterpriseAccounts,DC=dhe,DC=unc,DC=com","***") (uri="ldaps://dhe-ldap.dhe.unc.com/")

nslcd: [8b4567] group entry CN=DHTS-VMware-rights,OU=VMware,OU=DHTS_IS,OU=EnterpriseResources,DC=dhe,DC=unc,DC=com does not contain objectSid:S-1-5-21-2053149899-1891010372-398732274 value

nslcd: [8b4567] DEBUG: ldap_result(): end of results

Which doesn't seem possible because I've done an LDAP search as that user and can see the "objectSid" value (although in base64 format). Not sure why nss_ldap wouldn't be picking it up. If it matters this is nss-pam-ldapd-0.7.5-32.el6.x86_64 on CentOS 6

-- 
To unsubscribe send an email to
nss-pam-ldapd-users-unsubscribe@lists.arthurdejong.org or see
http://lists.arthurdejong.org/nss-pam-ldapd-users/