
Re: Fwd: map group uniqueMember sAMAccountName




Arthur!

now nsswitch.conf:
passwd:         files ldap
group:          files ldap
shadow:         files ldap
gshadow:        files

That's right.
I am trying to create a query that uses the username with group:
filter passwd (&(objectClass=user)(!(objectClass=computer))(uidNumber=*)(unixHome$
map    passwd uid              sAMAccountName
map    passwd homeDirectory    unixHomeDirectory
map    passwd gecos            displayName
map    passwd gidNumber gidNumber
filter shadow (&(objectClass=user)(!(objectClass=computer))(uidNumber=*)(unixHome$
map    shadow uid              sAMAccountName
map    shadow shadowLastChange pwdLastSet
filter group  (objectClass=user)
map     group   gidNumber       gidNumber
map     group   member          sAMAccountName

It is in a Samba AD. Still not working with group. How can I not need a Samba group and use one that is the same as the username? Like a usual Linux setup.

The debug shows nothing about the group:
nslcd: [e91b18] <passwd=10000> DEBUG: myldap_search(base="DC=ac,DC=patrikx3,DC=tk", filter="(&(&(objectClass=user)(!(objectClass=computer))(uidNumber=*)(unixHomeDirectory=*))(uidNumber=10000))")
nslcd: [e91b18] <passwd=10000> DEBUG: ldap_result(): CN=patrikx3,CN=Users,DC=ac,DC=patrikx3,DC=tk
nslcd: [e91b18] <passwd=10000> DEBUG: ldap_result(): end of results (1 total)
nslcd: [437fdb] DEBUG: connection from pid=2861 uid=0 gid=0
nslcd: [437fdb] <passwd="patrikx3"> DEBUG: myldap_search(base="DC=ac,DC=patrikx3,DC=tk", filter="(&(&(objectClass=user)(!(objectClass=computer))(uidNumber=*)(unixHomeDirectory=*))(sAMAccountName=patrikx3))")
nslcd: [437fdb] <passwd="patrikx3"> DEBUG: ldap_result(): CN=patrikx3,CN=Users,DC=ac,DC=patrikx3,DC=tk
nslcd: [437fdb] <passwd="patrikx3"> DEBUG: ldap_result(): end of results (1 total)
nslcd: [44a45c] DEBUG: connection from pid=2864 uid=10000 gid=10000
nslcd: [44a45c] <passwd=10000> DEBUG: myldap_search(base="DC=ac,DC=patrikx3,DC=tk", filter="(&(&(objectClass=user)(!(objectClass=computer))(uidNumber=*)(unixHomeDirectory=*))(uidNumber=10000))")
nslcd: [44a45c] <passwd=10000> DEBUG: ldap_result(): CN=patrikx3,CN=Users,DC=ac,DC=patrikx3,DC=tk
nslcd: [44a45c] <passwd=10000> DEBUG: ldap_result(): end of results (1 total)
nslcd: [fff902] DEBUG: connection from pid=2921 uid=0 gid=0
nslcd: [fff902] <group/member="root"> DEBUG: myldap_search(base="DC=ac,DC=patrikx3,DC=tk", filter="(&(&(objectClass=user)(!(objectClass=computer))(uidNumber=*)(unixHomeDirectory=*))(sAMAccountName=root))")
nslcd: [fff902] <group/member="root"> DEBUG: ldap_result(): end of results (0 total)
nslcd: [fff902] <group/member="root"> DEBUG: myldap_search(base="DC=ac,DC=patrikx3,DC=tk", filter="(&(objectClass=group)(memberUid=root))")
nslcd: [fff902] <group/member="root"> DEBUG: ldap_result(): end of results (0 total)





Patrik

GTalk: alabard [at] gmail.com
On Fri, Feb 10, 2017 at 10:14 AM, Arthur de Jong <arthur [at] arthurdejong.org> wrote:
On Fri, 2017-02-10 at 09:35 +0100, Patrik wrote:
> If you have time to help!
>
> nsswitch:
> passwd:         compat ldap
> group:          compat ldap
> shadow:         compat ldap
> gshadow:        files

I personally prefer files over compat unless you do things with
netgroups. They should be equivalent in most cases and shouldn't matter
for the problem you're seeing.

> Why is it still not showing up with my group name?
> drwxr-xr-x  4 root     root  4096 Feb  8 00:14 .
> drwxr-xr-x 22 root     root  4096 Feb  9 02:46 ..
> drwxr-xr-x  7 patrikx3 10000 4096 Feb  9 21:35 patrikx3
> drwxr-xr-x  5 root     root  4096 Feb  7 04:17 samba
>
> How can I make it be patrikx3 as the group name? Is it an error?

The patrikx3 group needs to exist in LDAP for it to show up. The
easiest way to perform a group lookup from the command line is
  getent group 10000

If you are tweaking your configuration, be sure to stop nscd because it
may cache some values. To get more useful debugging info you can run
nslcd with the -d option to see what it does exactly.

For group lookups the cn attribute should be mapped to the name of the
group, gidNumber to the numeric group id. You can use memberUid to map
to usernames that are in the group and member to user distinguished
names. For the lookup above you just need the cn and gidNumber
attributes working, the member(Uid) attributes are only needed for user
secondary groups.

Hope this helps,

--
-- arthur - arthur [at] arthurdejong.org - https://arthurdejong.org/ --
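
A small parser for the `nslcd -d` output quoted in this thread, added here as an illustration (it is not part of the thread or of nss-pam-ldapd). It lists every LDAP search with its request tag, filter and result count, so you can check whether a group lookup for a gid such as 10000 ever reached nslcd and which filter was actually in effect. The `<group=GID>` tag format is an assumption made by analogy with `<passwd=10000>` in the log; `summarize` and `diagnose` are illustrative names.

```python
import re

# Sample input: lines copied from the debug output quoted in the thread.
SAMPLE = '''\
nslcd: [e91b18] <passwd=10000> DEBUG: myldap_search(base="DC=ac,DC=patrikx3,DC=tk", filter="(&(&(objectClass=user)(!(objectClass=computer))(uidNumber=*)(unixHomeDirectory=*))(uidNumber=10000))")
nslcd: [e91b18] <passwd=10000> DEBUG: ldap_result(): CN=patrikx3,CN=Users,DC=ac,DC=patrikx3,DC=tk
nslcd: [e91b18] <passwd=10000> DEBUG: ldap_result(): end of results (1 total)
nslcd: [fff902] DEBUG: connection from pid=2921 uid=0 gid=0
nslcd: [fff902] <group/member="root"> DEBUG: myldap_search(base="DC=ac,DC=patrikx3,DC=tk", filter="(&(&(objectClass=user)(!(objectClass=computer))(uidNumber=*)(unixHomeDirectory=*))(sAMAccountName=root))")
nslcd: [fff902] <group/member="root"> DEBUG: ldap_result(): end of results (0 total)
nslcd: [fff902] <group/member="root"> DEBUG: myldap_search(base="DC=ac,DC=patrikx3,DC=tk", filter="(&(objectClass=group)(memberUid=root))")
nslcd: [fff902] <group/member="root"> DEBUG: ldap_result(): end of results (0 total)
'''

LINE = re.compile(r'^nslcd: \[(?P<sid>[0-9a-f]+)\] (?:<(?P<req>[^>]+)> )?DEBUG: (?P<msg>.*)$')
SEARCH = re.compile(r'myldap_search\(base="(?P<base>[^"]*)", filter="(?P<filter>.*)"\)$')
TOTAL = re.compile(r'end of results \((\d+) total\)')

def summarize(log_text):
    """Return one record per LDAP search: request tag, map, filter, result count."""
    searches, open_search = [], {}
    for line in log_text.splitlines():
        m = LINE.match(line.strip())
        if not m or not m["req"]:
            continue  # not nslcd debug output, or a line without a request tag
        s, t = SEARCH.search(m["msg"]), TOTAL.search(m["msg"])
        if s:
            rec = {"request": m["req"], "map": re.split(r"[=/]", m["req"])[0],
                   "filter": s["filter"], "total": None}
            searches.append(rec)
            open_search[m["sid"]] = rec  # the next "end of results" closes it
        elif t and m["sid"] in open_search:
            open_search.pop(m["sid"])["total"] = int(t.group(1))
    return searches

def diagnose(searches, gid):
    """Report whether a group-by-gid request was logged and which searches were empty."""
    # Assumption: nslcd tags such requests "<group=GID>", like "<passwd=10000>" above.
    seen = any(s["request"] == f"group={gid}" for s in searches)
    empty = [(s["request"], s["filter"]) for s in searches if s["total"] == 0]
    return {"group_by_gid_seen": seen, "empty_searches": empty}

if __name__ == "__main__":
    for rec in summarize(SAMPLE):
        print(rec["map"], rec["request"], rec["total"], rec["filter"])
    print(diagnose(summarize(SAMPLE), 10000))
```

On the sample, no `group=10000` request appears at all, and the one group search that was logged ran with an `(objectClass=group)` filter and returned nothing.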
