nss-pam-ldapd-users@lists.arthurdejong.org

[Date Prev][Date Next] [Thread Prev][Thread Next]

From: nerbrume [at] free.fr
To: nss-pam-ldapd-users [at] lists.arthurdejong.org
Subject: nss-pam-ldapd-users [at] lists.arthurdejong.org
Date: Wed, 06 Jan 2021 21:30:53 +0100

Hello,

(I think my previous e-mail did not went through. I'm trying my luckagain, with even more informations)


I'm using nslcd 0.9.10-2 on Debian stable (Buster/10).

I'm trying to setup alias + deref, so that a user could have severallogins.

E.g, I currently have one user (illustrative purpose, the actual oneshave more fields):


# dn: uid=bruce.wayne,ou=People,dc=arkh,dc=am
# objectClass: posixAccount
# uid: bruce.wayne
# uidNumber: 1001

and an alias :

# dn: uid=batman,ou=People,dc=arkh,dc=am
# aliasedObjectName: uid=bruce.wayne,ou=People,dc=arkh,dc=am
# objectClass: alias
# uid: bruce.wayne

and I want it to be possible to do something like :

batman@local:~$ ssh batman@arkh.am
=> bruce.wayne@arkh.am:~$

(so typing "batman" is, to any effect, the same as typing "bruce.wayne")


1) Is that even possible ?


2) So far, I have :

- enabled the deref overly in OpenLDAP, which seems to be working:

ldapsearch -b "uid=batman,ou=People,dc=arkh,dc=am" -a find


returns uid=bruce.wayne as expected

- added "deref=finding" in nslcdf.conf (fwiw, also tried withderef=always)

- added "filter passwd (|(objectClass=posixAccount)(objectClass=alias))"in nslcdf.conf


But it does not work as I expect it to :

getent.ldap passwd batman


returns nothing
(ofc, getent passwd bruce.wayne works as expected)

the debug output (excerpt) is :

nslcd: [8b4567] DEBUG: connection from pid=13653 uid=0 gid=0

nslcd: [8b4567] <passwd="batman"> DEBUG:myldap_search(base="dc=arkh,dc=am",filter="(&(|(objectClass=posixAccount)(objectClass=alias))(uid=batman))")

nslcd: [8b4567] <passwd="batman"> DEBUG: ldap_initiaamze(ldapi:///)
nslcd: [8b4567] <passwd="batman"> DEBUG: ldap_set_rebind_proc()

nslcd: [8b4567] <passwd="batman"> DEBUG:ldap_set_option(LDAP_OPT_PROTOCOL_VERSION,3)nslcd: [8b4567] <passwd="batman"> DEBUG:ldap_set_option(LDAP_OPT_DEREF,2)nslcd: [8b4567] <passwd="batman"> DEBUG:ldap_set_option(LDAP_OPT_TIMELIMIT,0)nslcd: [8b4567] <passwd="batman"> DEBUG:ldap_set_option(LDAP_OPT_TIMEOUT,0)nslcd: [8b4567] <passwd="batman"> DEBUG:ldap_set_option(LDAP_OPT_NETWORK_TIMEOUT,0)nslcd: [8b4567] <passwd="batman"> DEBUG:ldap_set_option(LDAP_OPT_REFERRALS,LDAP_OPT_ON)nslcd: [8b4567] <passwd="batman"> DEBUG:ldap_set_option(LDAP_OPT_RESTART,LDAP_OPT_ON)nslcd: [8b4567] <passwd="batman"> DEBUG:ldap_simple_bind_s("cn=reader,dc=arkh,dc=am","***") (uri="ldapi:///")nslcd: [8b4567] <passwd="batman"> DEBUG: ldap_result():uid=batman,ou=People,dc=arkh,dc=amnslcd: [8b4567] <passwd="batman"> uid=batman,ou=People,dc=arkh,dc=am:uidNumber: missingnslcd: [8b4567] <passwd="batman"> DEBUG: ldap_result(): end of results(1 total)

So, the find seems ok (we find batman), but not the deref (we try to getbatman's uidNumber, instead of bruce.wayne's), although we do have(LDAP_OPT_DEREF,2)


Am I missing something here ?

My knowledge of LDAP is quite limited, so I may be doing somethingentirely wrong...


Any help is appreciated !

N

nss-pam-ldapd-users@lists.arthurdejong.org, nerbrume

Next by Date: Re: How to fetch all the groups for a user from Active Directory
Next by thread: Re: How to fetch all the groups for a user from Active Directory