Re: [nssldap] RV: Unix id command and Openldap


It's unfortunate that you've been top-posting through this whole thread ... 
I'll have to try and remember some of the details which have now been dropped 
...


On Tuesday 23 December 2008 16:52:07 okossuth@antel.com.uy wrote:
> Hi guys
>
> getent passwd and getent group work fine, I get the list of users and
> groups of the ldap server. getent group only shows me ldap groups without
> users belonging to those groups like the group mysql defined only in the
> ldap server:
>
> mysql:*:4620:

OK, so it looks like it's only a problem in understanding the membership 
attributes on the group.

I think you said you are using SLES as clients? IIRC, by default, SUSE uses 
RFC2307bis groups, where the members are the DN-valued values of the 
uniqueMember attribute (by default).

If this is the case, and you are using RFC2307 groups (where the members are 
the uid-valued values of the memberUid attribute - by default) on the LDAP 
server, this is what I would expect to see.

> My only problem is getting the secondary groups via id or groups.
> Starting the ldap server with debugging I saw a possible cause:
>
> conn=50 op=0 BIND dn="" method=128
> conn=50 op=0 RESULT tag=97 err=0 text=
> conn=50 op=1 SRCH base="ou=Grupos,ou=Teleinformatica,dc=vmlx-ldapauth-test,dc=in.iantel.com.uy" scope=2 deref=0 filter="(&(objectClass=posixGroup))"
> conn=50 op=1 SRCH attr=cn userPassword memberUid uniqueMember gidNumber
> conn=50 op=1 ENTRY dn="cn=jbossgrp,ou=grupos,ou=teleinformatica,dc=vmlx-ldapauth-test,dc=in.iantel.com.uy"

Could you show us this group? E.g.:

ldapsearch -x -s base -b cn=jbossgrp,ou=grupos,ou=teleinformatica,dc=vmlx-ldapauth-test,dc=in.iantel.com.uy

(I note that dc stands for Domain Component, so your dc=in.iantel.com.uy is 
not really compliant with the intention of that attribute ...).

> it seems that when I do an id -a jbosstest (a user that is defined in the
> ldap server) it searches the ou=Grupos where the groups are defined but it
> only uses the filter ="(&(objectClass=posixGroup))"..
> is that the problem???


Regards,
Buchan
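As an added example (not code from this thread, nor from nss_ldap or nss-pam-ldapd), the following Python resolves a user's secondary groups from LDIF under each of the two schemas described above: RFC2307 (login names in memberUid) and RFC2307bis (DN-valued uniqueMember). The output of the ldapsearch command Buchan asks for can be pasted into it to see under which client schema the group would actually yield members. The sample LDIF is constructed, modelled on the DNs in the slapd log; the user DN under ou=People and the gidNumber of jbossgrp are assumptions, not values from the thread.

```python
"""Resolve secondary group membership under RFC 2307 vs RFC 2307bis.

Added illustration, not code from the thread or from any NSS LDAP module.
An NSS LDAP client searches with (objectClass=posixGroup), as the slapd log
in the thread shows, and then decides membership client-side by looking at
ONE attribute: memberUid (RFC 2307, matched against the login name) or
uniqueMember (RFC 2307bis, matched against the user's DN).  A server that
only populates memberUid looks empty to a client configured for 2307bis,
which is exactly the "id shows no secondary groups" symptom.
"""
import base64

# Constructed sample LDIF (not the poster's real directory contents).
# jbossgrp is an RFC 2307 style group, mysql an RFC 2307bis style group.
# The gidNumber of jbossgrp and the ou=People user DN are assumptions.
SAMPLE_LDIF = """\
# constructed sample, modelled on the DNs quoted in the slapd log
dn: cn=jbossgrp,ou=Grupos,ou=Teleinformatica,dc=vmlx-ldapauth-test,dc=in.iant
 el.com.uy
objectClass: posixGroup
cn: jbossgrp
gidNumber: 4621
memberUid: jbosstest

dn: cn=mysql,ou=Grupos,ou=Teleinformatica,dc=vmlx-ldapauth-test,dc=in.iantel.com.uy
objectClass: posixGroup
objectClass: groupOfUniqueNames
cn: mysql
gidNumber: 4620
uniqueMember: uid=jbosstest,ou=People,dc=vmlx-ldapauth-test,dc=in.iantel.com.uy
"""

USER_DN = "uid=jbosstest,ou=People,dc=vmlx-ldapauth-test,dc=in.iantel.com.uy"


def parse_ldif(text):
    """Parse ldapsearch-style LDIF into a list of {attr: [values]} dicts.

    Handles folded continuation lines (leading space), '#' comments and
    base64 values ('attr:: ...'); the dn is stored under the key 'dn'.
    """
    lines = []
    for raw in text.splitlines():
        if raw.startswith(" ") and lines:   # continuation of previous line
            lines[-1] += raw[1:]
        else:
            lines.append(raw)
    entries, cur = [], {}
    for line in lines + [""]:               # trailing "" flushes last entry
        if line.startswith("#"):
            continue
        if not line.strip():
            if cur:
                entries.append(cur)
                cur = {}
            continue
        name, _, value = line.partition(":")
        if value.startswith(":"):           # base64-encoded value
            value = base64.b64decode(value[1:].strip()).decode("utf-8")
        else:
            value = value.strip()
        cur.setdefault(name.strip(), []).append(value)
    return entries


def _norm_dn(dn):
    # DNs compare case-insensitively, ignoring whitespace around commas
    # (the log itself shows ou=Grupos and ou=grupos for the same entry).
    return ",".join(part.strip().lower() for part in dn.split(","))


def secondary_groups(uid, user_dn, groups, schema):
    """Return the cn of every posixGroup `uid` belongs to under `schema`.

    schema == "rfc2307":    match uid against memberUid values.
    schema == "rfc2307bis": match user_dn against uniqueMember values.
    """
    if schema not in ("rfc2307", "rfc2307bis"):
        raise ValueError("unknown schema %r" % schema)
    attr = "memberUid" if schema == "rfc2307" else "uniqueMember"
    found = []
    for g in groups:
        if "posixGroup" not in g.get("objectClass", []):
            continue                        # mirrors the search filter
        values = g.get(attr, [])
        if schema == "rfc2307":
            hit = uid in values
        else:
            hit = _norm_dn(user_dn) in {_norm_dn(v) for v in values}
        if hit:
            found.append(g["cn"][0])
    return found


def diagnose(uid, user_dn, ldif_text):
    """Membership as seen by a client configured for each schema."""
    groups = parse_ldif(ldif_text)
    return {s: secondary_groups(uid, user_dn, groups, s)
            for s in ("rfc2307", "rfc2307bis")}


if __name__ == "__main__":
    for schema, names in diagnose("jbosstest", USER_DN, SAMPLE_LDIF).items():
        print("%-11s -> %s" % (schema, names or "(no secondary groups)"))
```

Which attribute the resolver consults is the only thing that differs between the two schemas; in PADL nss_ldap it is selected with `nss_schema rfc2307bis` in ldap.conf (that option name is nss_ldap's, not something stated in the thread). Running the script shows jbossgrp only under rfc2307 and mysql only under rfc2307bis, which is what a mismatch between client and server schema looks like from `id`.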