RE: [nssldap] RV: Unix id command and Openldap

Hi guys

I solved my problem. Apparently it was a misconfiguration in the slapd.conf 
file of my OpenLDAP server.
It had this line:

access to attrs=userPassword,userPKCS12,memberUid,member
        by dn="cn=admin,dc=vmlx-ldapauth-test,dc=in.iantel.com.uy" write
        by self write
        by * auth

For some reason that line was somehow blocking the correct behaviour of the id 
command...
After removing it and restarting the LDAP server everything worked as expected.

Any ideas why this line made my life miserable?? hehe

Regards,

Oskar Kossuth
UNIX Administrator
ANTEL Telecomunicaciones

-----Original Message-----
From: Buchan Milne [bgmilne [at] mandriva.org]
Sent: Tuesday, December 30, 2008 7:29 AM
To: Kossuth Espinosa, Oskar
CC: nssldap@padl.com
Subject: Re: [nssldap] RV: Unix id command and Openldap

It's unfortunate that you've been top-posting through this whole thread ... 
I'll have to try and remember some of the details which have now been dropped ...


On Tuesday 23 December 2008 16:52:07 okossuth@antel.com.uy wrote:
> Hi guys
>
> getent passwd and getent group work fine, I get the list of users and
> groups of the ldap server. getent group only shows me ldap groups without
> users belonging to those groups, like the group mysql defined only in the
> ldap server:
>
> mysql:*:4620:

OK, so it looks like it's only a problem in understanding the membership 
attributes on the group.

I think you said you are using SLES as clients? IIRC, by default, SUSE uses 
RFC2307bis groups, where the members are the DN-valued values of the 
uniqueMember attribute (by default).

If this is the case, and you are using RFC2307 groups (where the members are 
the uid-valued values of the memberUid attribute - by default) on the LDAP 
server, this is what I would expect to see.

> My only problem is getting the secondary groups via id or groups.
> Starting the ldap server with debugging I saw a possible cause:
>
> conn=50 op=0 BIND dn="" method=128
> conn=50 op=0 RESULT tag=97 err=0 text=
> conn=50 op=1 SRCH base="ou=Grupos,ou=Teleinformatica,dc=vmlx-ldapauth-test,dc=in.iantel.com.uy" scope=2 deref=0 filter="(&(objectClass=posixGroup))"
> conn=50 op=1 SRCH attr=cn userPassword memberUid uniqueMember gidNumber
> conn=50 op=1 ENTRY dn="cn=jbossgrp,ou=grupos,ou=teleinformatica,dc=vmlx-ldapauth-test,dc=in.iantel.com.uy"

Could you show us this group? E.g.:

ldapsearch -x -s base -b cn=jbossgrp,ou=grupos,ou=teleinformatica,dc=vmlx-ldapauth-test,dc=in.iantel.com.uy

(I note that dc stands for Domain Component, so your dc=in.iantel.com.uy is 
not really compliant with the intention of that attribute ...).

> It seems that when I do an id -a jbosstest (a user that is defined in the
> ldap server) it searches the ou=Grupos where the groups are defined but it
> only uses the filter "(&(objectClass=posixGroup))"..
> Is that the problem???


Regards,
Buchan
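A slapd.conf fragment (an added example, not from the thread) that keeps the password attributes protected while letting the anonymous nss_ldap lookups read the membership attributes: the original `by * auth` grants anonymous clients only the auth privilege, not read, so slapd silently stripped memberUid from the group entries that id fetched, and deleting the whole directive instead leaves userPassword readable under slapd's default policy. It assumes the admin DN and suffix quoted at the top of the thread.

```conf
# Before (the directive quoted in the thread): one clause covers both the
# credential attributes and the membership attributes. nss_ldap binds as the
# anonymous DN (see BIND dn="" method=128 in the debug output), which matches
# only "by * auth", and auth does not include read, so the group entries come
# back without memberUid/member and secondary groups are never resolved.
#
# access to attrs=userPassword,userPKCS12,memberUid,member
#         by dn="cn=admin,dc=vmlx-ldapauth-test,dc=in.iantel.com.uy" write
#         by self write
#         by * auth

# After: split the clause. Credentials remain bind/compare-only for everyone
# except the owner and the admin, exactly as before.
access to attrs=userPassword,userPKCS12
        by dn="cn=admin,dc=vmlx-ldapauth-test,dc=in.iantel.com.uy" write
        by self write
        by * auth

# Group membership must be readable by the anonymous nss_ldap bind, but only
# the admin may change it. "by self" is not needed here: it refers to the
# entry's own DN, and a posixGroup entry is never the DN a user binds with.
access to attrs=memberUid,member
        by dn="cn=admin,dc=vmlx-ldapauth-test,dc=in.iantel.com.uy" write
        by * read

# Explicit catch-all so the default policy is never relied on. Clauses are
# evaluated in order and the first matching "access to" wins, so this one
# must stay below the attribute-specific clauses above.
access to *
        by dn="cn=admin,dc=vmlx-ldapauth-test,dc=in.iantel.com.uy" write
        by * read
```

After the change, an anonymous ldapsearch for the group (the command Buchan asked for, without a bind DN) should return the memberUid values, while the same search for userPassword still returns nothing.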
