RE: [nssldap] RV: Unix id command and Openldap
- From: <okossuth [at] antel.com.uy>
- To: <bgmilne [at] mandriva.org>
- Cc: <nssldap [at] padl.com>
- Subject: RE: [nssldap] RV: Unix id command and Openldap
- Date: Tue, 30 Dec 2008 09:19:34 -0200
Hi guys
I solved my problem. Apparently it was a misconfiguration in the slapd.conf
file of my OpenLDAP server.
It had this line:
access to attrs=userPassword,userPKCS12,memberUid,member
by dn="cn=admin,dc=vmlx-ldapauth-test,dc=in.iantel.com.uy" write
by self write
by * auth
For some reason that line was somehow blocking the correct behaviour of the id
command...
After removing it and restarting the LDAP server everything worked as expected.
Any ideas why this line made my life miserable?? hehe
Regards,
Oskar Kossuth
UNIX Administrator
ANTEL Telecomunicaciones
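For reference, the slapd log further down shows nss_ldap binding anonymously (BIND dn=""), and an ACL whose only matching clause for memberUid is "by * auth" grants that connection bind-time checks only, so the search results come back without the membership attribute. Below is an ACL layout that keeps the password attributes locked down while letting such a client read group membership; this is an added example, not from this thread, with the admin and base DNs taken from the thread and the split into three clauses being the suggested change.

```conf
# Added example (not from the original thread): slapd.conf ACLs that keep
# secrets restricted but let an anonymous NSS client read group membership.
# DNs are the ones from the thread; the clause layout is the suggested change.

# 1. Secrets: admin may write, users may change their own, anonymous binds
#    get "auth" (usable for binding, never returned in search results),
#    everyone else gets nothing.
access to attrs=userPassword,userPKCS12
    by dn="cn=admin,dc=vmlx-ldapauth-test,dc=in.iantel.com.uy" write
    by self write
    by anonymous auth
    by * none

# 2. Group membership: nss_ldap on the client binds anonymously
#    (conn=50 op=0 BIND dn="" in the slapd log), so it needs "read" on
#    memberUid (RFC2307) or member/uniqueMember (RFC2307bis) to resolve
#    secondary groups for id(1). Putting these attributes under "by * auth"
#    is what hid the members.
access to attrs=memberUid,member,uniqueMember
    by dn="cn=admin,dc=vmlx-ldapauth-test,dc=in.iantel.com.uy" write
    by * read

# 3. Everything else stays readable. slapd applies the first matching
#    "access to" clause, so this catch-all must come last.
access to *
    by dn="cn=admin,dc=vmlx-ldapauth-test,dc=in.iantel.com.uy" write
    by * read
```

After restarting slapd, an anonymous "ldapsearch -x -b <group DN> memberUid" should now return the members, while the same search for userPassword returns nothing.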
-----Original Message-----
From: Buchan Milne [bgmilne [at] mandriva.org]
Sent: Tuesday, December 30, 2008 7:29 AM
To: Kossuth Espinosa, Oskar
CC: nssldap@padl.com
Subject: Re: [nssldap] RV: Unix id command and Openldap
It's unfortunate that you've been top-posting through this whole thread ...
I'll have to try and remember some of the details which have now been dropped
...
On Tuesday 23 December 2008 16:52:07 okossuth@antel.com.uy wrote:
> Hi guys
>
> getent passwd and getent group work fine, I get the list of users and
> groups of the ldap server. getent group only shows me ldap groups without
> users belonging to those groups like the group mysql defined only in the
> ldap server:
>
> mysql:*:4620:
OK, so it looks like it's only a problem in understanding the membership
attributes on the group.
I think you said you are using SLES as clients? IIRC, by default, SUSE uses
RFC2307bis groups, where the members are the DN-valued values of the
uniqueMember attribute (by default).
If this is the case, and you are using RFC2307 groups (where the members are
the uid-valued values of the memberUid attribute - by default) on the LDAP
server, this is what I would expect to see.
> My only problem is getting the secondary groups via id or groups.
> Starting the ldap server with debugging I saw a possible cause:
>
> conn=50 op=0 BIND dn="" method=128
> conn=50 op=0 RESULT tag=97 err=0 text=
> conn=50 op=1 SRCH base="ou=Grupos,ou=Teleinformatica,dc=vmlx-ldapauth-test,dc=in.iantel.com.uy" scope=2 deref=0 filter="(&(objectClass=posixGroup))"
> conn=50 op=1 SRCH attr=cn userPassword memberUid uniqueMember gidNumber
> conn=50 op=1 ENTRY dn="cn=jbossgrp,ou=grupos,ou=teleinformatica,dc=vmlx-ldapauth-test,dc=in.iantel.com.uy"
Could you show us this group? E.g.:
ldapsearch -x -s base -b cn=jbossgrp,ou=grupos,ou=teleinformatica,dc=vmlx-ldapauth-test,dc=in.iantel.com.uy
(I note that dc stands for Domain Component, so your dc=in.iantel.com.uy is
not really compliant with the intention of that attribute ...).
> It seems that when I do an id -a jbosstest (a user that is defined in the
> ldap server) it searches the ou=Grupos where the groups are defined but it
> only uses the filter ="(&(objectClass=posixGroup))"..
> Is that the problem???
Regards,
Buchan