[nssldap] dynlist (dynamic group) and group membership (libnss-ldap, posixGroup, samba)

Hi,

        A few weeks ago I posted this message to
openldap-technical to check if I was doing something wrong
on the OpenLDAP side; apparently, I'm not.  Today I tried
a few items without success.  Hopefully this list can help
out. :-)


        I'm afraid I'm missing something very simple here
and initially I thought it was a misconfiguration with the
OpenLDAP dynlist overlay.

        I'm using Debian 5.0 (Lenny) and OpenLDAP 2.4.11
(Debian packaged version). I'm also using rfc2307bis and
I would like to have a dynamic group with all non-disabled
Samba users. Not sure if it is recommended to send the full
slapd.conf, so I'm just sending the parts I added in order
to have the dynlist/"dynamic group".

/etc/ldap/slapd.conf:
include /etc/ldap/schema/dyngroup.schema
...
overlay dynlist
dynlist-attrset posixGroup labeledURI member


$ ldapsearch -x cn=active-samba-users
dn: cn=active-samba-users,ou=Groups,dc=ahpi,dc=org
objectClass: top
objectClass: groupOfNames
objectClass: posixGroup
objectClass: sambaGroupMapping
objectClass: labeledURIObject
cn: active-samba-users
gidNumber: 999
sambaSID: S-1-5-21-1234567899-1234567899-123456789-2999
sambaGroupType: 2
displayName: active samba users
labeledURI: ldap:///ou=People,dc=ahpi,dc=org?uid?sub?(&(objectClass=posixAccount)(objectClass=sambaSAMAccount)(!(sambaAcctFlags=*D*)))


        When I run the search above I do get the expected
results, several 'member' fields are added to the response:

member: uid=userA,ou=People,dc=ahpi,dc=org
member: uid=userB,ou=People,dc=ahpi,dc=org


        The problem is that I would expect an 'id userA'
to include group 'active-samba-users', but it doesn't. But
'getent group active-samba-users' includes all the users:

active-samba-users:*:999:userA,userB


        I also tried with different labeledURI like:

labeledURI: ldap:///ou=People,dc=ahpi,dc=org??sub?(&(objectClass=posixAccount)(objectClass=sambaSAMAccount)(!(sambaAcctFlags=*D*)))
labeledURI: ldap:///ou=People,dc=ahpi,dc=org?member?sub?(&(objectClass=posixAccount)(objectClass=sambaSAMAccount)(!(sambaAcctFlags=*D*)))


        Am I doing something wrong or missing something
obvious? Below are the complete versions of libnss-ldap.conf
and pam_ldap.conf:

/etc/libnss-ldap.conf:
ldap_version    3
base            dc=ahpi,dc=org
host            127.0.0.1
uri             ldap://localhost
rootbinddn      cn=manager,dc=ahpi,dc=org
scope           sub
pam_password    ssha
nss_schema      rfc2307bis
nss_map_attribute uniqueMember member

/etc/pam_ldap.conf
ldap_version    3
base            dc=ahpi,dc=org
uri             ldap://localhost
rootbinddn      cn=manager,dc=ahpi,dc=org
pam_password    ssha
nss_schema      rfc2307bis
nss_map_attribute uniqueMember member


        I also tried to use a different attrset:

dynlist-attrset posixGroup labeledURI memberUid:uid


        From some maillist archives I had the impression
that the approach above could solve it, I then removed
the nss_schema and nss_map_attribute from libnss-ldap and
pam_ldap but it didn't seem to work (the query was OK).

        It seems to me that something is wrong with my
libnss/pam configuration, but it would be great if
somebody could help me.  Thanks in advance. :-)

Kind regards,
-- 
Felipe Augusto van de Wiel <felipe.wiel@complexopequenoprincipe.org.br>
Tecnologia da Informação (TI) - Complexo Pequeno Príncipe
http://www.pequenoprincipe.org.br/    T: +55 41 3310 1747
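As an added example (not from the original post, nor code from OpenLDAP or nss_ldap), the Python model below reproduces the symptom described above. It assumes the 2.4-era dynlist behaviour that labeledURI is expanded into 'member' values only on entries being returned, after the search filter has already been evaluated against stored attributes: a group lookup by name then sees the members, while the initgroups lookup that 'id' performs (a server-side filter on member=<user DN>) matches nothing. All directory entries are constructed.

```python
# Added example: a model of how a dynlist group behaves for nss_ldap's two
# lookups.  Assumption: filter evaluation happens on stored attributes and
# dynlist expansion only on the entries that are returned.  Constructed data.
from typing import Callable, Dict, List

Entry = Dict[str, List[str]]
PEOPLE = "ou=People,dc=ahpi,dc=org"
GROUPS = "ou=Groups,dc=ahpi,dc=org"

DIRECTORY: Dict[str, Entry] = {
    f"uid=userA,{PEOPLE}": {"objectClass": ["posixAccount", "sambaSAMAccount"],
                            "uid": ["userA"], "sambaAcctFlags": ["[U          ]"]},
    f"uid=userB,{PEOPLE}": {"objectClass": ["posixAccount", "sambaSAMAccount"],
                            "uid": ["userB"], "sambaAcctFlags": ["[U          ]"]},
    f"uid=userC,{PEOPLE}": {"objectClass": ["posixAccount", "sambaSAMAccount"],
                            "uid": ["userC"], "sambaAcctFlags": ["[DU         ]"]},  # disabled
    f"cn=active-samba-users,{GROUPS}": {
        "objectClass": ["posixGroup", "labeledURIObject"],
        "cn": ["active-samba-users"], "gidNumber": ["999"],
        "labeledURI": [f"ldap:///{PEOPLE}?uid?sub?(&(objectClass=posixAccount)"
                       "(objectClass=sambaSAMAccount)(!(sambaAcctFlags=*D*)))"]},
}

def active_samba_user(entry: Entry) -> bool:
    """Hand-coded equivalent of the labeledURI filter in the group entry."""
    return ("posixAccount" in entry["objectClass"]
            and "sambaSAMAccount" in entry["objectClass"]
            and not any("D" in f for f in entry.get("sambaAcctFlags", [])))

def server_search(base: str, match: Callable[[Entry], bool]) -> Dict[str, Entry]:
    """Step 1: apply the filter to stored attributes.  Step 2: dynlist expands
    labeledURI into 'member' on the entries that survived step 1 (copies only,
    so the stored entries never gain a member attribute)."""
    hits = {dn: dict(e) for dn, e in DIRECTORY.items() if dn.endswith(base) and match(e)}
    for e in hits.values():
        if "labeledURI" in e:  # dynlist-attrset posixGroup labeledURI member
            e["member"] = [dn for dn, m in DIRECTORY.items()
                           if dn.endswith(PEOPLE) and active_samba_user(m)]
    return hits

def getent_group(cn: str) -> List[str]:
    """getgrnam path: fetch the group by cn, map each member DN to its uid."""
    groups = server_search(GROUPS, lambda e: cn in e.get("cn", []))
    return sorted(DIRECTORY[dn]["uid"][0] for g in groups.values() for dn in g.get("member", []))

def initgroups(uid: str) -> List[str]:
    """initgroups path used by 'id': filter on member=<user DN>.  The filter
    runs before dynlist fills in 'member', so the dynamic group never matches."""
    user_dn = f"uid={uid},{PEOPLE}"
    groups = server_search(GROUPS, lambda e: user_dn in e.get("member", []))
    return sorted(g["cn"][0] for g in groups.values())
```

Running getent_group("active-samba-users") yields userA and userB, while initgroups("userA") yields an empty list, matching the behaviour reported in the post.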