[nssldap] dynlist (dynamic group) and group membership (libnss-ldap, posixGroup, samba)
- From: Felipe Augusto van de Wiel <felipe.wiel [at] complexopequenoprincipe.org.br>
- To: nssldap [at] padl.com
- Subject: [nssldap] dynlist (dynamic group) and group membership (libnss-ldap, posixGroup, samba)
- Date: Wed, 23 Jun 2010 18:39:18 -0300
Hi,
A few weeks ago I posted this message to
openldap-technical to check if I was doing something wrong
on the OpenLDAP side, apparently, I'm not. Today I tried
a few items without success. Hopefully this list can help
out. :-)
I'm afraid I'm missing something very simple here
and initially I thought it was a misconfiguration with the
OpenLDAP dynlist overlay.
I'm using Debian 5.0 (Lenny) and OpenLDAP 2.4.11
(Debian packaged version). I'm also using rfc2307bis and
I would like to have a dynamic group with all non-disabled
Samba users. Not sure if it is recommended to send the full
slapd.conf, so I'm just sending the parts I added in order
to have the dynlist/"dynamic group".
/etc/ldap/slapd.conf:
include /etc/ldap/schema/dyngroup.schema
...
overlay dynlist
dynlist-attrset posixGroup labeledURI member
$ ldapsearch -x cn=active-samba-users
dn: cn=active-samba-users,ou=Groups,dc=ahpi,dc=org
objectClass: top
objectClass: groupOfNames
objectClass: posixGroup
objectClass: sambaGroupMapping
objectClass: labeledURIObject
cn: active-samba-users
gidNumber: 999
sambaSID: S-1-5-21-1234567899-1234567899-123456789-2999
sambaGroupType: 2
displayName: active samba users
labeledURI: ldap:///ou=People,dc=ahpi,dc=org?uid?sub?(&(objectClass=posixAccount)(objectClass=sambaSAMAccount)(!(sambaAcctFlags=*D*)))
When I run the search above I do get the expected
results, several 'member' fields are added to the response:
member: uid=userA,ou=People,dc=ahpi,dc=org
member: uid=userB,ou=People,dc=ahpi,dc=org
The problem is that I would expect an 'id userA'
to include group 'active-samba-users' but it doesn't. But
'getent group active-samba-users' includes all the users:
active-samba-users:*:999:userA,userB
I also tried with different labeledURI like:
labeledURI: ldap:///ou=People,dc=ahpi,dc=org??sub?(&(objectClass=posixAccount)(objectClass=sambaSAMAccount)(!(sambaAcctFlags=*D*)))
labeledURI: ldap:///ou=People,dc=ahpi,dc=org?member?sub?(&(objectClass=posixAccount)(objectClass=sambaSAMAccount)(!(sambaAcctFlags=*D*)))
Am I doing something wrong or missing something
obvious? Below are the complete versions of libnss-ldap.conf
and pam_ldap.conf.
/etc/libnss-ldap.conf:
ldap_version 3
base dc=ahpi,dc=org
host 127.0.0.1
uri ldap://localhost
rootbinddn cn=manager,dc=ahpi,dc=org
scope sub
pam_password ssha
nss_schema rfc2307bis
nss_map_attribute uniqueMember member
/etc/pam_ldap.conf
ldap_version 3
base dc=ahpi,dc=org
uri ldap://localhost
rootbinddn cn=manager,dc=ahpi,dc=org
pam_password ssha
nss_schema rfc2307bis
nss_map_attribute uniqueMember member
I also tried to use a different attrset:
dynlist-attrset posixGroup labeledURI memberUid:uid
From some mailing list archives I had the impression
that the approach above could solve it; I then removed
the nss_schema and nss_map_attribute from libnss-ldap and
pam_ldap, but it didn't seem to work (the query was OK).
It seems to me that something is wrong with my
libnss/pam configuration, but it would be great if
somebody could help me. Thanks in advance. :-)
Kind regards,
--
Felipe Augusto van de Wiel <felipe.wiel@complexopequenoprincipe.org.br>
Tecnologia da Informação (TI) - Complexo Pequeno Príncipe
http://www.pequenoprincipe.org.br/ T: +55 41 3310 1747
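As an added illustration (not code from the post, from OpenLDAP or from nss_ldap), the following Python model reproduces the two observations above: expanding the group's labeledURI yields the non-disabled users, which is what `getent group` reports, while a lookup that filters on the values actually stored in the group entries, which is what a per-user enumeration such as `id` amounts to if the overlay does not evaluate search filters against the attributes it generates (an assumption of this model), finds nothing. PEOPLE and GROUPS are constructed sample data modelled on the entries in the post.

```python
import re
# Constructed sample data (not from a real directory): userA/userB are enabled Samba
# accounts, userC carries the 'D' (disabled) flag in sambaAcctFlags.
URI = ("ldap:///ou=People,dc=ahpi,dc=org?uid?sub?"
       "(&(objectClass=posixAccount)(objectClass=sambaSAMAccount)(!(sambaAcctFlags=*D*)))")
PEOPLE = {
    "uid=userA,ou=People,dc=ahpi,dc=org": {"uid": ["userA"], "objectClass": ["posixAccount", "sambaSamAccount"], "sambaAcctFlags": ["[U          ]"]},
    "uid=userB,ou=People,dc=ahpi,dc=org": {"uid": ["userB"], "objectClass": ["posixAccount", "sambaSamAccount"], "sambaAcctFlags": ["[U          ]"]},
    "uid=userC,ou=People,dc=ahpi,dc=org": {"uid": ["userC"], "objectClass": ["posixAccount", "sambaSamAccount"], "sambaAcctFlags": ["[UD         ]"]},
}
GROUPS = {"cn=active-samba-users,ou=Groups,dc=ahpi,dc=org": {"gidNumber": ["999"], "labeledURI": [URI]}}

def parse_filter(s, i=0):
    """Minimal RFC 4515 filter parser: &, |, !, equality and '*' substrings, no escapes."""
    if s[i + 1] in "&|!":
        op, i, kids = s[i + 1], i + 2, []
        while s[i] != ")":
            node, i = parse_filter(s, i)
            kids.append(node)
        return (op, kids), i + 1
    j = s.index(")", i)
    attr, val = s[i + 1:j].split("=", 1)
    return ("=", attr.lower(), val.lower()), j + 1

def matches(node, entry):
    """Evaluate a parsed filter against one entry; names and values compare case-insensitively."""
    if node[0] in "&|":
        return (all if node[0] == "&" else any)(matches(k, entry) for k in node[1])
    if node[0] == "!":
        return not matches(node[1][0], entry)
    vals = [v.lower() for k, vs in entry.items() if k.lower() == node[1] for v in vs]
    regex = "^" + ".*".join(re.escape(p) for p in node[2].split("*")) + "$"
    return any(re.match(regex, v) for v in vals)

def dynlist_expand(group, entries, source_attr=None):
    """Model of dynlist-attrset on a group's labeledURI: 'member' gets the matched DNs;
    a mapping such as memberUid:uid gets the matched entries' values of source_attr."""
    members = []
    for uri in group.get("labeledURI", []):
        base, _attrs, _scope, filt = uri.split("///", 1)[1].split("?", 3)  # scope 'sub' assumed
        tree, _ = parse_filter(filt)
        for dn, entry in entries.items():
            if dn.lower().endswith(base.lower()) and matches(tree, entry):
                members.extend([dn] if source_attr is None else entry.get(source_attr, []))
    return members

def stored_groups_of(dn, groups):
    """What a filter like (member=<dn>) sees: only values stored in the group entries."""
    return sorted(g for g, e in groups.items() if dn in e.get("member", []))
```

With this model the disabled user is correctly left out of the expansion, and the gap between the group lookup and the per-user lookup is visible without touching a live directory.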