[Date Prev][Date Next] [Chronological] [Thread] [Top]

dynlist and group membership (libnss-ldap, posixGroup, samba)



-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

Hi,

	I'm afraid I'm missing something very simple
here and it is likely that the issue is on libnss-ldap
and not on OpenLDAP dynlist overlay, I just want to make
sure everything is fine regarding OpenLDAP configuration.

	I'm using Debian 5.0 (Lenny) and OpenLDAP 2.4.11
(Debian packaged version). I'm also using rfc2307bis and
I would like to have a dynamic group with all non-disabled
Samba users. Not sure if it is recommended to send the
full slapd.conf, so I'm just sending the parts I added in
order to have the dynlist/"dynamic group".

/etc/ldap/slapd.conf:
include /etc/ldap/schema/dyngroup.schema
...
overlay dynlist
dynlist-attrset posixGroup labeledURI member


$ ldapsearch -x cn=active-samba-users
dn: cn=active-samba-users,ou=Groups,dc=ahpi,dc=org
objectClass: top
objectClass: groupOfNames
objectClass: posixGroup
objectClass: sambaGroupMapping
objectClass: labeledURIObject
cn: active-samba-users
gidNumber: 999
sambaSID: S-1-5-21-1234567899-1234567899-123456789-2999
sambaGroupType: 2
displayName: active samba users
labeledURI: ldap:///ou=People,?uid?sub?(&(objectClass=posixAccount)(objectClass=sambaSAMAccount)(!(sambaAcctFlags=*D*)))


	When I run the search above I do get the
expected results, several 'member' fields are
added to the response:

member: uid=userA,ou=People,dc=ahpi,dc=org
member: uid=userB,ou=People,dc=ahpi,dc=org


	The problem, is that I would expect and
'id userA' to include group 'active-samba-users'
but it doesn't. But 'getent group active-samba-users'
includes all the users:

active-samba-users:*:999:userA,userB


	Am I doing something wrong or missing
something obvious? Below are the complete version
of libnss-ldap.conf and pam_ldap.conf

/etc/libnss-ldap.conf:
ldap_version    3
base            dc=ahpi,dc=org
host            127.0.0.1
uri             ldap://localhost
rootbinddn      cn=manager,dc=ahpi,dc=org
scope 		sub
pam_password    ssha
nss_schema      rfc2307bis
nss_map_attribute uniqueMember member

/etc/pam_ldap.conf
ldap_version    3
base            dc=ahpi,dc=org
uri             ldap://localhost
rootbinddn      cn=manager,dc=ahpi,dc=org
pam_password    ssha
nss_schema      rfc2307bis
nss_map_attribute uniqueMember member


	I also tried to use a different attrset:

dynlist-attrset posixGroup labeledURI memberUid:uid


	From some maillist archives I had the impression
that the approach above could solve it, I then removed
the nss_schema and nss_map_attribute from libnss-ldap and
pam_ldap but it didn't seem to work (the query was OK).

	It seems to me that something is wrong with my
libnss/pam configuration, but it would be great if
somebody else could confirm it. Thanks in advance. :-)

Kind regards,
- -- 
Felipe Augusto van de Wiel <felipe.wiel@hpp.org.br>
Tecnologia da Informação (TI) - Complexo Pequeno Príncipe
http://www.pequenoprincipe.org.br/    T: +55 41 3310 1747
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.10 (GNU/Linux)
Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org/

iQIcBAEBCgAGBQJL9JYHAAoJECCPPxLgxLxPv3gP/ip9seR1fhhLvrTwQ9OlfdjL
iRk3nU9iPj5JtzwDHiOl872CTdZuI7Hbh4bCAe61Ix7Ai8Sz0nZsaBJRu2L+4K9W
4qY2lLAChn1k/R//9pnWxSi3zRInL6aMIXWWPqxLI5cmN9zht6Z0YQp/Uf5tkoez
q16nXSklJTJFJEAaEbhR5oxVo0vAGAl8zMdU8aZ1OicsdaVG4e0gzTtaCet6Yyvf
lCt7M1S3TNW4emebysKML+lbC6MdCAdUiRn0TzN3RL7v/42YZQX7k/nL2ZWKhIEn
jTkB5AzH4G1SjMTjq2yl3x7JGjFEmgPIDVTHcXfZj8mho6VaHmfR2QLGY6Mmt6/E
7ATQsYe57qNhTW5XhrUadd/5M+jCHkFe6mfKALbYhmj4Yjj1cXUxLTh4g4AYtWbL
qKd+haYf8cFDoDDBvf/bQQBe8tlM0ZRLkbqliy6I0+VZGoWkGButwM0TVjSPnin5
h7by/m3cgRFuRf2qZEafCoCzsVExN8wLKkzo9VHDx9ZxvA0KJ6QEQl52s5w+DkmF
CxyjTkRWPYi6mpzj9+nK0l8wbTeq+GLV2qvldPt+QIPyWDVOrnzJofkJK36Huhzs
7siOd8SI2uSSZwrRESaNWl/Wjyf0DAUhXOHUYqpGBIg9yiWHCKWr/A0EhOVOEWwb
CyPGFEw88YJq8dD89pdb
=Icjy
-----END PGP SIGNATURE-----