dynlist and group membership (libnss-ldap, posixGroup, samba)
- To: openldap-technical@openldap.org
- Subject: dynlist and group membership (libnss-ldap, posixGroup, samba)
- From: Felipe Augusto van de Wiel <felipe.wiel@hpp.org.br>
- Date: Wed, 19 May 2010 22:53:15 -0300
- Openpgp: id=E0C4BC4F
- Organization: Complexo Pequeno Príncipe
- User-agent: Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.9.1.9) Gecko/20100502 Iceape/2.0.4 Lightning/1.0b1
Hi,
I'm afraid I'm missing something very simple
here, and it is likely that the issue is on libnss-ldap
and not on the OpenLDAP dynlist overlay; I just want to make
sure everything is fine regarding the OpenLDAP configuration.
I'm using Debian 5.0 (Lenny) and OpenLDAP 2.4.11
(Debian packaged version). I'm also using rfc2307bis and
I would like to have a dynamic group with all non-disabled
Samba users. Not sure if it is recommended to send the
full slapd.conf, so I'm just sending the parts I added in
order to have the dynlist/"dynamic group".
/etc/ldap/slapd.conf:
include /etc/ldap/schema/dyngroup.schema
...
overlay dynlist
dynlist-attrset posixGroup labeledURI member
$ ldapsearch -x cn=active-samba-users
dn: cn=active-samba-users,ou=Groups,dc=ahpi,dc=org
objectClass: top
objectClass: groupOfNames
objectClass: posixGroup
objectClass: sambaGroupMapping
objectClass: labeledURIObject
cn: active-samba-users
gidNumber: 999
sambaSID: S-1-5-21-1234567899-1234567899-123456789-2999
sambaGroupType: 2
displayName: active samba users
labeledURI: ldap:///ou=People,?uid?sub?(&(objectClass=posixAccount)(objectClass=sambaSAMAccount)(!(sambaAcctFlags=*D*)))
When I run the search above I do get the
expected results, several 'member' fields are
added to the response:
member: uid=userA,ou=People,dc=ahpi,dc=org
member: uid=userB,ou=People,dc=ahpi,dc=org
The problem is that I would expect
'id userA' to include group 'active-samba-users',
but it doesn't. However, 'getent group active-samba-users'
includes all the users:
active-samba-users:*:999:userA,userB
Am I doing something wrong or missing
something obvious? Below are the complete versions
of libnss-ldap.conf and pam_ldap.conf.
/etc/libnss-ldap.conf:
ldap_version 3
base dc=ahpi,dc=org
host 127.0.0.1
uri ldap://localhost
rootbinddn cn=manager,dc=ahpi,dc=org
scope sub
pam_password ssha
nss_schema rfc2307bis
nss_map_attribute uniqueMember member
/etc/pam_ldap.conf:
ldap_version 3
base dc=ahpi,dc=org
uri ldap://localhost
rootbinddn cn=manager,dc=ahpi,dc=org
pam_password ssha
nss_schema rfc2307bis
nss_map_attribute uniqueMember member
I also tried to use a different attrset:
dynlist-attrset posixGroup labeledURI memberUid:uid
From some mailing list archives I had the impression
that the approach above could solve it. I then removed
the nss_schema and nss_map_attribute from libnss-ldap and
pam_ldap, but it didn't seem to work (the query was OK).
It seems to me that something is wrong with my
libnss/pam configuration, but it would be great if
somebody else could confirm it. Thanks in advance. :-)
Kind regards,
--
Felipe Augusto van de Wiel <felipe.wiel@hpp.org.br>
Information Technology (IT) - Complexo Pequeno Príncipe
http://www.pequenoprincipe.org.br/ T: +55 41 3310 1747
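The mismatch the post describes, as an added simulation that is neither the poster's code nor OpenLDAP's: a read-time overlay decorates the group entry it returns (what `getent group` sees), while a membership lookup by filter is evaluated against the stored entry, where the generated values do not exist (what an initgroups lookup behind `id` sees). The in-memory directory, the minimal filter parser, the initgroups filter shape and the handling of the suffix-relative URI base are all assumptions.

```python
# Why the post's group appears in `getent group` but not in `id`: slapo-dynlist (2.4 series) adds
# the generated 'member' values to an entry as it is returned, but a filter like (member=<user DN>),
# the shape of an initgroups lookup, is evaluated against stored entries and matches nothing.
import re

SUFFIX = "dc=ahpi,dc=org"
ACCT = ["posixAccount", "sambaSAMAccount"]
DIRECTORY = {  # constructed data: two enabled Samba users, one disabled (D in sambaAcctFlags)
    f"uid=userA,ou=People,{SUFFIX}": {"objectClass": ACCT, "uid": ["userA"], "sambaAcctFlags": ["[U ]"]},
    f"uid=userB,ou=People,{SUFFIX}": {"objectClass": ACCT, "uid": ["userB"], "sambaAcctFlags": ["[U ]"]},
    f"uid=userC,ou=People,{SUFFIX}": {"objectClass": ACCT, "uid": ["userC"], "sambaAcctFlags": ["[UD ]"]},
    f"cn=active-samba-users,ou=Groups,{SUFFIX}": {"objectClass": ["posixGroup", "labeledURIObject"],
        "cn": ["active-samba-users"], "gidNumber": ["999"], "labeledURI": ["ldap:///ou=People,?uid?sub?"
        "(&(objectClass=posixAccount)(objectClass=sambaSAMAccount)(!(sambaAcctFlags=*D*)))"]}}

def parse_filter(s, i=0):  # recursive-descent parser for the RFC 4515 subset used here: & | ! (attr=value)
    if s[i + 1] in "&|!":
        op, i, kids = s[i + 1], i + 2, []
        while s[i] == "(":
            node, i = parse_filter(s, i)
            kids.append(node)
        return (op, kids), i + 1  # step past the closing ')'
    end = s.index(")", i)
    return ("=", *s[i + 1:end].split("=", 1)), end + 1

def matches(node, entry):
    if node[0] == "!": return not matches(node[1][0], entry)
    if node[0] in "&|": return (all if node[0] == "&" else any)(matches(k, entry) for k in node[1])
    vals = [v.lower() for k, vs in entry.items() if k.lower() == node[1].lower() for v in vs]
    pat = "^" + ".*".join(map(re.escape, node[2].lower().split("*"))) + "$"  # '*' acts as a wildcard
    return any(re.match(pat, v) for v in vals)

def search(base, scope, flt):  # filter evaluation over stored entries only, which is all the server sees
    node = parse_filter(flt)[0]
    return {dn: e for dn, e in DIRECTORY.items() if matches(node, e) and
            (dn.lower() == base.lower() if scope == "base" else dn.lower().endswith(base.lower()))}

def dynlist_expand(entry, attrset="member"):
    """'dynlist-attrset posixGroup labeledURI <attrset>' on a returned entry: 'member' collects DNs, 'memberUid:uid' uid values."""
    out, (target, _, mapped) = {k: list(v) for k, v in entry.items()}, attrset.partition(":")
    for uri in entry.get("labeledURI", []):
        base, _attrs, scope, flt = uri[len("ldap:///"):].split("?", 3)
        if not base.lower().endswith(SUFFIX):  # assumption: a base like 'ou=People,' is suffix-relative
            base = base.rstrip(",") + "," + SUFFIX
        for dn, e in search(base, scope, flt).items():
            out.setdefault(target, []).extend(e.get(mapped, []) if mapped else [dn])
    return out

def getent_group(cn):
    """getent group <cn>: the entry is located by cn, then decorated by the overlay."""
    hits = search(SUFFIX, "sub", f"(&(objectClass=posixGroup)(cn={cn}))")
    return [m for e in hits.values() for m in dynlist_expand(e).get("member", [])]

def initgroups(user_dn):
    """id <user>: approximates libnss-ldap's rfc2307bis membership filter (an assumption); nothing matches."""
    return list(search(SUFFIX, "sub", f"(&(objectClass=posixGroup)(member={user_dn}))"))
```

The same gap applies to the memberUid:uid attrset: the expanded entry carries memberUid values, but a filter on memberUid still sees only what is stored.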