> Date: Sat, 5 Jun 2010 11:39:22 -0700
> From: hyc@symas.com
> To: bgmilne@staff.telkomsa.net
> CC: openldap-technical@openldap.org; jonathan@phillipoux.net; stuart_cherrington@hotmail.co.uk
> Subject: Re: User restriction
>
> Buchan Milne wrote:
> > On Friday, 4 June 2010 13:47:42 Jonathan Clarke wrote:
> >> On 04/06/2010 11:49, Stuart Cherrington wrote:
> >
> >> As far as I know, "nss_base_passwd" is not a valid keyword in ldap.conf
> >> for OpenLDAP clients.
> >>
> >> If you're configuring this on a Linux server, I think you'll find the
> >> equivalent configuration in /etc/libnss_ldap.conf or similar.
> >
> > Upstream default is /etc/ldap.conf, libnss-ldap.conf is an unnecessary Debian-ism.
>
> The upstream default has been an endless source of confusion for the better
> part of a decade. Renaming ala Debian is the right answer.
>
>
OK - Thanks for all your comments so far, the whole LDAP structure is starting to become clearer but not as simple as I'd like. As Aron suggested, I used the ldapcompare command to see if I could pull the 'member' information from the schema but it fails.
An ldapsearch shows the following:
ldapsearch -x -b 'ou=auth,dc=ldn,dc=sw,dc=com' -h 10.2.250.15 -D cn=proxyagent,ou=profile,dc=ldn,dc=sw,dc=com -w xxxxxx
# extended LDIF
#
# LDAPv3
# base <ou=auth,dc=ldn,dc=sw,dc=com> with scope subtree
# filter: (objectclass=*)
# requesting: ALL
#
# auth, ldn.sw.com
dn: ou=auth,dc=ldn,dc=sw,dc=com
ou: auth
objectClass: organizationalUnit
objectClass: top
# access, auth, ldn.sw.com
dn: cn=access,ou=auth,dc=ldn,dc=sw,dc=com
objectClass: groupOfNames
objectClass: top
cn: access
member: uid=stuart,ou=people,dc=ldn,dc=sw,dc=com
member: cn=proxyagent,ou=profile,dc=ldn,dc=sw,dc=com
member: uid=rpratt,ou=people,dc=ldn,dc=sw,dc=com
member: uid=jason,ou=people,dc=ldn,dc=sw,dc=com
member: uid=pstuart,ou=people,dc=ldn,dc=sw,dc=com
member: uid=pfield,ou=people,dc=ldn,dc=sw,dc=com
member: uid=nereelot,ou=people,dc=ldn,dc=sw,dc=com
member: uid=scolebro,ou=people,dc=ldn,dc=sw,dc=com
member: uid=bpower,ou=people,dc=ldn,dc=sw,dc=com
member: uid=ihunt,ou=people,dc=ldn,dc=sw,dc=com
member: uid=emoreton,ou=people,dc=ldn,dc=sw,dc=com
member: uid=lcable,ou=people,dc=ldn,dc=sw,dc=com
member: uid=pmurray,ou=people,dc=ldn,dc=sw,dc=com
# search result
search: 2
result: 0 Success
You can clearly see the first Member line is myself. If I now try:
ldapcompare2.4 -v -x -h 10.2.250.15 -D cn=proxyagent,ou=profile,dc=ldn,dc=sw,dc=com -w xxxxxxxx "ou=auth,dc=ldn,dc=sw,dc=com" member:uid=stuart,ou=people,dc=ldn,dc=sw,dc=com
ldap_initialize( ldap://10.2.250.15 )
DN:ou=auth,dc=ldn,dc=sw,dc=com, attr:member, value:uid=stuart,ou=people,dc=ldn,dc=sw,dc=com
Compare Result: No such attribute (16)
UNDEFINED
Any pointers here would be useful.
Thanks,
Stuart.
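As an added example (not part of the thread), the following Python parses the LDIF quoted above into entries and emulates the LDAP compare operation offline, so the difference between a compare aimed at the OU entry and one aimed at the groupOfNames entry that actually carries the 'member' values can be seen without a server. The sample LDIF is constructed from the ldapsearch output in the mail; parse_ldif and compare are names chosen here.

```python
# Added example, not from the thread: parse the LDIF quoted above and
# emulate the compare operation offline to see which DN carries 'member'.

SAMPLE_LDIF = """\
# auth, ldn.sw.com
dn: ou=auth,dc=ldn,dc=sw,dc=com
ou: auth
objectClass: organizationalUnit
objectClass: top

dn: cn=access,ou=auth,dc=ldn,dc=sw,dc=com
objectClass: groupOfNames
objectClass: top
cn: access
member: uid=stuart,ou=people,dc=ldn,dc=sw,dc=com
member: cn=proxyagent,ou=profile,dc=ldn,dc=sw,dc=com
member: uid=rpratt,ou=people,dc=ldn,dc=sw,dc=com
"""   # constructed to match the ldapsearch output in the mail


def parse_ldif(text):
    """Return {dn: {attr: [values]}}; '#' lines are comments, a blank line ends an entry."""
    entries, dn = {}, None
    for line in text.splitlines():
        if line.startswith("#"):
            continue
        if not line.strip():
            dn = None                     # entry separator
            continue
        attr, sep, value = line.partition(":")
        attr, value = attr.strip().lower(), value.strip()
        if attr == "dn":
            dn = value
            entries[dn] = {}
        elif sep and dn is not None:      # attribute names are case-insensitive
            entries[dn].setdefault(attr, []).append(value)
    return entries


def compare(entries, dn, attr, value):
    """Emulate LDAP compare: 'noSuchObject' for an unknown DN, 'noSuchAttribute'
    (result code 16) when the entry lacks the attribute, else True/False."""
    if dn not in entries:
        return "noSuchObject"
    values = entries[dn].get(attr.lower())
    if values is None:
        return "noSuchAttribute"
    # a real server applies the attribute's matching rule; exact match suffices here
    return value in values
```

Running compare against ou=auth gives noSuchAttribute, while the same assertion against cn=access,ou=auth succeeds, because only the group entry holds member values.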