[Date Prev][Date Next] [Chronological] [Thread] [Top]

Re: Cached user info?

To: openldap-technical@openldap.org
Subject: Re: Cached user info?
From: Braden McDaniel <braden@endoframe.com>
Date: Mon, 07 May 2012 10:22:58 -0400
Dkim-signature: v=1; a=rsa-sha1; c=relaxed; d=endoframe.com; h= message-id:subject:from:to:date:in-reply-to:references :content-type:content-transfer-encoding:mime-version; s= endoframe.com; bh=Pf9ltyLclZLPW7mdJ+agZJ0kKU4=; b=Gbs1N9wZJn7jps 346l3m2zEHQISPuWwlZ1/tn5x4jZBlDDEx9ohNTNNtaWS/PnUkpjJX/Ihy8CCmyq VZyZXplQecDrEOA35jTW0Rhu2FxFV0joNdCcZDMtEE4F3/yTyLNbSZKv+jnG97bf ySZ5/YA6qqhYOrDOJrWNkNJ53wRa8=
Domainkey-signature: a=rsa-sha1; c=nofws; d=endoframe.com; h=message-id :subject:from:to:date:in-reply-to:references:content-type :content-transfer-encoding:mime-version; q=dns; s=endoframe.com; b=jO7CZCkOFcXH4CD6VQ8/HbS9SH9nvhKXG/yHSD8jR8ULH7gMWnOatLuRXE3FC +UXBIxdpVjaG8ebjGCX88Pj0nyTb+KTChZy7PBWJvBkATuo0tubsIEKNElLCwOqa JUONvygJcbswCWQSK1HXXXwiQQT8jdKz8ClEt4Q+LA0hHY=
In-reply-to: <201205071127.09657.bgmilne@staff.telkomsa.net>
References: <6C447584419BFE4E83D46E88F81314869E033D58A5@EXCH07-05.apollogrp.edu> <1336370674.5089.24.camel@bolt.endoframe.net> <201205071127.09657.bgmilne@staff.telkomsa.net>

On Mon, 2012-05-07 at 11:27 +0200, Buchan Milne wrote: 
> On Monday, 7 May 2012 08:04:34 Braden McDaniel wrote:
> > On Sun, 2012-05-06 at 22:21 -0700, Chris Jacobs wrote:
> > > Or restarted sssd?
> > 
> > I've restarted both the client machine and the server; so, yes.
> > 
> > > What is your OS?
> > 
> > Fedora 17 prerelease.
> > 
> > > Have you googled for ldap cache and your os?
> > 
> > I have.  I haven't come up with much, so far.
> > 
> > Might pam be caching any of this stuff?
> > 
> > > What else have you tried?
> > 
> > If I remove the user from the group in LDAP, that is reflected in the
> > output of "groups".  But, when I add it back, "groups" shows the (local)
> > group associated with the old GID, not the new one.
> > 
> > So it's as if something on the client side has gotten the group *name*
> > from LDAP and has locally cached an association with the old GID.
> 
> You have a local group and an LDAP group, with the same name, and different 
> GIDs?

Not "have"; *had*.  I changed the LDAP group GID to match the local grou
GID.  But "groups" still shows the local group associated with the old
GID.

> Depending on your nss configuration (in /etc/nsswitch.conf), you will 
> either get the local group, or the LDAP group definition.
> 
> > The
> > old GID is getting passed along and is associated with the group that it
> > maps to locally by a tool like "groups".
> 
> If I understand your setup, this is the correct behaviour.
> 
> Provide the output of 'id username'.

        $ id braden
        uid=1000(braden) gid=100(users) groups=100(users),497(desktop_admin_r),988(ccache),990(pulse-access)

And here are the POSIX groups I've defined in LDAP:

        $ ldapsearch -x -H ldap://ldap.endoframe.net -D "cn=Manager,dc=endoframe,dc=net" -W "objectClass=posixGroup"
        Enter LDAP Password: 
        # extended LDIF
        #
        # LDAPv3
        # base <dc=endoframe,dc=net> (default) with scope subtree
        # filter: objectClass=posixGroup
        # requesting: ALL
        #
        
        # users, Groups, endoframe.net
        dn: cn=users,ou=Groups,dc=endoframe,dc=net
        objectClass: top
        objectClass: posixGroup
        cn: users
        gidNumber: 100
        memberUid: braden
        
        # ccache, Groups, endoframe.net
        dn: cn=ccache,ou=Groups,dc=endoframe,dc=net
        objectClass: top
        objectClass: posixGroup
        cn: ccache
        gidNumber: 988
        memberUid: braden
        
        # desktop_admin_r, Groups, endoframe.net
        dn: cn=desktop_admin_r,ou=Groups,dc=endoframe,dc=net
        objectClass: top
        objectClass: posixGroup
        gidNumber: 497
        cn: desktop_admin_r
        memberUid: braden
        
        # desktop_user_r, Groups, endoframe.net
        dn: cn=desktop_user_r,ou=Groups,dc=endoframe,dc=net
        objectClass: top
        objectClass: posixGroup
        gidNumber: 496
        cn: desktop_user_r
        
        # mock, Groups, endoframe.net
        dn: cn=mock,ou=Groups,dc=endoframe,dc=net
        objectClass: top
        objectClass: posixGroup
        cn: mock
        gidNumber: 989
        memberUid: braden
        
        # search result
        search: 2
        result: 0 Success
        
        # numResponses: 6
        # numEntries: 5
        

> If none of your groups have spaces in the 
> name, the following might also be useful:
> 
> $ for i in `groups username|awk -F: '{print $2}'`;do getent group|grep  
> "^$i:";done

        $ getent group | grep "^pulse-access:"
        pulse-access:x:990:
        $ getent group | grep "^mock:"
        mock:x:989:

The mock group in LDAP used to have GID 990; I changed it to 989 (as
shown in the ldapsearch results above).

-- 
Braden McDaniel <braden@endoframe.com>

Follow-Ups:
- Re: Cached user info?
  - From: Buchan Milne <bgmilne@staff.telkomsa.net>

References:
- Re: Cached user info?
  - From: Chris Jacobs <Chris.Jacobs@apollogrp.edu>
- Re: Cached user info?
  - From: Braden McDaniel <braden@endoframe.com>
- Re: Cached user info?
  - From: Buchan Milne <bgmilne@staff.telkomsa.net>

Prev by Date: Re: Cached user info?
Next by Date: Re: Cached user info?
Index(es):
- Chronological
- Thread