Hi,
I'm afraid I'm missing something very simple here and it is likely that the issue is on libnss-ldap and not on OpenLDAP dynlist overlay, I just want to make sure everything is fine regarding OpenLDAP configuration.
I'm using Debian 5.0 (Lenny) and OpenLDAP 2.4.11 (Debian packaged version). I'm also using rfc2307bis and I would like to have a dynamic group with all non-disabled Samba users. Not sure if it is recommended to send the full slapd.conf, so I'm just sending the parts I added in order to have the dynlist/"dynamic group".
/etc/ldap/slapd.conf:

    include /etc/ldap/schema/dyngroup.schema
    ...
    overlay dynlist
    dynlist-attrset posixGroup labeledURI member

    $ ldapsearch -x cn=active-samba-users
    dn: cn=active-samba-users,ou=Groups,dc=ahpi,dc=org
    objectClass: top
    objectClass: groupOfNames
    objectClass: posixGroup
    objectClass: sambaGroupMapping
    objectClass: labeledURIObject
    cn: active-samba-users
    gidNumber: 999
    sambaSID: S-1-5-21-1234567899-1234567899-123456789-2999
    sambaGroupType: 2
    displayName: active samba users
    labeledURI: ldap:///ou=People,?uid?sub?(&(objectClass=posixAccount)(objectClass=sambaSAMAccount)(!(sambaAcctFlags=*D*)))
When I run the search above I do get the expected results, several 'member' fields are added to the response:
    member: uid=userA,ou=People,dc=ahpi,dc=org
    member: uid=userB,ou=People,dc=ahpi,dc=org

The problem is that I would expect 'id userA' to include the group 'active-samba-users', but it doesn't. However, 'getent group active-samba-users' includes all the users:

    active-samba-users:*:999:userA,userB

Am I doing something wrong or missing something obvious? Below are the complete versions of libnss-ldap.conf and pam_ldap.conf.
/etc/libnss-ldap.conf:

    ldap_version 3
    base dc=ahpi,dc=org
    host 127.0.0.1
    uri ldap://localhost
    rootbinddn cn=manager,dc=ahpi,dc=org
    scope sub
    pam_password ssha
    nss_schema rfc2307bis
    nss_map_attribute uniqueMember member

/etc/pam_ldap.conf:

    ldap_version 3
    base dc=ahpi,dc=org
    uri ldap://localhost
    rootbinddn cn=manager,dc=ahpi,dc=org
    pam_password ssha
    nss_schema rfc2307bis
    nss_map_attribute uniqueMember member
I also tried to use a different attrset:
    dynlist-attrset posixGroup labeledURI memberUid:uid

From some mailing list archives I had the impression that the approach above could solve it. I then removed the nss_schema and nss_map_attribute lines from libnss-ldap and pam_ldap, but it didn't seem to work (the query was OK).
It seems to me that something is wrong with my libnss/pam configuration, but it would be great if somebody else could confirm it. Thanks in advance. :-)
Kind regards,
--
Felipe Augusto van de Wiel felipe.wiel@hpp.org.br
Tecnologia da Informação (TI) - Complexo Pequeno Príncipe
http://www.pequenoprincipe.org.br/
T: +55 41 3310 1747
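What the two lookups in the message above actually see, as an added example that is not part of Felipe's post or of OpenLDAP's own code: a small Python model of a slapo-dynlist dynamic group, fed by an in-memory directory constructed to mirror the entries shown (userC with a disabled flag, an account without a Samba object class and a static group cn=staff are invented for contrast, and the URL base is written out in full rather than the post's 'ou=People,'). It models both dynlist-attrset lines tried in the post and the two nss_ldap queries being compared: 'getent group' fetches the group entry by cn, while 'id' searches for groups whose membership attribute names the user (member=<DN> under rfc2307bis, memberUid=<uid> under plain rfc2307). The model assumes, and this is an assumption about the overlay rather than something the post establishes, that dynlist adds the generated attribute only to entries being returned, after the search filter has been evaluated against the stored attributes.

```python
"""Added example (not from the original message): an in-memory model of a
slapo-dynlist dynamic group and of the two nss_ldap lookups compared above,
'getent group' and 'id'. Every entry below is constructed."""
from fnmatch import fnmatchcase

BASE = "dc=ahpi,dc=org"
PEOPLE = "ou=People," + BASE
SAMBA = ["posixAccount", "sambaSAMAccount"]
DIRECTORY = {  # constructed; the URL base is written out in full (the post has 'ou=People,')
    "uid=userA," + PEOPLE: {"objectClass": SAMBA, "uid": ["userA"], "sambaAcctFlags": ["[U          ]"]},
    "uid=userB," + PEOPLE: {"objectClass": SAMBA, "uid": ["userB"], "sambaAcctFlags": ["[U          ]"]},
    "uid=userC," + PEOPLE: {"objectClass": SAMBA, "uid": ["userC"], "sambaAcctFlags": ["[DU         ]"]},
    "uid=svc," + PEOPLE: {"objectClass": ["posixAccount"], "uid": ["svc"]},  # no Samba account
    "cn=active-samba-users,ou=Groups," + BASE: {
        "objectClass": ["posixGroup", "labeledURIObject"], "cn": ["active-samba-users"],
        "gidNumber": ["999"], "labeledURI": ["ldap:///" + PEOPLE + "?uid?sub?(&(objectClass="
        "posixAccount)(objectClass=sambaSAMAccount)(!(sambaAcctFlags=*D*)))"]},
    "cn=staff,ou=Groups," + BASE: {  # static group with a stored member value, for contrast
        "objectClass": ["posixGroup"], "cn": ["staff"], "member": ["uid=userA," + PEOPLE]},
}
ATTRSET_MEMBER = "posixGroup labeledURI member"            # first attrset tried in the post
ATTRSET_MEMBERUID = "posixGroup labeledURI memberUid:uid"  # second attrset tried in the post

def parse_ldap_url(url):
    """Split an RFC 4516 'ldap:///base?attrs?scope?filter' URL into its four parts."""
    base, attrs, scope, flt = (url[len("ldap:///"):].split("?") + [""] * 4)[:4]
    return {"base": base, "attrs": [a for a in attrs.split(",") if a],
            "scope": scope or "base", "filter": flt or "(objectClass=*)"}

def parse_filter(s):
    """RFC 4515 subset used above: (&...) (|...) (!...) and (attr=value) with '*' wildcards."""
    body = s[1:-1]
    if body[:1] not in ("&", "|", "!"):
        attr, _, value = body.partition("=")
        return ("=", attr, value)
    items, depth, start = [], 0, 1
    for i, ch in enumerate(body[1:], 1):   # split off the top-level parenthesised children
        if ch == "(":
            if depth == 0:
                start = i
            depth += 1
        elif ch == ")":
            depth -= 1
            if depth == 0:
                items.append(parse_filter(body[start:i + 1]))
    return (body[0], items)

def attr_values(entry, attr):
    """Attribute types are case-insensitive in LDAP; values are compared as-is here."""
    return next((v for k, v in entry.items() if k.lower() == attr.lower()), [])

def match(node, entry):
    if node[0] == "&":
        return all(match(n, entry) for n in node[1])
    if node[0] == "|":
        return any(match(n, entry) for n in node[1])
    if node[0] == "!":
        return not match(node[1][0], entry)
    return any(fnmatchcase(v, node[2]) for v in attr_values(entry, node[1]))

def search(directory, base, scope, flt):
    """Evaluate a filter over the STORED entries only (scopes 'base' and 'sub')."""
    node, base = parse_filter(flt), base.lower()
    return {dn: e for dn, e in directory.items()
            if (dn.lower() == base or (scope == "sub" and dn.lower().endswith("," + base)))
            and match(node, e)}

def dynlist_expand(directory, entry, attrset):
    """Apply 'dynlist-attrset <oc> <url-ad> <member-ad>[:<attr>]' to an entry being
    returned: every URL is searched and the matched DNs (or their <attr>) become members."""
    oc, url_ad, member_spec = attrset.split()
    member_ad, _, src_attr = member_spec.partition(":")
    out = {k: list(v) for k, v in entry.items()}
    if oc in attr_values(entry, "objectClass"):
        for url in attr_values(entry, url_ad):
            u = parse_ldap_url(url)
            for dn, e in search(directory, u["base"], u["scope"], u["filter"]).items():
                out.setdefault(member_ad, []).extend([dn] if not src_attr else attr_values(e, src_attr))
    return out

def getent_group(directory, attrset, name):
    """'getent group <name>': the group entry itself is returned, so dynlist fills in
    its members on the way out; DN-valued members are reduced to the uid RDN value."""
    members = []
    for e in search(directory, BASE, "sub", "(&(objectClass=posixGroup)(cn=%s))" % name).values():
        e = dynlist_expand(directory, e, attrset)
        members += [m.split(",", 1)[0].split("=", 1)[1] for m in e.get("member", [])]
        members += e.get("memberUid", [])
    return sorted(members)

def id_groups(directory, uid, schema="rfc2307bis"):
    """'id <uid>': nss_ldap searches for groups whose membership attribute names the user.
    Modelling assumption: the filter sees stored attributes only, so members that dynlist
    would add on return never match."""
    if schema == "rfc2307bis":
        dn = next(d for d, e in directory.items() if e.get("uid") == [uid])
        flt = "(&(objectClass=posixGroup)(member=%s))" % dn
    else:
        flt = "(&(objectClass=posixGroup)(memberUid=%s))" % uid
    return sorted(e["cn"][0] for e in search(directory, BASE, "sub", flt).values())
```

Calling getent_group(DIRECTORY, ATTRSET_MEMBER, "active-samba-users") or the same with ATTRSET_MEMBERUID returns ['userA', 'userB'] (userC is excluded by the *D* flag, svc by the missing object class), whereas id_groups(DIRECTORY, "userA") returns only ['staff'] and id_groups(DIRECTORY, "userA", "rfc2307") returns [], which is the split between the two commands reported above. The static group is the check worth carrying over to a real server: if 'id' lists a statically populated posixGroup for the same user but not the dynlist one, the nss_ldap schema mapping is doing its job and the difference lies in how the membership attribute is produced.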