Date: Sat, 5 Jun 2010 11:39:22 -0700
From: hyc@symas.com
To: bgmilne@staff.telkomsa.net
CC: openldap-technical@openldap.org; jonathan@phillipoux.net; stuart_cherrington@hotmail.co.uk
Subject: Re: User restriction
Buchan Milne wrote:
On Friday, 4 June 2010 13:47:42 Jonathan Clarke wrote:
On 04/06/2010 11:49, Stuart Cherrington wrote:
As far as I know, "nss_base_passwd" is not a valid keyword in ldap.conf for OpenLDAP clients.
If you're configuring this on a Linux server, I think you'll find the equivalent configuration in /etc/libnss_ldap.conf or similar.
Upstream default is /etc/ldap.conf, libnss-ldap.conf is an unnecessary Debian-ism.
The upstream default has been an endless source of confusion for the better part of a decade. Renaming a la Debian is the right answer.
OK - Thanks for all your comments so far, the whole LDAP structure is starting to become clearer but not as simple as I'd like. As Aron suggested, I used the ldapcompare command to see if I could pull the 'member' information from the schema but it fails.
An ldapsearch shows the following:
ldapsearch -x -b 'ou=auth,dc=ldn,dc=sw,dc=com' -h 10.2.250.15 -D cn=proxyagent,ou=profile,dc=ldn,dc=sw,dc=com -w xxxxxx
# extended LDIF
#
# LDAPv3
# base <ou=auth,dc=ldn,dc=sw,dc=com> with scope subtree
# filter: (objectclass=*)
# requesting: ALL
#

# auth, ldn.sw.com
dn: ou=auth,dc=ldn,dc=sw,dc=com
ou: auth
objectClass: organizationalUnit
objectClass: top

# access, auth, ldn.sw.com
dn: cn=access,ou=auth,dc=ldn,dc=sw,dc=com
objectClass: groupOfNames
objectClass: top
cn: access
member: uid=stuart,ou=people,dc=ldn,dc=sw,dc=com
member: cn=proxyagent,ou=profile,dc=ldn,dc=sw,dc=com
member: uid=rpratt,ou=people,dc=ldn,dc=sw,dc=com
member: uid=jason,ou=people,dc=ldn,dc=sw,dc=com
member: uid=pstuart,ou=people,dc=ldn,dc=sw,dc=com
member: uid=pfield,ou=people,dc=ldn,dc=sw,dc=com
member: uid=nereelot,ou=people,dc=ldn,dc=sw,dc=com
member: uid=scolebro,ou=people,dc=ldn,dc=sw,dc=com
member: uid=bpower,ou=people,dc=ldn,dc=sw,dc=com
member: uid=ihunt,ou=people,dc=ldn,dc=sw,dc=com
member: uid=emoreton,ou=people,dc=ldn,dc=sw,dc=com
member: uid=lcable,ou=people,dc=ldn,dc=sw,dc=com
member: uid=pmurray,ou=people,dc=ldn,dc=sw,dc=com

# search result
search: 2
result: 0 Success
You can clearly see the first Member line is myself. If I now try:
ldapcompare2.4 -v -x -h 10.2.250.15 -D cn=proxyagent,ou=profile,dc=ldn,dc=sw,dc=com -w xxxxxxxx "ou=auth,dc=ldn,dc=sw,dc=com" member:uid=stuart,ou=people,dc=ldn,dc=sw,dc=com

ldap_initialize( ldap://10.2.250.15 )
DN:ou=auth,dc=ldn,dc=sw,dc=com, attr:member, value:uid=stuart,ou=people,dc=ldn,dc=sw,dc=com
Compare Result: No such attribute (16)
UNDEFINED
Any pointers here would be useful.
Thanks,
Stuart.
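Added example, not part of the thread: a small Python reconstruction of what the LDAP Compare operation does with the entries shown in the ldapsearch output above. Compare evaluates the assertion against exactly the entry named by the DN, so asking the container ou=auth about a member value yields "No such attribute", while the same question to cn=access,ou=auth (the groupOfNames entry that actually carries member) answers TRUE; the LDIF sample is constructed from the quoted output with only two member values kept.

```python
import re
# Constructed sample, reconstructed from the ldapsearch output quoted above.
SAMPLE_LDIF = """\
dn: ou=auth,dc=ldn,dc=sw,dc=com
ou: auth
objectClass: organizationalUnit
objectClass: top

dn: cn=access,ou=auth,dc=ldn,dc=sw,dc=com
objectClass: groupOfNames
objectClass: top
cn: access
member: uid=stuart,ou=people,dc=ldn,dc=sw,dc=com
member: cn=proxyagent,ou=profile,dc=ldn,dc=sw,dc=com
"""

def norm_dn(dn):
    """Case-insensitive DN match, whitespace after RDN separators ignored."""
    return re.sub(r",\s*", ",", dn.strip()).lower()

def parse_ldif(text):
    """Return {normalised dn: {lower-case attr: [values]}}. Folded
    continuation lines are joined and '#' comment lines are skipped."""
    entries, current = {}, None
    for line in re.sub(r"\n ", "", text).splitlines():
        if not line.strip():
            current = None            # blank line terminates the entry
            continue
        if line.startswith("#"):
            continue
        attr, _, value = line.partition(":")
        attr, value = attr.strip().lower(), value.strip()
        if attr == "dn":
            current = entries.setdefault(norm_dn(value), {})
        elif current is not None:
            current.setdefault(attr, []).append(value)
    return entries

def ldap_compare(entries, dn, attr, value):
    """Mimic the LDAP Compare operation (RFC 4511 section 4.10): the assertion
    is evaluated against the single named entry, never its subtree."""
    entry = entries.get(norm_dn(dn))
    if entry is None:
        return "noSuchObject"
    values = entry.get(attr.lower())
    if values is None:
        return "noSuchAttribute"      # ldapcompare prints 'No such attribute (16)'
    hit = any(norm_dn(v) == norm_dn(value) for v in values)
    return "compareTrue" if hit else "compareFalse"
```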