On Mon, Jun 7, 2010 at 4:44 AM, Stuart Cherrington < stuart_cherrington@hotmail.co.uk> wrote:
Date: Sat, 5 Jun 2010 11:39:22 -0700 From: hyc@symas.com To: bgmilne@staff.telkomsa.net CC: openldap-technical@openldap.org; jonathan@phillipoux.net;
stuart_cherrington@hotmail.co.uk
Subject: Re: User restriction
Buchan Milne wrote:
On Friday, 4 June 2010 13:47:42 Jonathan Clarke wrote:
On 04/06/2010 11:49, Stuart Cherrington wrote:
As far as I know, "nss_base_passwd" is not a valid keyword in
ldap.conf
for OpenLDAP clients.
If you're configuring this on a Linux server, I think you'll find the equivalent configuration in /etc/libnss_ldap.conf or similar.
Upstream default is /etc/ldap.conf, libnss-ldap.conf is an unnecessary
Debian-
ism.
The upstream default has been an endless source of confusion for the
better
part of a decade. Renaming ala Debian is the right answer.
OK - Thanks for all your comments so far, the whole LDAP structure is starting to become clearer but not as simple as I'd like. As Aron suggested, I used the ldapcompare command to see if I could pull the 'member' information from the schema but it fails.
An ldapsearch shows the following:
ldapsearch -x -b 'ou=auth,dc=ldn,dc=sw,dc=com' -h 10.2.250.15 -D cn=proxyagent,ou=profile,dc=ldn,dc=sw,dc=com -w xxxxxx # extended LDIF # # LDAPv3 # base <ou=auth,dc=ldn,dc=sw,dc=com> with scope subtree # filter: (objectclass=*) # requesting: ALL #
# auth, ldn.sw.com dn: ou=auth,dc=ldn,dc=sw,dc=com ou: auth objectClass: organizationalUnit objectClass: top
# access, auth, ldn.sw.com dn: cn=access,ou=auth,dc=ldn,dc=sw,dc=com objectClass: groupOfNames objectClass: top cn: access member: uid=stuart,ou=people,dc=ldn,dc=sw,dc=com member: cn=proxyagent,ou=profile,dc=ldn,dc=sw,dc=com member: uid=rpratt,ou=people,dc=ldn,dc=sw,dc=com member: uid=jason,ou=people,dc=ldn,dc=sw,dc=com member: uid=pstuart,ou=people,dc=ldn,dc=sw,dc=com member: uid=pfield,ou=people,dc=ldn,dc=sw,dc=com member: uid=nereelot,ou=people,dc=ldn,dc=sw,dc=com member: uid=scolebro,ou=people,dc=ldn,dc=sw,dc=com member: uid=bpower,ou=people,dc=ldn,dc=sw,dc=com member: uid=ihunt,ou=people,dc=ldn,dc=sw,dc=com member: uid=emoreton,ou=people,dc=ldn,dc=sw,dc=com member: uid=lcable,ou=people,dc=ldn,dc=sw,dc=com member: uid=pmurray,ou=people,dc=ldn,dc=sw,dc=com
# search result search: 2 result: 0 Success
You can clearly see the first Member line is myself. If I now try:
ldapcompare2.4 -v -x -h 10.2.250.15 -D cn=proxyagent,ou=profile,dc=ldn,dc=sw,dc=com -w xxxxxxxx "ou=auth,dc=ldn,dc=sw,dc=com" member:uid=stuart,ou=people,dc=ldn,dc=sw,dc=com
ldap_initialize( ldap://10.2.250.15 ) DN:ou=auth,dc=ldn,dc=sw,dc=com, attr:member, value:uid=stuart,ou=people,dc=ldn,dc=sw,dc=com Compare Result: No such attribute (16) UNDEFINED
Any pointers here would be useful.
Thanks,
Stuart.
Get a new e-mail account with Hotmail - Free. Sign-up now.http://clk.atdmt.com/UKM/go/197222280/direct/01/
I suggest reading these two threads and it might answer your question.
First Thread: http://www.openldap.org/lists/openldap-technical/200912/msg00022.html
Continuation of First Thread: http://www.openldap.org/lists/openldap-technical/201006/msg00018.html
Sorry for not re-typing all of that but i have other things to be doing this morning.
- Adam