Hi,
I'm afraid I'm missing something very simple here, and it is likely that the issue is in libnss-ldap and not in the OpenLDAP dynlist overlay; I just want to make sure everything is fine regarding the OpenLDAP configuration.
I'm using Debian 5.0 (Lenny) and OpenLDAP 2.4.11 (Debian packaged version). I'm also using rfc2307bis and I would like to have a dynamic group with all non-disabled Samba users. Not sure if it is recommended to send the full slapd.conf, so I'm just sending the parts I added in order to have the dynlist/"dynamic group".
/etc/ldap/slapd.conf:

  include /etc/ldap/schema/dyngroup.schema
  ...
  overlay dynlist
  dynlist-attrset posixGroup labeledURI member

  $ ldapsearch -x cn=active-samba-users
  dn: cn=active-samba-users,ou=Groups,dc=ahpi,dc=org
  objectClass: top
  objectClass: groupOfNames
  objectClass: posixGroup
  objectClass: sambaGroupMapping
  objectClass: labeledURIObject
  cn: active-samba-users
  gidNumber: 999
  sambaSID: S-1-5-21-1234567899-1234567899-123456789-2999
  sambaGroupType: 2
  displayName: active samba users
  labeledURI: ldap:///ou=People,?uid?sub?(&(objectClass=posixAccount)(objectClass=sambaSAMAccount)(!(sambaAcctFlags=*D*)))
When I run the search above I do get the expected results; several 'member' fields are added to the response:

  member: uid=userA,ou=People,dc=ahpi,dc=org
  member: uid=userB,ou=People,dc=ahpi,dc=org
The problem is that I would expect 'id userA' to include group 'active-samba-users', but it doesn't. However, 'getent group active-samba-users' includes all the users:

  active-samba-users:*:999:userA,userB
Am I doing something wrong or missing something obvious? Below are the complete versions of libnss-ldap.conf and pam_ldap.conf:

/etc/libnss-ldap.conf:

  ldap_version 3
  base dc=ahpi,dc=org
  host 127.0.0.1
  uri ldap://localhost
  rootbinddn cn=manager,dc=ahpi,dc=org
  scope sub
  pam_password ssha
  nss_schema rfc2307bis
  nss_map_attribute uniqueMember member

/etc/pam_ldap.conf:

  ldap_version 3
  base dc=ahpi,dc=org
  uri ldap://localhost
  rootbinddn cn=manager,dc=ahpi,dc=org
  pam_password ssha
  nss_schema rfc2307bis
  nss_map_attribute uniqueMember member
I also tried to use a different attrset:
  dynlist-attrset posixGroup labeledURI memberUid:uid

From some mailing list archives I had the impression that the approach above could solve it. I then removed nss_schema and nss_map_attribute from libnss-ldap and pam_ldap, but it didn't seem to work (the query was OK).
It seems to me that something is wrong with my libnss/pam configuration, but it would be great if somebody else could confirm it. Thanks in advance. :-)
Kind regards,
-- 
Felipe Augusto van de Wiel felipe.wiel@hpp.org.br
Information Technology (IT) - Complexo Pequeno Príncipe
http://www.pequenoprincipe.org.br/
T: +55 41 3310 1747
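As an added illustration (not code from the thread, and not the overlay's own implementation), this Python snippet parses the group's labeledURI and evaluates its filter against a few constructed user entries, showing which entries dynlist would expand into 'member' DNs with the attrset in slapd.conf above, or into 'memberUid' values with the memberUid:uid attrset. The fully written-out search base in the URI and the sample entries are assumptions.

```python
import re
from urllib.parse import unquote
# Constructed sample entries modelled on the thread's tree (not real directory data).
PEOPLE = {
    "uid=userA,ou=People,dc=ahpi,dc=org": {"uid": ["userA"], "sambaAcctFlags": ["[U          ]"],
                                           "objectClass": ["posixAccount", "sambaSAMAccount"]},
    "uid=userB,ou=People,dc=ahpi,dc=org": {"uid": ["userB"], "sambaAcctFlags": ["[UD         ]"],
                                           "objectClass": ["posixAccount", "sambaSAMAccount"]},  # disabled
    "uid=svc,ou=People,dc=ahpi,dc=org": {"uid": ["svc"], "objectClass": ["posixAccount"]},      # no Samba
    "uid=ext,ou=Contacts,dc=ahpi,dc=org": {"uid": ["ext"], "sambaAcctFlags": ["[U          ]"],
                                           "objectClass": ["posixAccount", "sambaSAMAccount"]},  # outside base
}
# The group's labeledURI from the thread; the search base is written out in full here (assumed).
LABELED_URI = ("ldap:///ou=People,dc=ahpi,dc=org?uid?sub?"
               "(&(objectClass=posixAccount)(objectClass=sambaSAMAccount)(!(sambaAcctFlags=*D*)))")

def parse_filter(s, i=0):
    """Parse an RFC 4515 filter (&, |, !, equality, presence, substring) starting at s[i]."""
    i += 1                                    # skip '('
    if s[i] in "&|!":
        op, items, i = s[i], [], i + 1
        while s[i] == "(":
            node, i = parse_filter(s, i)
            items.append(node)
        return (op, items), i + 1             # skip the set's closing ')'
    j = s.index(")", i)
    attr, _, value = s[i:j].partition("=")
    return ("=", attr, value), j + 1

def matches(node, entry):
    """Evaluate a parsed filter against one entry; attribute names are case-insensitive."""
    op = node[0]
    if op == "&": return all(matches(n, entry) for n in node[1])
    if op == "|": return any(matches(n, entry) for n in node[1])
    if op == "!": return not matches(node[1][0], entry)
    _, attr, value = node
    vals = next((v for k, v in entry.items() if k.lower() == attr.lower()), [])
    if value == "*":                          # presence filter
        return bool(vals)
    rx = re.compile("^" + ".*".join(map(re.escape, value.split("*"))) + "$", re.I)
    return any(rx.match(v) for v in vals)     # '*D*' matches any value containing 'D'

def dynlist_expand(labeled_uri, entries, attr=None):
    """Mimic dynlist: matching DNs (attrset 'member') or, with attr, their attr values ('memberUid:uid')."""
    base, _attrs, _scope, flt = unquote(labeled_uri[len("ldap:///"):]).split("?", 3)
    node, _ = parse_filter(flt)               # 'sub' scope assumed: DN must lie under base
    return [v for dn, e in entries.items()
            if dn.lower().endswith("," + base.lower()) and matches(node, e)
            for v in (e[attr] if attr else [dn])]
```

Only userA is expanded: userB carries the 'D' (disabled) flag, svc has no sambaSAMAccount class, and ext lies outside the URI's search base.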
Felipe Augusto van de Wiel felipe.wiel@hpp.org.br writes:
> Hi,
>
> I'm afraid I'm missing something very simple here, and it is likely that the issue is in libnss-ldap and not in the OpenLDAP dynlist overlay; I just want to make sure everything is fine regarding the OpenLDAP configuration.
>
> I'm using Debian 5.0 (Lenny) and OpenLDAP 2.4.11 (Debian packaged version). I'm also using rfc2307bis and I would like to have a dynamic group with all non-disabled Samba users. Not sure if it is recommended to send the full slapd.conf, so I'm just sending the parts I added in order to have the dynlist/"dynamic group".
>
> /etc/ldap/slapd.conf:
>
>   include /etc/ldap/schema/dyngroup.schema
>   ...
>   overlay dynlist
>   dynlist-attrset posixGroup labeledURI member
>
>   $ ldapsearch -x cn=active-samba-users
>   dn: cn=active-samba-users,ou=Groups,dc=ahpi,dc=org
>   objectClass: top
>   objectClass: groupOfNames
>   objectClass: posixGroup
>   objectClass: sambaGroupMapping
>   objectClass: labeledURIObject
>   cn: active-samba-users
>   gidNumber: 999
>   sambaSID: S-1-5-21-1234567899-1234567899-123456789-2999
>   sambaGroupType: 2
>   displayName: active samba users
>   labeledURI: ldap:///ou=People,?uid?sub?(&(objectClass=posixAccount)(objectClass=sambaSAMAccount)(!(sambaAcctFlags=*D*)))
>
> When I run the search above I do get the expected results; several 'member' fields are added to the response:
>
>   member: uid=userA,ou=People,dc=ahpi,dc=org
>   member: uid=userB,ou=People,dc=ahpi,dc=org
That is what the dynlist overlay and the labeledURI attribute value provide, according to your configuration.
> The problem is that I would expect 'id userA' to include group 'active-samba-users', but it doesn't. However, 'getent group active-samba-users' includes all the users:
>
>   active-samba-users:*:999:userA,userB
>
> [...]
modify the dynlist overlay configuration and rewrite the labeledURI attribute value in order to match your requirements.
-Dieter
Thanks for replying. :-)
On 20-05-2010 12:07, Dieter Kluenter wrote:
> Felipe Augusto van de Wiel felipe.wiel@hpp.org.br writes:
> [...]
>> The problem is that I would expect 'id userA' to include group 'active-samba-users', but it doesn't. However, 'getent group active-samba-users' includes all the users:
>>
>>   active-samba-users:*:999:userA,userB
> [...]
> modify the dynlist overlay configuration and rewrite the labeledURI attribute value in order to match your requirements.
Well, that's kind of the problem. As I understood it, everything is just fine: the dynlist is working and adding the member fields as expected, and 'getent group' returns the users matching the "dyngroup" and its filter, but 'id' and the rest of the system, for some reason that I'm obviously missing, don't see the users as part of the group, although the group lists the users in it. :-(

Kind regards,
Felipe Augusto van de Wiel felipe.wiel@hpp.org.br writes:
> Thanks for replying. :-)
>
> On 20-05-2010 12:07, Dieter Kluenter wrote:
>> Felipe Augusto van de Wiel felipe.wiel@hpp.org.br writes:
>> [...]
>>> The problem is that I would expect 'id userA' to include group 'active-samba-users', but it doesn't. However, 'getent group active-samba-users' includes all the users:
>>>
>>>   active-samba-users:*:999:userA,userB
>> [...]
>> modify the dynlist overlay configuration and rewrite the labeledURI attribute value in order to match your requirements.
>
> Well, that's kind of the problem. As I understood it, everything is just fine: the dynlist is working and adding the member fields as expected, and 'getent group' returns the users matching the "dyngroup" and its filter, but 'id' and the rest of the system, for some reason that I'm obviously missing, don't see the users as part of the group, although the group lists the users in it. :-(
I see, so this is more an NSS and PAM problem than an OpenLDAP issue. You may try the nssov overlay, see man slapo-nssov(5), although I have no vital experience with this overlay.
-Dieter