6:53 p.m.
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512
Hi,
I'm afraid I'm missing something very simple
here and it is likely that the issue is on libnss-ldap
and not on OpenLDAP dynlist overlay, I just want to make
sure everything is fine regarding OpenLDAP configuration.
I'm using Debian 5.0 (Lenny) and OpenLDAP 2.4.11
(Debian packaged version). I'm also using rfc2307bis and
I would like to have a dynamic group with all non-disabled
Samba users. Not sure if it is recommended to send the
full slapd.conf, so I'm just sending the parts I added in
order to have the dynlist/"dynamic group".
/etc/ldap/slapd.conf:
include /etc/ldap/schema/dyngroup.schema
...
overlay dynlist
dynlist-attrset posixGroup labeledURI member
$ ldapsearch -x cn=active-samba-users
dn: cn=active-samba-users,ou=Groups,dc=ahpi,dc=org
objectClass: top
objectClass: groupOfNames
objectClass: posixGroup
objectClass: sambaGroupMapping
objectClass: labeledURIObject
cn: active-samba-users
gidNumber: 999
sambaSID: S-1-5-21-1234567899-1234567899-123456789-2999
sambaGroupType: 2
displayName: active samba users
labeledURI:
ldap:///ou=People,?uid?sub?(&(objectClass=posixAccount)(objectClass=sambaSAMAccount)(!(sambaAcctFlags=*D*)))
When I run the search above I do get the
expected results, several 'member' fields are
added to the response:
member: uid=userA,ou=People,dc=ahpi,dc=org
member: uid=userB,ou=People,dc=ahpi,dc=org
The problem, is that I would expect and
'id userA' to include group 'active-samba-users'
but it doesn't. But 'getent group active-samba-users'
includes all the users:
active-samba-users:*:999:userA,userB
Am I doing something wrong or missing
something obvious? Below are the complete version
of libnss-ldap.conf and pam_ldap.conf
/etc/libnss-ldap.conf:
ldap_version 3
base dc=ahpi,dc=org
host 127.0.0.1
uri ldap://localhost
rootbinddn cn=manager,dc=ahpi,dc=org
scope sub
pam_password ssha
nss_schema rfc2307bis
nss_map_attribute uniqueMember member
/etc/pam_ldap.conf
ldap_version 3
base dc=ahpi,dc=org
uri ldap://localhost
rootbinddn cn=manager,dc=ahpi,dc=org
pam_password ssha
nss_schema rfc2307bis
nss_map_attribute uniqueMember member
I also tried to use a different attrset:
dynlist-attrset posixGroup labeledURI memberUid:uid
From some maillist archives I had the impression
that the approach above could solve it, I then removed
the nss_schema and nss_map_attribute from libnss-ldap and
pam_ldap but it didn't seem to work (the query was OK).
It seems to me that something is wrong with my
libnss/pam configuration, but it would be great if
somebody else could confirm it. Thanks in advance. :-)
Kind regards,
- --
Felipe Augusto van de Wiel <felipe.wiel(a)hpp.org.br>
Tecnologia da Informação (TI) - Complexo Pequeno Príncipe
http://www.pequenoprincipe.org.br/ T: +55 41 3310 1747
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.10 (GNU/Linux)
Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org/
iQIcBAEBCgAGBQJL9JYHAAoJECCPPxLgxLxPv3gP/ip9seR1fhhLvrTwQ9OlfdjL
iRk3nU9iPj5JtzwDHiOl872CTdZuI7Hbh4bCAe61Ix7Ai8Sz0nZsaBJRu2L+4K9W
4qY2lLAChn1k/R//9pnWxSi3zRInL6aMIXWWPqxLI5cmN9zht6Z0YQp/Uf5tkoez
q16nXSklJTJFJEAaEbhR5oxVo0vAGAl8zMdU8aZ1OicsdaVG4e0gzTtaCet6Yyvf
lCt7M1S3TNW4emebysKML+lbC6MdCAdUiRn0TzN3RL7v/42YZQX7k/nL2ZWKhIEn
jTkB5AzH4G1SjMTjq2yl3x7JGjFEmgPIDVTHcXfZj8mho6VaHmfR2QLGY6Mmt6/E
7ATQsYe57qNhTW5XhrUadd/5M+jCHkFe6mfKALbYhmj4Yjj1cXUxLTh4g4AYtWbL
qKd+haYf8cFDoDDBvf/bQQBe8tlM0ZRLkbqliy6I0+VZGoWkGButwM0TVjSPnin5
h7by/m3cgRFuRf2qZEafCoCzsVExN8wLKkzo9VHDx9ZxvA0KJ6QEQl52s5w+DkmF
CxyjTkRWPYi6mpzj9+nK0l8wbTeq+GLV2qvldPt+QIPyWDVOrnzJofkJK36Huhzs
7siOd8SI2uSSZwrRESaNWl/Wjyf0DAUhXOHUYqpGBIg9yiWHCKWr/A0EhOVOEWwb
CyPGFEw88YJq8dD89pdb
=Icjy
-----END PGP SIGNATURE-----
8:07 a.m.
Felipe Augusto van de Wiel <felipe.wiel(a)hpp.org.br> writes:
Hi,
I'm afraid I'm missing something very simple
here and it is likely that the issue is on libnss-ldap
and not on OpenLDAP dynlist overlay, I just want to make
sure everything is fine regarding OpenLDAP configuration.
I'm using Debian 5.0 (Lenny) and OpenLDAP 2.4.11
(Debian packaged version). I'm also using rfc2307bis and
I would like to have a dynamic group with all non-disabled
Samba users. Not sure if it is recommended to send the
full slapd.conf, so I'm just sending the parts I added in
order to have the dynlist/"dynamic group".
/etc/ldap/slapd.conf:
include /etc/ldap/schema/dyngroup.schema
...
overlay dynlist
dynlist-attrset posixGroup labeledURI member
$ ldapsearch -x cn=active-samba-users
dn: cn=active-samba-users,ou=Groups,dc=ahpi,dc=org
objectClass: top
objectClass: groupOfNames
objectClass: posixGroup
objectClass: sambaGroupMapping
objectClass: labeledURIObject
cn: active-samba-users
gidNumber: 999
sambaSID: S-1-5-21-1234567899-1234567899-123456789-2999
sambaGroupType: 2
displayName: active samba users
labeledURI:
ldap:///ou=People,?uid?sub?(&(objectClass=posixAccount)(objectClass=sambaSAMAccount)(!(sambaAcctFlags=*D*)))
When I run the search above I do get the
expected results, several 'member' fields are
added to the response:
member: uid=userA,ou=People,dc=ahpi,dc=org
member: uid=userB,ou=People,dc=ahpi,dc=org
That is what the dynlist overlay and the labeledURI attribute value
provide, according to your configuration.
The problem, is that I would expect and
'id userA' to include group 'active-samba-users'
but it doesn't. But 'getent group active-samba-users'
includes all the users:
active-samba-users:*:999:userA,userB
[...]
modify the dynlist overlay configuration and rewrite the labeledURI
attribute value in order to match your requirements.
-Dieter
--
Dieter Klünter | Systemberatung
sip: +49.40.20932173
http://www.dpunkt.de/buecher/2104.html
GPG Key ID:8EF7B6C6
5:59 p.m.
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512
Thanks for replying. :-)
On 20-05-2010 12:07, Dieter Kluenter wrote:
Felipe Augusto van de Wiel <felipe.wiel(a)hpp.org.br> writes:
[...]
> The problem, is that I would expect and
> 'id userA' to include group 'active-samba-users'
> but it doesn't. But 'getent group active-samba-users'
> includes all the users:
>
> active-samba-users:*:999:userA,userB
[...]
modify the dynlist overlay configuration and rewrite the
labeledURI attribute value in order to match your
requirements.
Well, that's kind of the problem, as I understood
it, everything is just fine, the dynlist is working and
adding the member fields as expected, the 'getent group'
return the users equivalent to "dyngroup" and respective
filter, but 'id' and the rest of the system, for some that
reason that I'm obviously missing, doesn't seem the users
as part of the group, although the group list the user in
it. :-(
Kind regards,
- --
Felipe Augusto van de Wiel <felipe.wiel(a)hpp.org.br>
Tecnologia da Informação (TI) - Complexo Pequeno Príncipe
http://www.pequenoprincipe.org.br/ T: +55 41 3310 1747
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.10 (GNU/Linux)
Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org/
iQIcBAEBCgAGBQJL9yxlAAoJECCPPxLgxLxP81EP/j3UwwjSRd2G+z0VoXbX/IH6
Ir2/Ms4N4xCaH9LoyG4DiYJJ/g4zGkUL6lUjReT5JmBUDdveXm/bqNh465IT0vaW
BfWcZsmkC+nxv11I5TWFpc7pTccvK5BlKOl2xGgGhlkA83aW/0ChzShgeUvsdg0B
hen6omZ1eq0TqwLpZRxZmhvkzx9oEbijOGJjA32GQHeC9lJ4YRJPGo6V1bOYSBKP
XCo/VL/0mYrijM47b8enY4ajw/twt9OPyETA2c1Dy/qxJBPkyFSguCqO1P2G4j0c
kdEqdAh8HAonPWryBfIJgcmlOxwsXlRq33Gwrp2sgWtsAAuaxbQWHoUkkGOJcxgv
RsKHAFcOvaNA/YJbQCmquvPm0P5Oy3/c/+Nwtk3oJHVoU0e6VoRggUyVu/gXvt52
jRpACDT0Dfxj5H2ALJOmTtpJazZ+pSRq7UTJCM5Ay5LL8hPjPOdL8mwAXlrmMIXG
TxiPLAr0DbTG1NiB2c3pWTj1aw04DP0dKt6ar6LISC0Y4VSIgwrKg22KPlCCoyZc
LCpCi0stsd8HNbtQH3iwYjyjykBGNeef4Y1Q15lRj5S/h0ITZKni2SGwAYLeRTA2
SNjg9vR2eW5nHTNjZUHKWXD2coG2TkGzkMzuk9Pl+HIfNtHkILRci+zDv5iFabVv
+2c0CqXNFWzsJJxIP2HX
=8mV4
-----END PGP SIGNATURE-----
11:14 a.m.
Felipe Augusto van de Wiel <felipe.wiel(a)hpp.org.br> writes:
Thanks for replying. :-)
On 20-05-2010 12:07, Dieter Kluenter wrote:
> Felipe Augusto van de Wiel <felipe.wiel(a)hpp.org.br> writes:
[...]
>> The problem, is that I would expect and
>> 'id userA' to include group 'active-samba-users'
>> but it doesn't. But 'getent group active-samba-users'
>> includes all the users:
>>
>> active-samba-users:*:999:userA,userB
> [...]
>
> modify the dynlist overlay configuration and rewrite the
> labeledURI attribute value in order to match your
> requirements.
Well, that's kind of the problem, as I understood
it, everything is just fine, the dynlist is working and
adding the member fields as expected, the 'getent group'
return the users equivalent to "dyngroup" and respective
filter, but 'id' and the rest of the system, for some that
reason that I'm obviously missing, doesn't seem the users
as part of the group, although the group list the user in
it. :-(
I see, so this is more a nss and pam problem than a openldap
issue. You may try the nssov overlay, see man slapo-nssov(5), although
I have no vital experience with this overlay.
-Dieter
--
Dieter Klünter | Systemberatung
sip: +49.40.20932173
http://www.dpunkt.de/buecher/2104.html
GPG Key ID:8EF7B6C6
4937
days inactive
4940
days old
openldap-technical@openldap.org
3 comments
2 participants
participants (2)
-
Dieter Kluenter -
Felipe Augusto van de Wiel