9:43 a.m.
Hi,
I have problems with debian etch Linux clients resolving group names
served by our LDAP server. user and passwd work because I can login
properly.
"getent group" properly shows the group served by the LDAP server.
eg: #getent group
mygroup:x:1000:chris
However "id username" only shows LDAP served groupIDs but not their names.
eg: #id chris
uid=1002(chris) gid=1000 groups=1000,20(dialout)
This means that I can't do things like chgrp eg: "chgroup mygroup
directoryname" gives:
"chgrp: invalid group `mygroup'"
I am using nscd and nsswitch.conf says:
passwd: files ldap
group: files ldap
shadow: files ldap
Any ideas?
Thanks!
--
Christian Weihrauch,
The University of Reading
10:04 a.m.
In your /etc/libnss-ldap.conf do you have
pam_groupdn ou=Groups,dc=example,dc=com
pam_member_attribute uniquemember
nss_base_group ou=Group,dc=example,dc=com?one
set? Those have bitten me in the past. You should also
check /etc/pam_ldap.conf
Pat
On Fri, 2008-02-29 at 17:43 +0000, Christian Weihrauch wrote:
Hi,
I have problems with debian etch Linux clients resolving group names
served by our LDAP server. user and passwd work because I can login
properly.
"getent group" properly shows the group served by the LDAP server.
eg: #getent group
mygroup:x:1000:chris
However "id username" only shows LDAP served groupIDs but not their names.
eg: #id chris
uid=1002(chris) gid=1000 groups=1000,20(dialout)
This means that I can't do things like chgrp eg: "chgroup mygroup
directoryname" gives:
"chgrp: invalid group `mygroup'"
I am using nscd and nsswitch.conf says:
passwd: files ldap
group: files ldap
shadow: files ldap
Any ideas?
Thanks!
1:34 p.m.
Hi Pat,
On 29 Feb 2008, at 18:04, Pat Riehecky wrote:
In your /etc/libnss-ldap.conf do you have
pam_groupdn ou=Groups,dc=example,dc=com
pam_member_attribute uniquemember
nss_base_group ou=Group,dc=example,dc=com?one
I don't have any pam_* settings enabled.
I have tried with and without nss_base_group with no luck.
set? Those have bitten me in the past. You should also
check /etc/pam_ldap.conf
Here I didn't try the pam_groupdn because I didn't wan to enforce a
group membership.
Thanks!
Chris
Pat
On Fri, 2008-02-29 at 17:43 +0000, Christian Weihrauch wrote:
> Hi,
>
> I have problems with debian etch Linux clients resolving group names
> served by our LDAP server. user and passwd work because I can login
> properly.
> "getent group" properly shows the group served by the LDAP server.
> eg: #getent group
> mygroup:x:1000:chris
>
> However "id username" only shows LDAP served groupIDs but not their
> names.
> eg: #id chris
> uid=1002(chris) gid=1000 groups=1000,20(dialout)
>
> This means that I can't do things like chgrp eg: "chgroup mygroup
> directoryname" gives:
> "chgrp: invalid group `mygroup'"
>
> I am using nscd and nsswitch.conf says:
> passwd: files ldap
> group: files ldap
> shadow: files ldap
>
> Any ideas?
>
> Thanks!
1:06 a.m.
On Friday 29 February 2008 19:43:30 Christian Weihrauch wrote:
Hi,
I have problems with debian etch Linux clients resolving group names
served by our LDAP server. user and passwd work because I can login
properly.
Do you have other clients which work correctly?
"getent group" properly shows the group served by the LDAP
server.
eg: #getent group
mygroup:x:1000:chris
So, resolving group names actually works.
However "id username" only shows LDAP served groupIDs but
not their names.
eg: #id chris
uid=1002(chris) gid=1000 groups=1000,20(dialout)
This means that I can't do things like chgrp eg: "chgroup mygroup
directoryname" gives:
"chgrp: invalid group `mygroup'"
I would stop nscd first, and test again.
I am using nscd and nsswitch.conf says:
(note that nsswitch doesn't have that much to do with nscd ... but nscd can
make changes in nsswitch.conf take longer to apply, due to caching)
passwd: files ldap
group: files ldap
shadow: files ldap
I assume both the above commands (getent group, and id chris) were run as the
same user, if not, you should specify if they were run as root or not in each
case, as this could be a binddn/anonymous vs rootbinddn issue.
Regards,
Buchan
2:41 a.m.
Hi Buchan,
Buchan Milne wrote:
On Friday 29 February 2008 19:43:30 Christian Weihrauch wrote:
> Hi,
>
> I have problems with debian etch Linux clients resolving group names
> served by our LDAP server. user and passwd work because I can login
> properly.
Do you have other clients which work correctly?
No, I have 3 nodes which show the
same problem. Having said that they
are all debian etch with the same config.
> "getent group" properly shows the group served by the LDAP server.
> eg: #getent group
> mygroup:x:1000:chris
So, resolving group names actually works.
Yes.
> However "id username" only shows LDAP served groupIDs but not their names.
> eg: #id chris
> uid=1002(chris) gid=1000 groups=1000,20(dialout)
>
> This means that I can't do things like chgrp eg: "chgroup mygroup
> directoryname" gives:
> "chgrp: invalid group `mygroup'"
I would stop nscd first, and test again.
Tried that with no luck.
> I am using nscd and nsswitch.conf says:
(note that nsswitch doesn't have that much to do with nscd ... but nscd can
make changes in nsswitch.conf take longer to apply, due to caching)
> passwd: files ldap
> group: files ldap
> shadow: files ldap
I assume both the above commands (getent group, and id chris) were run as the
same user, if not, you should specify if they were run as root or not in each
case, as this could be a binddn/anonymous vs rootbinddn issue.
Makes no difference
in my case root/user with/without nscd all the same
outcome.
Thanks!
Chris
--
Christian Weihrauch, M.Sc., Dipl.-Ing. (FH)
Research Assistant
ACET Centre
School of System Engineering
The University of Reading
Philip Lyle Building
Whiteknights, PO Box 68
Reading, RG6 6BX, UK
---------------------------------------------------------------------
Email: c.weihrauch(a)reading.ac.uk
Tel: +44 (0)118 378 7645
Fax: +44 (0)118 378 5224
WWW: http://acet.rdg.ac.uk/~cw/
---------------------------------------------------------------------
Department web-site: http://www.sse.rdg.ac.uk/
---------------------------------------------------------------------
5690
days inactive
5693
days old
openldap-technical@openldap.org
4 comments
3 participants
participants (3)
-
Buchan Milne -
Christian Weihrauch -
Pat Riehecky