Hi
Does the id command work with a system using OpenLDAP authentication?
I have implemented a server with OpenLDAP 2.4, and several clients use this system to authenticate users. It works fine, except that when I do "id user" on a client it only gives me the information of the primary group which the user belongs to, and not of the supplementary groups that he is also a member of in the LDAP server...
Any ideas??
Regards,
Oskar Kossuth
UNIX Administrator
ANTEL Telecomunicaciones
Hello Oskar,
> Hi
> Does the id command work with a system using OpenLDAP authentication?
Yes.
> I have implemented a server with openldap 2.4 and several clients use this system to authenticate users, and works fine except that when I do a "id user" on a client it only gives me the information of the primary group which the user belongs to and not of the supplementary groups that he is also a member of in the LDAP server...
So you mean you only see OS-groups when using "id"?
> any ideas??
It appears as if an ACL is not set properly. How/Where are your groups stored in the ldap backend?
Thanks for your reply, Claus.
My problem is that I only see the primary group without the supplementary ones when the groups are stored in LDAP and the user is in the LDAP server.
If the user is local (defined in /etc/passwd) I can see the primary group and supplementary groups without a problem (these groups are local also)... I have some groups stored only on the LDAP server, and others locally. For example:
The jbosstest user is defined in the LDAP server only, and is a member of the groups ldaptest and mysql (also defined only on the LDAP server). When I use the command id I get:
# id jbosstest
uid=7000(jbosstest) gid=7002(ldaptest) groups=7002(ldaptest)
id never shows me the supplementary group mysql...
Any ideas?
Regards,
Oskar Kossuth
UNIX Administrator
ANTEL Telecomunicaciones
-----Original Message-----
From: openldap-technical-bounces+okossuth=antel.com.uy@OpenLDAP.org [mailto:openldap-technical-bounces+okossuth=antel.com.uy@OpenLDAP.org] On behalf of Kick, Claus
Sent: Wednesday, December 17, 2008 4:56 AM
To: openldap-technical@openldap.org
Subject: AW: Unix id command and Openldap
On Wed, Dec 17, 2008 at 02:20:40PM -0200, okossuth@antel.com.uy wrote:
> My problem is that I only see the primary group without the supplementary ones, whenever the groups are stored in the LDAP if the user is in the ldap server.
This sounds more like an NSS problem than a purely OpenLDAP one, so you may get more help by posting to nssldap@padl.com.
Please post the 'passwd' and 'group' lines from /etc/nsswitch.conf and also the /etc/ldap.conf file (with passwords obscured).
It would also be worth running slapd at debug level 768 and posting what gets logged when you run the 'id' command.
Andrew
Hi
I'm sending you the /etc/ldap.conf and /etc/nsswitch.conf of the client.
Thanks for your help.
Regards,
Oskar Kossuth
UNIX Administrator
ANTEL Telecomunicaciones
-----Original Message-----
From: openldap-technical-bounces+okossuth=antel.com.uy@OpenLDAP.org [mailto:openldap-technical-bounces+okossuth=antel.com.uy@OpenLDAP.org] On behalf of Andrew Findlay
Sent: Wednesday, December 17, 2008 2:00 PM
To: Kossuth Espinosa, Oskar
CC: openldap-technical@openldap.org; claus.kick@siemens.com
Subject: Re: Unix id command and Openldap
On Wed, Dec 17, 2008 at 03:40:54PM -0200, okossuth@antel.com.uy wrote:
> im sending you the /etc/ldap.conf and /etc/nsswitch.conf of the client.
OK - from a quick scan of those I would expect a group lookup to be roughly equivalent to this search:
ldapsearch -x -b \
    "ou=Grupos,ou=Teleinformatica,dc=vmlx-ldapauth-test,dc=in.iantel.com.uy" \
    '(memberUID=XXX)'
where XXX is the username of a user that appears in some group.
What do you get if you try that search? Could you post a typical entry from the ou=Grupos,ou=Teleinformatica,dc=vmlx-ldapauth-test,dc=in.iantel.com.uy area?
It would still be useful to post the log output when running slapd with loglevel 768 (stats + stats2)
Andrew
Hi
I get this when searching for the jbosstest user defined on the LDAP server:
conn=896 fd=41 ACCEPT from IP=127.0.0.1:47131 (IP=0.0.0.0:389)
conn=896 op=0 BIND dn="" method=128
conn=896 op=0 RESULT tag=97 err=0 text=
# extended LDIF
#
# LDAPv3
# base <ou=Grupos,ou=Teleinformatica,dc=vmlx-ldapauth-test,dc=in.iantel.com.uy> with scope subtree
# filter: (memberUID=jbosstest)
# requesting: ALL
#
conn=896 op=1 SRCH base="ou=Grupos,ou=Teleinformatica,dc=vmlx-ldapauth-test,dc=in.iantel.com.uy" scope=2 deref=0 filter="(memberUid=jbosstest)"
conn=896 op=1 SEARCH RESULT tag=101 err=0 nentries=0 text=
# search result
search: 2
result: 0 Success

# numResponses: 1
vmlx-ldapauth-test:/etc/openldap # conn=896 op=2 UNBIND
conn=896 fd=41 closed ()
And I get this when I search the group mysql defined on the ldap server too:
vmlx-ldapauth-test:/home/okossuth # ldapsearch -x -D 'cn=admin,dc=vmlx-ldapauth-test,dc=in.iantel.com.uy' -W -b 'ou=Teleinformatica,dc=vmlx-ldapauth-test,dc=in.iantel.com.uy' cn=mysql
Enter LDAP Password:
# extended LDIF
#
# LDAPv3
# base <ou=Teleinformatica,dc=vmlx-ldapauth-test,dc=in.iantel.com.uy> with scope subtree
# filter: cn=mysql
# requesting: ALL
#

# mysql, Grupos, Teleinformatica, vmlx-ldapauth-test.in.iantel.com.uy
dn: cn=mysql,ou=Grupos,ou=Teleinformatica,dc=vmlx-ldapauth-test,dc=in.iantel.c
 om.uy
cn: mysql
objectClass: posixGroup
objectClass: namedObject
objectClass: top
description: gdodera
gidNumber: 4620
memberUid: gdodera
memberUid: jbosstest

# search result
search: 2
result: 0 Success

# numResponses: 2
# numEntries: 1
thanks for your help!
Regards,
Oskar Kossuth
UNIX Administrator
ANTEL Telecomunicaciones
-----Original Message-----
From: Andrew Findlay [mailto:andrew.findlay@skills-1st.co.uk]
Sent: Wednesday, December 17, 2008 3:50 PM
To: Kossuth Espinosa, Oskar
CC: claus.kick@siemens.com; openldap-technical@openldap.org
Subject: Re: Unix id command and Openldap
Hello,
okossuth@antel.com.uy wrote:
[...]
> vmlx-ldapauth-test:/home/okossuth # ldapsearch -x -D 'cn=admin,dc=vmlx-ldapauth-test,dc=in.iantel.com.uy' -W -b 'ou=Teleinformatica,dc=vmlx-ldapauth-test,dc=in.iantel.com.uy' cn=mysql
[...]
So, from what I see, the needed LDAP entries are there, but:
1. Do you need authentication to list the groups? E.g. try that without the "-D" and "-W", because you don't specify a bindDN and bindPW in the "ldap.conf" file.
2. In the "ldap.conf" file there are two lines, "nss_map_attributes" and "nss_map_objectclass", which aren't commented out and _might_ confuse things for nss_ldap.
bye
Christian
1. Yes, you are right, I don't need authentication.
2. I commented out those lines, but I still don't get the supplementary groups defined on the LDAP server when using the id command :(
What else could it be?
Regards,
Oskar Kossuth E.
Unix Administrator
okossuth@servicios.antel.com.uy
ANTEL telecomunicaciones
-----Original Message-----
From: openldap-technical-bounces+okossuth=antel.com.uy@OpenLDAP.org on behalf of Christian Marg
Sent: Thu 12/18/2008 3:45
To: Kossuth Espinosa, Oskar
CC: claus.kick@siemens.com; andrew.findlay@skills-1st.co.uk; openldap-technical@openldap.org
Subject: Re: Unix id command and Openldap
Guys, I found this while searching for information about the tasty group defined on the LDAP server:
vmlx-lamp-intg:/home/okossuth # ldapsearch -x -h vmlx-ldapauth-test.in.iantel.com.uy -b 'ou=Teleinformatica,dc=vmlx-ldapauth-test,dc=in.iantel.com.uy' cn=Tasty
# extended LDIF
#
# LDAPv3
# base <ou=Teleinformatica,dc=vmlx-ldapauth-test,dc=in.iantel.com.uy> with scope subtree
# filter: cn=Tasty
# requesting: ALL
#

# Tasty, Grupos, Teleinformatica, vmlx-ldapauth-test.in.iantel.com.uy
dn: cn=Tasty,ou=Grupos,ou=Teleinformatica,dc=vmlx-ldapauth-test,dc=in.iantel.c
 om.uy
cn: Tasty
objectClass: groupOfNames
objectClass: top
objectClass: posixGroup
gidNumber: 7898

# search result
search: 2
result: 0 Success

# numResponses: 2
# numEntries: 1
As it seems, it never shows the member or memberUid attributes. I have defined a couple of users belonging to the tasty group using ldapmodify, and phpldapadmin shows me the attributes, but the id command does not. Could this be the source of the problem with the id command not showing supplementary groups?
Thanks!
Regards,
Oskar Kossuth
UNIX Administrator
ANTEL Telecomunicaciones
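A quick way to check Christian's first point (whether an anonymous client bind, which is what nss_ldap does when ldap.conf has no binddn, sees the same group attributes as the admin bind) against the Tasty output above, as an added Python example that is not from the thread: it parses two ldapsearch LDIF outputs and reports the attributes that only the bound search returned. The LDIF samples are constructed from the thread's cn=mysql entry, and the "anonymous" sample assumes an ACL hiding memberUid.

```python
import re

# Constructed sample modelled on the thread's cn=mysql entry as returned to a
# bind as cn=admin (folded dn line kept to exercise LDIF unfolding).
AUTH_LDIF = """\
# mysql, Grupos, Teleinformatica, vmlx-ldapauth-test.in.iantel.com.uy
dn: cn=mysql,ou=Grupos,ou=Teleinformatica,dc=vmlx-ldapauth-test,dc=in.iantel.c
 om.uy
cn: mysql
objectClass: posixGroup
gidNumber: 4620
memberUid: gdodera
memberUid: jbosstest

# search result
search: 2
result: 0 Success
"""

# Constructed assumption: what an anonymous bind (nss_ldap with no binddn in
# ldap.conf) would see if an ACL hides memberUid, like the Tasty entry above.
ANON_LDIF = AUTH_LDIF.replace("memberUid: gdodera\nmemberUid: jbosstest\n", "")

def parse_ldif(text):
    """Parse ldapsearch output into [{attr: [values]}]: skip '#' comments, join
    folded lines (newline + space), keep only blocks that have a dn."""
    entries, current = [], {}
    for line in re.sub(r"\n ", "", text).splitlines():
        if not line.strip():
            if "dn" in current:
                entries.append(current)
            current = {}
        elif not line.startswith("#"):
            attr, _, value = line.partition(":")  # '::' base64 values not decoded
            current.setdefault(attr.strip(), []).append(value.strip())
    if "dn" in current:
        entries.append(current)
    return entries

def supplementary_groups(ldif, user):
    """Group names whose memberUid lists the user: what 'id' gets via NSS."""
    return sorted(e["cn"][0] for e in parse_ldif(ldif) if user in e.get("memberUid", []))

def hidden_attrs(anon_ldif, auth_ldif):
    """{dn: attrs} the bound search returned but the anonymous one did not."""
    anon = {e["dn"][0]: set(e) for e in parse_ldif(anon_ldif)}
    missing = {e["dn"][0]: set(e) - anon.get(e["dn"][0], set()) for e in parse_ldif(auth_ldif)}
    return {dn: attrs for dn, attrs in missing.items() if attrs}
```

Feed it the real output of the two ldapsearch runs (with and without -D/-W) instead of the constructed strings; any dn listed with memberUid missing points at an ACL, not at nss_ldap.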