[Fedora-directory-users] nss_ldap - using full DNs in memberattribute

Stipl, Stepan sstipl at exstream.com
Mon Jun 4 15:25:46 UTC 2007


Hi,
	Just FYI - I managed to solve my problem.
	
	To enable group members specified by full DN, you need to have the
following line in ldap.conf

		nss_schema rfc2307bis

	Actually it's also in manual:

		nss_schema <rfc2307bis|rfc2307>
		        If the value of this option is rfc2307bis then
		        support for the RFC2307bis schema (distinguished
		        names in groups) will be enabled.


	I hope this may also help somebody else in the future, thanks
for the help to Ashley.

.stepan
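The rfc2307 versus rfc2307bis difference this thread resolves, as an added example that is not from any of the posts: a small Python model of how nss_ldap renders a "getent group" line under each nss_schema setting, using constructed user and group entries modelled on the DNs quoted in the thread, plus a check for member DNs that do not resolve to a user entry. The resolution logic and the DN normalization are simplifying assumptions, not nss_ldap's own code.

```python
import re

# Constructed sample directory, modelled on the DNs quoted in the thread.
USERS = {
    "uid=sstipl,ou=users,dc=example,dc=com": {"uid": "sstipl"},
    "uid=jsmith,ou=users,dc=example,dc=com": {"uid": "jsmith"},
}
# groupOfUniqueNames-style group (RFC 2256): members stored as full DNs.
GROUP_DN_MEMBERS = {"cn": "testgroup", "gidNumber": 1010, "uniqueMember": [
    "uid=sstipl,ou=users,dc=example,dc=com",
    "uid=jsmith,ou=users,dc=example,dc=com"]}
# posixGroup-style group (RFC 2307): memberUid holds bare login names.
GROUP_UID_MEMBERS = {"cn": "testgroup", "gidNumber": 1010,
                     "memberUid": ["sstipl", "jsmith"]}

def normalize_dn(dn):
    """Case-fold and drop whitespace after commas, so DNs compare roughly
    the way a server matches caseIgnore attributes (simplified assumption)."""
    return re.sub(r",\s+", ",", dn.strip()).lower()

def member_values(group):
    """Values of whichever member attribute the group carries."""
    return next((list(group[a]) for a in ("memberUid", "uniqueMember", "member")
                 if a in group), [])

def getent_group_line(group, users, nss_schema="rfc2307"):
    """Render a group as a 'getent group' line (simplified model of nss_ldap).
    rfc2307: member values are shown verbatim, so DN-valued members come out as
    full DNs (the symptom in the original post). rfc2307bis: DN-valued members
    are resolved to the uid of the matching user entry; unresolvable DNs drop."""
    if nss_schema not in ("rfc2307", "rfc2307bis"):
        raise ValueError("unknown nss_schema: %r" % nss_schema)
    members = member_values(group)
    if nss_schema == "rfc2307bis":
        index = {normalize_dn(dn): u["uid"] for dn, u in users.items()}
        resolved = []
        for m in members:
            if "=" not in m:                     # bare memberUid value
                resolved.append(m)
            elif normalize_dn(m) in index:       # DN that resolves to a user
                resolved.append(index[normalize_dn(m)])
        members = resolved
    return "%s:*:%d:%s" % (group["cn"], group["gidNumber"], ",".join(members))

def unresolved_members(group, users):
    """DN-valued members with no user entry: the first thing to check when a
    user's 'groups' output is empty under rfc2307bis."""
    known = {normalize_dn(dn) for dn in users}
    return [m for m in member_values(group)
            if "=" in m and normalize_dn(m) not in known]
```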


-----Original Message-----
From: fedora-directory-users-bounces at redhat.com
[mailto:fedora-directory-users-bounces at redhat.com] On Behalf Of Stipl,
Stepan
Sent: 04 June, 2007 11:16
To: General discussion list for the Fedora Directory server project.
Subject: RE: [Fedora-directory-users] nss_ldap - using full DNs in
memberattribute

Hi Ashley,
	thanks for help.
	
	When I log in to the console under the desired user and try
groups, I don't see the groups from ldap at all - (I think that's
because the system thinks that user "uid=jsmith,ou=users,dc=example,dc=com"
is a member of this group & not the user "jsmith").

	You're writing that it's working fine for you - the problem may
be in what records you actually have in ldap. AFAIK (and I'm just a
newbie in ldap stuff)...
		
		1) you can have group records as
"groupOfNames"/"groupOfUniqueNames" specified in "RFC 2256", where the
member records are stored in "uniqueMember"/"member" attributes with
full DNs - with the uid,ou,dc.. part.

		2) or you can have group records as "posixGroup", where
the members are stored in "memberUid" attributes in the short form, i.e.
"jsmith".

	The second possibility is actually working fine for me, you see
proper usernames in the "getent group" listing, but the first approach -
storing full DNs - makes IMHO much more sense & some other apps
connected to LDAP require this form. And I don't want to have special
(duplicated) groups just for linux machines.

	Can you confirm that you're using the form where you store the
members in groups as full DNs? I think there should be a way to
configure pam_ldap/nss_ldap to cut the member record to the RDN value, just
that I'm stupid and don't know how to set it up :).

Thanks. .stepan



-----Original Message-----
From: fedora-directory-users-bounces at redhat.com
[mailto:fedora-directory-users-bounces at redhat.com] On Behalf Of ashley
Sent: 04 June, 2007 09:52
To: General discussion list for the Fedora Directory server project.
Subject: Re: [Fedora-directory-users] nss_ldap - using full DNs in
member attribute


That's extremely strange, I've made clients including Fedora, Suse and
Ubuntu bind to the FDS LDAP without a problem like that.

Can you just verify something for me.

i.e. log in via the console or ssh into your client machine, i.e. as jsmith
as in your example, and type

groups

It should just list your groups in the short form.

i.e. you should see

testgroup blah blah (all your groups)

as with your example, you shouldn't see the ou,dc bits.

If it does you can remap the lookup / search base usually by editing
ldap.conf, which you can find in /etc/ldap.conf most of the time,
including Fedora, SUSE & Ubuntu, but I can't say anything about Gentoo as
I haven't dealt with it recently.

You should then look at the mappings / lookup ie for nss_base_passwd, 
nss_base_shadow, nss_base_group which are the three basic fields with 
Linux/Unix.

In your case you would be dealing with nss_base_group.

If you are caching the fields with nscd you would have to do
the same with nscd.conf.

But still I find that extremely strange.

 					Regards Ashley




On Fri, 1 Jun 2007, Stipl, Stepan wrote:

> Hi,
>
> I'm trying to set up authentication against Fedora DS on a Linux box
> (Gentoo). Everything is working fine, except for one thing - I have
> groups with members in uniqueMember attributes and I have there full
> DNs - like "uid=sstipl,ou=users,dc=example,dc=com", but the nss expects
> me to have there just logins (uid's value in this case).
>
> So when I do "getent group" I receive something like this from groups
> from LDAP:
>
> testgroup:*:1010:uid=sstipl,ou=users,dc=example,dc=com,
> uid=jsmith,ou=users,dc=example,dc=com
>
> Any idea how to set up (probably nss?) to use just the RDN value (uid's
> in this case) from the uniqueMember attribute? To get this:
> "testgroup:*:1010:sstipl,jsmith"
>
>
>
> many thanks.
>
> .stepan
>
>

-- 
Ashley Chew - Systems Administrator
School of Computer Science and Software Engineering
University of Western Australia
Tel: (+61 8) 6488 7082 - Fax: (+61 8) 6488 1089
Ashley[@]csse.uwa.edu.au - http://www.csse.uwa.edu.au/~ashley

"There is no such thing as Fate, Fate is what you make of it!"

--
Fedora-directory-users mailing list
Fedora-directory-users at redhat.com
https://www.redhat.com/mailman/listinfo/fedora-directory-users
