Problems with nss_ldap and group membership
Nalin Dahyabhai
nalin at redhat.com
Fri May 7 18:30:54 UTC 2004
On Fri, May 07, 2004 at 09:58:26AM -0400, Gary Molenkamp wrote:
> I'm testing nss_ldap under FC2t3 and have run into a problem with using
> groups under nss_ldap.
>
> In my ldap server I have:
>
> cn=A,ou=Person,dc=exmaple,dc=com
> uidNumber: 130000
> gidNumber: 130000
>
> cn=A,ou=Group,dc=exmaple,dc=com
> gidNumber: 130000
>
> cn=App_users,ou=Group,dc=exmaple,dc=com
> gidNumber: 1000
> MemberUID: 130000
>
> I have nsswitch.conf, /etc/pam.d/sshd configured to allow logins, etc.
> Such that:
> getent passwd A
> A:x:130000:500::/home/A:/bin/bash
>
> getent group A
> A:x:130000:
>
> getent group App_user
> App_user:x:1000:130000
>
> The problem is for file access control based on group membership. ie:
>
> drxwrxw--- root App_users /tmp/testing/
>
> is not searchable by user A. Changing group membership of the directory
> to A's primary group works, as does changing ownership of the directory to
> A.
>
> Have I missed something?
The "memberUid" attribute of your posixGroup object should include the
user's login name (the "uid" attribute from the user's posixAccount
object instead of its "uidNumber" attribute). Change "memberUid: 130000"
to "memberUid: A", and it should work.
HTH,
Nalin
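To make the point in the reply concrete, here is an added example (not code from nss_ldap or from either poster) that parses a small LDIF dump mirroring the entries quoted above, resolves a user's groups the way nss_ldap does (the account's gidNumber plus every posixGroup whose memberUid holds the login name), and flags memberUid values that are really a uidNumber. The LDIF text, the dc=example,dc=com suffix and the group name App_users are constructed for the example.

```python
"""Check posixGroup memberUid values against posixAccount uid attributes.

Constructed example: a minimal LDIF parser plus two checks. Added here to
illustrate the reply; not code from nss_ldap or the original posters.
"""
from collections import defaultdict

# Constructed LDIF mirroring the entries quoted in the thread; the
# dc=example,dc=com suffix and group "App_users" are assumed names.
SAMPLE_LDIF = """\
dn: cn=A,ou=Person,dc=example,dc=com
objectClass: posixAccount
uid: A
uidNumber: 130000
gidNumber: 130000

dn: cn=A,ou=Group,dc=example,dc=com
objectClass: posixGroup
cn: A
gidNumber: 130000

dn: cn=App_users,ou=Group,dc=example,dc=com
objectClass: posixGroup
cn: App_users
gidNumber: 1000
memberUid: 130000
"""


def parse_ldif(text):
    """Parse a simple LDIF dump into a list of {attr: [values]} dicts.

    Handles blank-line separated entries and multi-valued attributes;
    attribute names are lower-cased because LDAP matches them
    case-insensitively (memberUid vs MemberUID in the thread).
    """
    entries, current = [], defaultdict(list)
    for line in text.splitlines():
        if not line.strip():
            if current:
                entries.append(dict(current))
                current = defaultdict(list)
            continue
        if line.startswith("#"):
            continue
        attr, _, value = line.partition(":")
        current[attr.strip().lower()].append(value.strip())
    if current:
        entries.append(dict(current))
    return entries


def _has_class(entry, cls):
    return cls.lower() in (c.lower() for c in entry.get("objectclass", []))


def groups_for_user(entries, login):
    """Return the set of gidNumbers a user belongs to, the way nss_ldap
    resolves them: the account's gidNumber plus every posixGroup whose
    memberUid contains the login name (not the uidNumber)."""
    gids = set()
    for e in entries:
        if _has_class(e, "posixAccount") and login in e.get("uid", []):
            gids.update(e.get("gidnumber", []))
    for e in entries:
        if _has_class(e, "posixGroup") and login in e.get("memberuid", []):
            gids.update(e.get("gidnumber", []))
    return gids


def find_numeric_members(entries):
    """Report memberUid values that are not a login name of any posixAccount
    but do equal some account's uidNumber, the mistake in the thread.
    Returns (group cn, bad value, suggested login) tuples."""
    logins = {u for e in entries if _has_class(e, "posixAccount")
              for u in e.get("uid", [])}
    by_uidnumber = {}
    for e in entries:
        if _has_class(e, "posixAccount"):
            for n in e.get("uidnumber", []):
                by_uidnumber.setdefault(n, e.get("uid", [None])[0])
    findings = []
    for e in entries:
        if not _has_class(e, "posixGroup"):
            continue
        for m in e.get("memberuid", []):
            if m not in logins and m in by_uidnumber:
                findings.append((e["cn"][0], m, by_uidnumber[m]))
    return findings


if __name__ == "__main__":
    entries = parse_ldif(SAMPLE_LDIF)
    print("gids for A:", sorted(groups_for_user(entries, "A")))
    for cn, bad, fix in find_numeric_members(entries):
        print(f"group {cn}: memberUid: {bad} should be memberUid: {fix}")
```

Run against the sample, user A resolves only to gid 130000 and App_users is reported with the suggested fix "memberUid: A"; after that change the same user resolves to both 130000 and 1000, which is what the directory in the thread needs for the group-owned directory to be searchable. On a live system the equivalent check is `id A` (or `getent group App_users`) after the LDAP change, since nss_ldap queries the group by login name, not by numeric id.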
More information about the fedora-test-list mailing list