getent / group / LDAP problem

Pat Riehecky prieheck at iwu.edu
Fri May 30 19:33:23 UTC 2008


On Wed, 2008-05-28 at 13:51 -0400, Ryan Golhar wrote:
> Hi all,
> 
> I have RHEL 5 running as an LDAP server, and am trying to configure a 
> second server to mimic the first one.  I have created multiple groups in 
> LDAP and assigned various users to these groups.  On the second server, 
> running 'id' from the shell doesn't show those secondary groups.

What LDAP product are you using (openldap, FDS, Apache DS, etc.)?

> 
> I thought there might be something wrong with nsswitch.conf, but 'getent 
> group' is reporting the secondary groups and the users but with a 'x' in 
> the second field:

RHEL provides a nifty lazy tool system-config-authentication which in my
experience works 100% of the time with LDAP.  You may want to give it a
look for the setup bits, it eliminates typos and is all around
successful.

> 
> users:x:500:user1,user2,user3
> 
> whereas on the first server, I see:
> 
> users:*:500:user1,user2,user3

> Why the difference in the second field?

This is just different shadow syntax; both of these point the password
field to gshadow. Nothing to worry about.

> 
> 'id' doesn't report the secondary groups either.  'id' on the first LDAP 
> server shows something like:
> 
> uid=501(golharam) gid=501(sansuser) 
> groups=500(users),501(sansuser),85(cvs) context=user_u:system_r:unconfined_t
> 
> On the second LDAP server, I get:
> uid=501(golharam) gid=500(users) groups=500(users) 
> context=user_u:system_r:unconfined_t
> 
> There should be a second group as 'cvs' with gid=85.   Does anyone know 
> why I wouldn't see secondary groups in my second LDAP server?

This very much depends on how exactly the entry is listed in your LDAP database.


Pat
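A quick way to pin down the mismatch the original poster describes is to compare what group enumeration reports against what the login-time group list reports. `getent group` walks the NSS group table (getgrent), while `id` obtains the user's supplementary groups through getgrouplist/initgroups, which the LDAP NSS module serves with a separate membership search; when the two disagree, the group entry in LDAP (its member attribute and the base/filter the NSS module uses for that search) is the place to look. The script below is an added example, not code from the thread: it parses group(5)-format lines such as `getent group` prints, lists the groups that name a given user as a member, and reports which of those are absent from an `id -nG` style list. The sample `getent` output and `id` output embedded here are constructed for the demonstration.

```shell
#!/bin/sh
# Diagnose "getent shows the user in a group but id does not".
# Constructed sample of `getent group` output (not taken from the original post).
# The second field may be 'x' or '*' depending on the NSS source; the parser ignores it.
SAMPLE_GETENT='users:x:500:user1,user2,user3,golharam
sansuser:x:501:
cvs:*:85:golharam,user2
wheel:x:10:root'

# Constructed sample of `id -nG golharam` output on the misbehaving server:
# only the primary group comes back.
SAMPLE_ID='users'

# groups_listing_user USER
# Reads group(5)-format lines on stdin and prints the name of every group
# whose member list (field 4, comma-separated) contains USER.
groups_listing_user() {
    awk -F: -v u="$1" '
        NF >= 4 {
            n = split($4, m, ",")
            for (i = 1; i <= n; i++) {
                if (m[i] == u) { print $1; break }
            }
        }'
}

# missing_secondary_groups USER GETENT_TEXT ID_GROUPS
# GETENT_TEXT is `getent group` output; ID_GROUPS is the space-separated
# list from `id -nG USER`. Prints the groups that enumeration attributes to
# USER but that initgroups (as seen by id) did not return.
missing_secondary_groups() {
    user=$1; getent_text=$2; id_groups=$3
    expected=$(printf '%s\n' "$getent_text" | groups_listing_user "$user")
    for g in $expected; do
        case " $id_groups " in
            *" $g "*) ;;            # id reported it: fine
            *) printf '%s\n' "$g" ;; # enumerated but not in the login group list
        esac
    done
}

# Stand-alone run against the constructed samples. On a real host replace
# the samples with "$(getent group)" and "$(id -nG golharam)".
echo "groups that list golharam according to getent:"
printf '%s\n' "$SAMPLE_GETENT" | groups_listing_user golharam
echo "groups missing from id output:"
missing_secondary_groups golharam "$SAMPLE_GETENT" "$SAMPLE_ID"
```

Each group the script reports is one whose LDAP entry should be inspected: confirm that the membership attribute actually present on the entry (memberUid for the plain RFC 2307 posixGroup schema; uniqueMember or member with the RFC 2307bis variant) is the one the second server's NSS LDAP configuration has been told to search, and that the entry sits under the group search base that configuration specifies.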
