I hate people who contradict themselves with follow up emails. On this occasion 
however...

Since writing my earlier email I've done some digging around. What I have found 
is that nss_ldap can use uniqueMember attributes as an alternative to memberUid 
attributes. The rub is that the standard structure for posixGroup doesn't allow 
combination with groupOfUniqueNames and groupOfUniqueNames isn't what it sounds 
like anyway, and uniqueMember is also not the attribute you should be using.

However, if you were to tweak the schema for posixGroup to make it an auxiliary 
class as per rfc2307bis (an expired proposal 
http://ietfreport.isoc.org/idref/draft-howard-rfc2307bis/) and use a 
combination of posixGroup and groupOfNames you could have member attributes 
(i.e. full Distinguished Names) as your member names.

It looks like you may need to uncomment the line '#nss_map_attribute 
uniqueMember member' in your ldap.conf to then use the correct attribute name.

I haven't actually tried any of this but I might give it a try on a test 
machine sometime in the next few weeks. I must say that I'm not a fan of 
fiddling with a standard schema but the idea of using a single type of group 
(combined posixGroup/groupOfNames) for everything is extremely tempting.

Enjoy,

Brian

-----Original Message-----
From: owner-freebsd-sta...@freebsd.org 
[mailto:owner-freebsd-sta...@freebsd.org] On Behalf Of Scott, Brian
Sent: Thursday, 25 February 2010 11:18 AM
To: Gerrit Kühn; freebsd-stable@freebsd.org
Subject: RE: nss_ldap and multiple group memberships

It depends on the type of group. There are at least two types of group objects 
that you can use in LDAP but only one of them works. You need to use posixGroup 
objects for unix groups. As I remember it, these have memberUid attributes for 
the member ids. These are simple unix identifiers. groupOfNames objects on the 
other hand have full distinguished names with 'member' attributes and can't be 
used by nss_ldap.

The idea is that posixGroup and posixAccount mimic the unix files so extraction 
of the data is fast. If the software used a groupOfNames object then the 
returned member names would need to be queried as additional transactions to find 
the uid's of those entries that had posixAccount information. This is because 
the original authentication was done by pam_ldap and that just returned a UID 
to the system. If it returned the LDAP distinguished name to the system, and if 
that could then be passed into nss_ldap it would be possible to do the LDAP 
query in a single transaction. But then that all breaks down if you 
authenticate with something else like GSSAPI. If that was the case you would 
need to first search for the posixAccount object of the authenticated user 
(&(objectClass=posixAccount)(uid=1001)) and then search for all the group of 
names containing that distinguished name 
(&(objectClass=groupOfNames)(member=uid=bscott,ou=People,dc=netlab,dc=albury,dc=tafe)).
That's two transactions and seems unnecessarily wasteful. Mind you, if it was 
an option I'd probably turn it on.

Brian
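As an added illustration (not code from the thread), the Python below resolves a user's group list from a constructed LDIF dump in two ways: as stock nss_ldap does (posixGroup memberUid only) and the rfc2307bis way (DN-valued member attributes on a combined groupOfNames/posixGroup entry), which needs the extra uid-to-DN lookup described above. The user, groups and base dc=example,dc=org are made up.

```python
# Added example, not from the thread: group resolution over a constructed LDIF dump.
# dn_members=False mimics default nss_ldap; True honours DN members (rfc2307bis style).

SAMPLE_LDIF = """\
dn: uid=gekueh,ou=People,dc=example,dc=org
objectClass: posixAccount
uid: gekueh
gidNumber: 1012

dn: cn=aei,ou=Group,dc=example,dc=org
objectClass: posixGroup
cn: aei
gidNumber: 1012
memberUid: gekueh

dn: cn=admins,ou=Group,dc=example,dc=org
objectClass: groupOfNames
objectClass: posixGroup
cn: admins
gidNumber: 1100
member: uid=gekueh,ou=People,dc=example,dc=org
"""


def parse_ldif(text):
    """Minimal LDIF parser: blank-line separated entries of 'attr: value' lines."""
    entries, entry = [], {}
    for line in text.splitlines() + [""]:
        if not line.strip():
            if entry:
                entries.append(entry)
            entry = {}
            continue
        attr, _, value = line.partition(":")
        entry.setdefault(attr.strip(), []).append(value.strip())
    return entries


def groups_for_uid(entries, uid, dn_members=False, member_attr="member"):
    """Sorted group cns for uid; member_attr is the DN-valued attribute (cf. nss_map_attribute)."""
    # The extra transaction: (&(objectClass=posixAccount)(uid=...)) to learn the user's DN.
    dns = {e["dn"][0].lower() for e in entries
           if "posixAccount" in e.get("objectClass", []) and uid in e.get("uid", [])}
    found = set()
    for e in entries:
        classes = e.get("objectClass", [])
        if "posixGroup" in classes and uid in e.get("memberUid", []):
            found.add(e["cn"][0])
        elif dn_members and "groupOfNames" in classes and \
                dns & {m.lower() for m in e.get(member_attr, [])}:  # DNs match case-insensitively
            found.add(e["cn"][0])
    return sorted(found)
```

With dn_members=False the user only appears in the memberUid group, which matches the "only the primary group" symptom; with dn_members=True the DN-based membership is picked up as well.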


-----Original Message-----
From: owner-freebsd-sta...@freebsd.org 
[mailto:owner-freebsd-sta...@freebsd.org] On Behalf Of Gerrit Kühn
Sent: Wednesday, 24 February 2010 9:23 PM
To: freebsd-stable@freebsd.org
Subject: nss_ldap and multiple group memberships

Hi all,

Is anyone here using nss_ldap and can successfully get it to work with multiple 
group memberships? I would really like to get this to work here, but I only get 
the primary group:

penumbra# id gekueh
uid=1030(gekueh) gid=1012(aei) groups=1012(aei)

getent group comes up with the complete group list. ldapsearch reports three 
groups with member:-lines for my user. Somehow nss does not pick this up. Any 
ideas?


cu
  Gerrit
_______________________________________________
freebsd-stable@freebsd.org mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-stable
To unsubscribe, send any mail to "freebsd-stable-unsubscr...@freebsd.org"
**********************************************************************
This message is intended for the addressee named and may contain
privileged information or confidential information or both. If you
are not the intended recipient please delete it and notify the sender.
**********************************************************************