nss_ldap and multiple group memberships

Gerrit Kühn gerrit at pmp.uni-hannover.de
Thu Feb 25 08:31:23 UTC 2010


On Thu, 25 Feb 2010 11:17:32 +1100 "Scott, Brian"
<brian.scott4 at det.nsw.edu.au> wrote about RE: nss_ldap and multiple group
memberships:

SB> It depends on the type of group. There are at least two types of group
SB> objects that you can use in LDAP but only one of them works. You need
SB> to use posixGroup objects for unix groups. As I remember it, these
SB> have memberUid attributes for the member ids. These are simple unix
SB> identifiers. groupOfNames objects on the other hand have full
SB> distinguished names with 'member' attributes and can't be used by
SB> nss_ldap.

The server is running openldap under SLES and is not under my control.
ldapsearch gives group entries like

# lisa, group, aei.uni-hannover.de
dn: cn=lisa,ou=group,dc=aei,dc=uni-hannover,dc=de
cn: lisa
displayName: lisa
gidNumber: 1003
member: uid=gekueh,ou=people,dc=aei,dc=uni-hannover,dc=de


So this would be the first case, I guess.

SB> The idea is that posixGroup and posixAccount mimic the unix files so
SB> extraction of the data is fast. If the software used a groupOfNames
SB> object then the returned member names would need to be queried as
SB> additional transactions to find the uids of those entries that had
SB> posixAccount information. This is because the original authentication
SB> was done by pam_ldap and that just returned a UID to the system. If it
SB> returned the LDAP distinguished name to the system, and if that could
SB> then be passed into nss_ldap it would be possible to do the LDAP query
SB> in a single transaction. But then that all breaks down if you
SB> authenticate with something else like GSSAPI. If that was the case you
SB> would need to first search for the posixAccount object of the
SB> authenticated user (&(objectClass=posixAccount)(uid=1001)) and then
SB> search for all the group of names containing that distinguished name (&
SB> (objectClass=groupOfNames)
SB> (member=uid=bscott,ou=People,dc=netlab,dc=albury,dc=tafe)). That's two
SB> transactions and seems unnecessarily wasteful. Mind you, if it was an
SB> option I'd probably turn it on.

Thanks for this fine explanation. I do not use GSS. However, I found the
following configuration option in (nss) ldap.conf that helped me:

nss_map_attribute uniqueMember member

After uncommenting this, everything seems to work fine:

penumbra# id gekueh
uid=1030(gekueh) gid=1012(aei) groups=1012(aei),1003(lisa)

Maybe this could be mentioned somewhere in the documentation? I used
<http://www.freebsd.org/doc/en/articles/ldap-auth/client.html> to set up
the client, but the information I got from this article was rather
sparse and led me down the wrong path more than once.


cu
  Gerrit
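As an added illustration (not code from this thread, from nss_ldap or from the FreeBSD article), the Python below models the two group lookups Brian describes: the single memberUid search against posixGroup entries, and the DN-then-member two-step search against groupOfNames entries. The directory is constructed in memory so it runs offline: cn=lisa is copied from the ldapsearch output above (its objectClass is an assumption, since the dump does not show one), while uid=gekueh, cn=aei and cn=wheel are invented to reproduce the `id` output Gerrit posted. The `member_attr` parameter stands in for the attribute name nss_ldap is configured to read; passing "member" plays the role of the `nss_map_attribute uniqueMember member` line.

```python
"""Resolving a user's groups from LDAP the two ways discussed above.

posixGroup entries (RFC 2307) list members as plain uids in memberUid, so
one search answers "which groups is gekueh in?".  groupOfNames entries list
members as DNs in 'member', so the resolver must first look up the account's
DN and then search for groups whose member attribute holds it, and it has to
be told which attribute name that is.
"""

# Constructed in-memory directory: (dn, attributes) pairs, values as lists.
# cn=lisa mirrors the ldapsearch output in the post (objectClass assumed);
# uid=gekueh, cn=aei and cn=wheel are made up to reproduce the `id` output.
PEOPLE = "ou=people,dc=aei,dc=uni-hannover,dc=de"
GROUPS = "ou=group,dc=aei,dc=uni-hannover,dc=de"
GEKUEH_DN = "uid=gekueh," + PEOPLE

DIRECTORY = [
    (GEKUEH_DN, {"objectClass": ["posixAccount"], "uid": ["gekueh"],
                 "uidNumber": ["1030"], "gidNumber": ["1012"]}),
    ("cn=aei," + GROUPS, {"objectClass": ["groupOfNames"], "cn": ["aei"],
                          "gidNumber": ["1012"], "member": [GEKUEH_DN]}),
    ("cn=lisa," + GROUPS, {"objectClass": ["groupOfNames"], "cn": ["lisa"],
                           "gidNumber": ["1003"], "member": [GEKUEH_DN]}),
    # Classic posixGroup: members listed by uid, no DN involved.
    ("cn=wheel," + GROUPS, {"objectClass": ["posixGroup"], "cn": ["wheel"],
                            "gidNumber": ["0"], "memberUid": ["root"]}),
]


def search(directory, base, filt):
    """Subtree search under `base` with an AND-of-equality filter, e.g.
    [("objectClass", "posixGroup"), ("memberUid", "gekueh")] stands for
    (&(objectClass=posixGroup)(memberUid=gekueh)). Values are compared
    case-insensitively, as LDAP does for DNs and these attribute types."""
    hits = []
    for dn, attrs in directory:
        if not dn.lower().endswith(base.lower()):
            continue
        if all(any(v.lower() == want.lower() for v in attrs.get(attr, []))
               for attr, want in filt):
            hits.append((dn, attrs))
    return hits


def groups_rfc2307(directory, uid):
    """One round trip: posixGroup entries carry the uid itself in memberUid."""
    return search(directory, GROUPS,
                  [("objectClass", "posixGroup"), ("memberUid", uid)])


def groups_rfc2307bis(directory, uid, member_attr):
    """Two round trips: find the account's DN, then every groupOfNames whose
    `member_attr` holds that DN. `member_attr` is the attribute name the
    resolver is configured to read (uniqueMember unless remapped to member)."""
    accounts = search(directory, PEOPLE,
                      [("objectClass", "posixAccount"), ("uid", uid)])
    if not accounts:
        return []
    dn = accounts[0][0]
    return search(directory, GROUPS,
                  [("objectClass", "groupOfNames"), (member_attr, dn)])


def id_line(directory, uid, member_attr="uniqueMember"):
    """Assemble id(1)-style output: primary group first, then the rest by
    gid. Both group styles are merged and deduplicated by gidNumber."""
    accounts = search(directory, PEOPLE,
                      [("objectClass", "posixAccount"), ("uid", uid)])
    if not accounts:
        return f"id: {uid}: no such user"
    acct = accounts[0][1]
    uidnum, pgid = acct["uidNumber"][0], int(acct["gidNumber"][0])
    found = {int(a["gidNumber"][0]): a["cn"][0]
             for _, a in groups_rfc2307(directory, uid)
             + groups_rfc2307bis(directory, uid, member_attr)}
    # The primary group comes from the account's gidNumber alone, whatever
    # the membership attribute says.
    primary = search(directory, GROUPS, [("gidNumber", str(pgid))])
    found.setdefault(pgid, primary[0][1]["cn"][0] if primary else str(pgid))
    order = [(pgid, found[pgid])] + sorted(g for g in found.items() if g[0] != pgid)
    groups = ",".join(f"{gid}({name})" for gid, name in order)
    return f"uid={uidnum}({uid}) gid={pgid}({found[pgid]}) groups={groups}"


if __name__ == "__main__":
    # With the default attribute name the groupOfNames entries are invisible:
    print(id_line(DIRECTORY, "gekueh"))
    # Reading 'member' instead, as the nss_map_attribute line arranges:
    print(id_line(DIRECTORY, "gekueh", member_attr="member"))
    print([attrs["cn"][0] for _, attrs in groups_rfc2307(DIRECTORY, "root")])
```

The point worth noticing is the failure mode: with the wrong attribute name nothing errors out, the lookup simply returns no groupOfNames matches and the user silently loses supplementary groups, which is exactly the "groups=1012(aei)" versus "groups=1012(aei),1003(lisa)" difference. That is why checking `id` (and, where it matters, `getent group` for a specific group) after changing the mapping is the test that tells you whether the client and the server's schema actually agree.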

