OpenLDAP 2.2.25 and FreeBSD 5.3 - group names and gid's

Joerg Pulz Joerg.Pulz at frm2.tum.de
Mon Apr 25 11:15:19 PDT 2005


On Mon, 25 Apr 2005, Don Brearley wrote:

>
> Hello,
>
> I am having some problems with OpenLDAP 2.2.25 and FreeBSD 5.3.
>
> I can currently authenticate against my ldap db, and utilities like id and chown
> work with no problem.
>
> The problem is gid to group name mapping.  In my ldif files, I can have a
> "uid" entry and a "uidNumber" entry.  It would look something like this:
>
> uid:  testuser
> uidNumber: 2001
>
> and that works.   I cannot have a group entry of the same.
>
> gid: testgroup
> gidNumber: 2001
>
> OpenLDAP would complain that it couldn't read this file properly.. not until
> the "gid:testgroup" entry was removed.
>
> When I attempt to use an app like "chown" I have to specify the actual
> gid number, eg:
>
> chown -R testuser:2001 /home/testuser
>
> I was wondering if anyone had found a way to have it so that you could
> just enter it by name, and not by number.  eg:
>
> chown -R testuser:testgroup /home/testuser
>
> Obviously I would have to add a gid entry in my schema file, but I am left
> wondering why this isn't already in there..  I don't want to spend a few hours
> trying to re-invent the wheel when there is already a reason for it to
> not be in there.
>
> Any help or light on this situation is deeply appreciated.  If you need more
> information, please let me know and I shall provide it.

Hi,

I have had authentication against OpenLDAP running for a long time now and have not 
experienced such a thing.
I have split the user and group information into two separate trees.
An example user entry and group entry look like this:

--- the user
dn: uid=testuser,ou=People,dc=domain,dc=tld
objectClass: top
# posixAccount is AUXILIARY in nis.schema; a structural class such as account is needed
objectClass: account
objectClass: posixAccount
uidNumber: 2001
gecos: Test User
loginShell: /bin/tcsh
uid: testuser
cn: Test User
gidNumber: 2001
homeDirectory: /home/testuser
userPassword: some_password

--- the group
dn: cn=testgroup,ou=Group,dc=domain,dc=tld
objectClass: posixGroup
objectClass: top
cn: testgroup
userPassword: *
gidNumber: 2001
description: Local Unix group

If you configure nss_ldap as follows, you will be able to chown(8) 
with names instead of numbers, and id(1) should give you names for the 
groups too.

--- nss_ldap.conf
nss_base_passwd		ou=People,dc=domain,dc=tld?one
nss_base_group		ou=Group,dc=domain,dc=tld?one

If I understand your comments right, you have tried to add a "gid" 
attribute to the user account with objectClass posixAccount, but this will 
not work. Only the numeric gidNumber is allowed for this objectClass. It 
behaves like the flat Unix passwd(5) and group(5) files, where the numeric 
gidNumber is stored in passwd(5) and this number is resolved using the 
group(5) file.

Please think about it ;-) and try the things above.
Joerg

-- 
The beginning is the most important part of the work.
 				-Plato
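As an added illustration of the resolution described above (example code, not part of the original thread or of nss_ldap), the following script builds passwd(5)- and group(5)-style maps from the two trees, honours the `?one` scope from the nss_base_* lines, and resolves a `user:group` chown specification by name. The LDIF and the base DNs are constructed to match the entries in the message.

```python
import re

# Constructed sample LDIF modelled on the two entries in the message above (not a real directory).
LDIF = """\
dn: uid=testuser,ou=People,dc=domain,dc=tld
objectClass: posixAccount
uid: testuser
uidNumber: 2001
gidNumber: 2001

dn: cn=testgroup,ou=Group,dc=domain,dc=tld
objectClass: posixGroup
cn: testgroup
gidNumber: 2001
"""
# nss_base_passwd / nss_base_group from the message's nss_ldap.conf, as (base DN, scope).
NSS_BASES = {"passwd": ("ou=People,dc=domain,dc=tld", "one"), "group": ("ou=Group,dc=domain,dc=tld", "one")}

def parse_ldif(text):
    """Yield one {attr: [values]} dict per blank-line separated LDIF record."""
    for block in re.split(r"\n\s*\n", text.strip()):
        entry = {}
        for attr, _, value in (line.partition(":") for line in block.splitlines()):
            entry.setdefault(attr.strip().lower(), []).append(value.strip())
        yield entry

def in_scope(dn, base, scope):
    """Match dn against the base?scope search nss_ldap issues for a map."""
    dn, base = dn.lower(), base.lower()
    if scope == "one":   # direct children only: exactly one RDN above the base
        return dn.endswith("," + base) and "," not in dn[:-len(base) - 1]
    return dn == base or dn.endswith("," + base)   # "sub": the base and everything below

def build_maps(entries, bases=NSS_BASES):
    """Build passwd(5)- and group(5)-style maps the way nss_ldap would."""
    passwd, group = {}, {}
    for e in entries:
        classes = {c.lower() for c in e.get("objectclass", [])}
        if "posixaccount" in classes and in_scope(e["dn"][0], *bases["passwd"]):
            passwd[e["uid"][0]] = (int(e["uidnumber"][0]), int(e["gidnumber"][0]))
        if "posixgroup" in classes and in_scope(e["dn"][0], *bases["group"]):
            group[e["cn"][0]] = int(e["gidnumber"][0])   # group name -> numeric gid
    return passwd, group

def resolve_chown_spec(spec, passwd, group):
    """Resolve 'user:group' (names or numbers) to (uid, gid) like chown(8)."""
    user, _, grp = spec.partition(":")
    return (int(user) if user.isdigit() else passwd[user][0],
            int(grp) if grp.isdigit() else group[grp])
```

The user entry carries only the numeric gidNumber; the name comes from the posixGroup entry found under nss_base_group, exactly as the reply explains.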
