nss_ldap and multiple group memberships

Peter C. Lai peter at simons-rock.edu
Thu Feb 25 00:21:12 UTC 2010


Wow, this is a really well-written explanation.

On 2010-02-25 11:17:32AM +1100, Scott, Brian wrote:
> It depends on the type of group. There are at least two types of group objects that you can use in LDAP but only one of them works. You need to use posixGroup objects for unix groups. As I remember it, these have memberUid attributes for the member ids. These are simple unix identifiers. groupOfNames objects on the other hand have full distinguished names with 'member' attributes and can't be used by nss_ldap.
> 
> The idea is that posixGroup and posixAccount mimic the unix files so extraction of the data is fast. If the software used a groupOfNames object then the returned member names would need to be queried as additional transactions to find the uids of those entries that had posixAccount information. This is because the original authentication was done by pam_ldap and that just returned a UID to the system. If it returned the LDAP distinguished name to the system, and if that could then be passed into nss_ldap it would be possible to do the LDAP query in a single transaction. But then that all breaks down if you authenticate with something else like GSSAPI. If that was the case you would need to first search for the posixAccount object of the authenticated user (&(objectClass=posixAccount)(uid=1001)) and then search for all the group of names containing that distinguished name (&(objectClass=groupOfNames)(member=uid=bscott,ou=People,dc=netlab,dc=albury,dc=tafe)). That's two transactions and seems unnecessarily wasteful. Mind you, if it was an option I'd probably turn it on.
> 
> Brian
> 
> 
> -----Original Message-----
> From: owner-freebsd-stable at freebsd.org [mailto:owner-freebsd-stable at freebsd.org] On Behalf Of Gerrit Kühn
> Sent: Wednesday, 24 February 2010 9:23 PM
> To: freebsd-stable at freebsd.org
> Subject: nss_ldap and multiple group memberships
> 
> Hi all,
> 
> Is anyone here using nss_ldap and can successfully get it to work with multiple group memberships? I would really like to get this to work here, but I only get the primary group:
> 
> penumbra# id gekueh
> uid=1030(gekueh) gid=1012(aei) groups=1012(aei)
> 
> getent group comes up with the complete group list. ldapsearch reports three groups with member:-lines for my user. Somehow nss does not pick this up. Any ideas?
> 
> 
> cu
>   Gerrit
> _______________________________________________
> freebsd-stable at freebsd.org mailing list
> http://lists.freebsd.org/mailman/listinfo/freebsd-stable
> To unsubscribe, send any mail to "freebsd-stable-unsubscribe at freebsd.org"

-- 
===========================================================
Peter C. Lai                 | Bard College at Simon's Rock
Systems Administrator        | 84 Alford Rd.
Information Technology Svcs. | Gt. Barrington, MA 01230 USA
peter AT simons-rock.edu     | (413) 528-7428
===========================================================
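The two lookups Brian contrasts above (a single posixGroup/memberUid query versus the two-step posixAccount-then-groupOfNames resolution), as an added example that is not part of the original thread. It runs over a small constructed in-memory directory rather than a live LDAP server; the DNs, group names and the `search` helper are assumptions made for illustration, and `missing_from_nss` reports the groups that show up under `member:` in ldapsearch but that nss_ldap will never list, which is the symptom in the original question.

```python
# Added example (not from the thread): the two membership lookups Brian
# describes, run over a small constructed in-memory directory.
# Constructed sample entries; DNs and group names are made up.
DIRECTORY = [
    {"dn": "uid=gekueh,ou=People,dc=example,dc=org",
     "objectClass": ["posixAccount"], "uid": ["gekueh"], "gidNumber": ["1012"]},
    # posixGroup: member uids stored directly in memberUid (what nss_ldap reads)
    {"dn": "cn=aei,ou=Groups,dc=example,dc=org",
     "objectClass": ["posixGroup"], "cn": ["aei"], "gidNumber": ["1012"],
     "memberUid": ["gekueh"]},
    # groupOfNames: members stored as full DNs in 'member' (ignored by nss_ldap)
    {"dn": "cn=wheel,ou=Groups,dc=example,dc=org",
     "objectClass": ["groupOfNames"], "cn": ["wheel"],
     "member": ["uid=gekueh,ou=People,dc=example,dc=org"]},
    {"dn": "cn=staff,ou=Groups,dc=example,dc=org",
     "objectClass": ["groupOfNames"], "cn": ["staff"],
     "member": ["uid=gekueh,ou=People,dc=example,dc=org"]},
]


def search(entries, object_class, attr, value):
    """Mimic the LDAP filter (&(objectClass=X)(attr=value)) over in-memory entries."""
    return [e for e in entries
            if object_class in e.get("objectClass", []) and value in e.get(attr, [])]


def posix_groups(entries, uid):
    """One transaction: posixGroup entries whose memberUid lists the uid."""
    return sorted(g["cn"][0] for g in search(entries, "posixGroup", "memberUid", uid))


def group_of_names(entries, uid):
    """Two transactions: resolve the uid to its posixAccount DN, then find
    every groupOfNames whose member attribute holds that DN."""
    accounts = search(entries, "posixAccount", "uid", uid)
    if not accounts:
        return []
    dn = accounts[0]["dn"]
    return sorted(g["cn"][0] for g in search(entries, "groupOfNames", "member", dn))


def missing_from_nss(entries, uid):
    """Groups reachable only via groupOfNames, which nss_ldap will not report."""
    return sorted(set(group_of_names(entries, uid)) - set(posix_groups(entries, uid)))


if __name__ == "__main__":
    print("posixGroup view (what id/nss_ldap sees):", posix_groups(DIRECTORY, "gekueh"))
    print("groupOfNames view (what ldapsearch shows):", group_of_names(DIRECTORY, "gekueh"))
    print("groups nss_ldap will miss:", missing_from_nss(DIRECTORY, "gekueh"))
```

A non-empty result from `missing_from_nss` is the "id shows only the primary group" situation: the fix is to give those groups posixGroup objectClass and memberUid values, not to expect nss_ldap to follow member DNs.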
