On Mon, 4 Jun 2007, Henry Jensen wrote:

> Package: libnss-ldap
> Version: 251-7.5
> Severity: important
>
> libnss-ldap doesn't seem to get all groups from ldap.
> E.g. when I do as user:
>
> $ id -G
> 513 1027 1029 1073 1112 14091 19901 22150 43236 55873 60223
>
> But when I do as root:
>
> # id -G user
> 513 22150 43236 19901 1027 1029 1073 1112
>
> As you can see some groups are missing in the second request.
>
> This happens after the upgrade from Sarge to Etch. It has wider effects in
> the sense that e.g. Group-ACLs in Samba are no longer working in some cases.
> It also seems that only newer groups which were added after the upgrade to
> Etch are affected.

So we're talking new slapd package, the whole enchilada...
Your slapd database was exported, and rebuilt (all by magic).

It kinda seems like a schema change is biting you; the old groups are
working fine, but newly added ones are not in the nss_base_group setting
of libnss_ldap.conf

> Here are some relevant parts of config files:
>
> /etc/nsswitch.conf:
> passwd:         compat ldap
> group:          compat ldap
> shadow:         compat ldap

* If you don't use NIS, I'd change that to 'files ldap'

> /etc/libnss_ldap.conf:
> host 192.168.1.12 192.168.1.17
> base dc=test,dc=de
> ldap_version 3
> rootbinddn cn=admin,dc=test,dc=de

* save yourself some trouble and migrate to uri instead of host
* Are you using the default:  #pam_member_attribute uniquemember ?
* And what of this line:      nss_base_group      ou=  ?

> /etc/ldap/slapd.conf from the ldap server:
>
> include         /etc/ldap/schema/core.schema
> include         /etc/ldap/schema/cosine.schema
> include         /etc/ldap/schema/nis.schema
> include         /etc/ldap/schema/inetorgperson.schema
> include         /etc/ldap/schema/samba.schema
> schemacheck     on
> pidfile         /var/run/slapd/slapd.pid
> argsfile        /var/run/slapd/slapd.args
> loglevel        0
> modulepath      /usr/lib/ldap
> moduleload      back_bdb
> backend         bdb
> checkpoint 512 30
> database        bdb
> suffix          "dc=test,dc=de"
> directory       "/var/lib/ldap"
> index           objectClass eq
> lastmod         on
>
> access to attrs=userPassword
>        by dn="cn=admin,dc=test,dc=de" write
>        by anonymous auth
>        by self write
>        by * none
>
> access to dn.base="" by * read
>
> access to *
>        by dn="cn=admin,dc=test,dc=de" write
>        by * read



--
Rick Nelson
<cj> no!  problems in M$ software?
<cj> "Thoroughly bugtested"
* Dabb grins.
<LordHavoc> rewrite that as 'Thoroughly buginfested'
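An added diagnostic for the symptom discussed in this thread (example code written for this page; it is not part of Henry's report, Rick's reply or the libnss-ldap package). It diffs the posixGroup entries that list a user as memberUid, as ldapsearch would return them, against the gids that `id -G` resolved when run as the user and when run as root, and reports whether every group root fails to see lies outside the nss_base_group subtree, which is the hypothesis Rick raises. The LDIF, the gids, the ou=Groups and ou=NewGroups containers, the user name and both `id -G` outputs are constructed sample data, not values from the report.

```python
"""Diagnostic for the "root sees fewer groups than the user" symptom.

Added example, not code from the bug report or from libnss-ldap. It diffs
the posixGroup entries that list a user as memberUid (as returned by
ldapsearch) against the gids that `id -G` resolved in each context, and
reports which of the missing groups sit outside the nss_base_group subtree.
All sample data below is constructed; the DNs, gids, the ou=Groups and
ou=NewGroups containers and the id output are assumptions for illustration.
"""
import re

# Constructed LDIF, as if produced by:
#   ldapsearch -x -LLL -b dc=test,dc=de '(objectClass=posixGroup)' gidNumber memberUid
SAMPLE_LDIF = """\
dn: cn=users,ou=Groups,dc=test,dc=de
gidNumber: 513
memberUid: user
memberUid: other

dn: cn=admins,ou=Groups,dc=test,dc=de
gidNumber: 1000
memberUid: other

dn: cn=finance,ou=Groups,dc=test,dc=de
gidNumber: 1027
memberUid: user

dn: cn=projectx,ou=NewGroups,dc=test,dc=de
gidNumber: 60223
memberUid: user
"""

# Constructed output of `id -G` run as the user, and of `id -G user` run as root.
ID_AS_USER = "513 1027 60223"
ID_AS_ROOT = "513 1027"


def parse_ldif_groups(ldif, user):
    """Return {gid: dn} for every posixGroup entry whose memberUid lists `user`.

    Handles plain (non-base64) attribute values, which is all ldapsearch
    emits for gidNumber and ASCII memberUid values.
    """
    groups = {}
    for block in re.split(r"\n\s*\n", ldif.strip()):
        dn, gid, members = None, None, set()
        for line in block.splitlines():
            key, _, val = line.partition(":")
            val = val.strip()
            if key == "dn":
                dn = val
            elif key == "gidNumber":
                gid = int(val)
            elif key == "memberUid":
                members.add(val)
        if dn and gid is not None and user in members:
            groups[gid] = dn
    return groups


def parse_gids(id_output):
    """Turn the space-separated output of `id -G` into a set of ints."""
    return {int(tok) for tok in id_output.split()}


def under_base(dn, base):
    """True if `dn` is `base` or lies beneath it (case-insensitive, RDN boundary).

    Whitespace around commas is stripped; this is not full RFC 4514
    normalisation, which is fine for the simple DNs used here.
    """
    def norm(s):
        return re.sub(r"\s*,\s*", ",", s.strip()).lower()
    dn_n, base_n = norm(dn), norm(base)
    return dn_n == base_n or dn_n.endswith("," + base_n)


def diagnose(ldif, user, id_as_user, id_as_root, nss_base_group):
    """Compare directory membership with NSS resolution in both contexts."""
    directory = parse_ldif_groups(ldif, user)
    missing_for_root = sorted(set(directory) - parse_gids(id_as_root))
    missing_for_user = sorted(set(directory) - parse_gids(id_as_user))
    outside_base = sorted(
        gid for gid, dn in directory.items() if not under_base(dn, nss_base_group)
    )
    return {
        "directory_gids": sorted(directory),
        "missing_for_root": missing_for_root,
        "missing_for_user": missing_for_user,
        "outside_base": outside_base,
        # The nss_base_group hypothesis holds when exactly the groups root
        # fails to see are the ones outside the configured subtree.
        "base_explains_gap": bool(missing_for_root) and missing_for_root == outside_base,
    }


if __name__ == "__main__":
    report = diagnose(SAMPLE_LDIF, "user", ID_AS_USER, ID_AS_ROOT,
                      "ou=Groups,dc=test,dc=de")
    for key, value in report.items():
        print(f"{key:20s} {value}")
```

To use it on a real system, replace SAMPLE_LDIF with the actual ldapsearch output, capture the two `id -G` runs, and pass the nss_base_group value from libnss_ldap.conf. If `base_explains_gap` comes out true, the fix is to widen nss_base_group (or move the new groups under it); if the missing groups are inside the base, the subtree setting is not the cause and the difference between the two lookup paths needs to be chased elsewhere.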


--
To UNSUBSCRIBE, email to [EMAIL PROTECTED]
with a subject of "unsubscribe". Trouble? Contact [EMAIL PROTECTED]
