Wow this is a really well written explanation.

On 2010-02-25 11:17:32AM +1100, Scott, Brian wrote:
> It depends on the type of group. There are at least two types of group
> objects that you can use in LDAP but only one of them works. You need to use
> posixGroup objects for unix groups. As I remember it, these have memberUid
> attributes for the member ids. These are simple unix identifiers.
> groupOfNames objects on the other hand have full distinguished names with
> 'member' attributes and can't be used by nss_ldap.
>
> The idea is that posixGroup and posixAccount mimic the unix files so
> extraction of the data is fast. If the software used a groupOfNames object
> then the returned member names would need to be queried as additional
> transactions to find the uids of those entries that had posixAccount
> information. This is because the original authentication was done by pam_ldap
> and that just returned a UID to the system. If it returned the LDAP
> distinguished name to the system, and if that could then be passed into
> nss_ldap it would be possible to do the LDAP query in a single transaction.
> But then that all breaks down if you authenticate with something else like
> GSSAPI. If that was the case you would need to first search for the
> posixAccount object of the authenticated user
> (&(objectClass=posixAccount)(uid=1001)) and then search for all the group of
> names containing that distinguished name
> (&(objectClass=groupOfNames)(member=uid=bscott,ou=People,dc=netlab,dc=albury,dc=tafe)).
> That's two transactions and seems unnecessarily wasteful. Mind you, if it
> was an option I'd probably turn it on.
>
> Brian
>
>
> -----Original Message-----
> From: [email protected]
> [mailto:[email protected]] On Behalf Of Gerrit Kühn
> Sent: Wednesday, 24 February 2010 9:23 PM
> To: [email protected]
> Subject: nss_ldap and multiple group memberships
>
> Hi all,
>
> Is anyone here using nss_ldap and can successfully get it to work with
> multiple group memberships? I would really like to get this to work here, but
> I only get the primary group:
>
> penumbra# id gekueh
> uid=1030(gekueh) gid=1012(aei) groups=1012(aei)
>
> getent group comes up with the complete group list. ldapsearch reports three
> groups with member:-lines for my user. Somehow nss does not pick this up. Any
> ideas?
>
>
> cu
>   Gerrit
> _______________________________________________
> [email protected] mailing list
> http://lists.freebsd.org/mailman/listinfo/freebsd-stable
> To unsubscribe, send any mail to "[email protected]"
> **********************************************************************
> This message is intended for the addressee named and may contain
> privileged information or confidential information or both. If you
> are not the intended recipient please delete it and notify the sender.
> **********************************************************************
--
===========================================================
Peter C. Lai                 | Bard College at Simon's Rock
Systems Administrator        | 84 Alford Rd.
Information Technology Svcs. | Gt. Barrington, MA 01230 USA
peter AT simons-rock.edu     | (413) 528-7428
===========================================================
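An added example (not from the thread) that models the two group schemas Brian describes with a small in-memory directory: the posixGroup/memberUid lookup that nss_ldap performs is one search keyed on the uid, while groupOfNames/member needs the account's DN first and therefore a second search. The entries, the cn values and the uid/gid numbers for gekueh are constructed sample data; the base DN is the one from Brian's example filter.

```python
# Constructed sample directory: two posixAccounts, one posixGroup (memberUid holds
# plain uids) and one groupOfNames (member holds full DNs). Values are lists, as an
# LDAP client would return them. This is an illustration, not a real server.
BASE_DN = "dc=netlab,dc=albury,dc=tafe"  # base DN taken from the thread's filter

DIRECTORY = {
    "uid=bscott,ou=People," + BASE_DN: {
        "objectClass": ["posixAccount"], "uid": ["bscott"],
        "uidNumber": ["1001"], "gidNumber": ["1000"]},
    "uid=gekueh,ou=People," + BASE_DN: {
        "objectClass": ["posixAccount"], "uid": ["gekueh"],
        "uidNumber": ["1030"], "gidNumber": ["1012"]},
    "cn=staff,ou=Group," + BASE_DN: {
        "objectClass": ["posixGroup"], "cn": ["staff"], "gidNumber": ["2000"],
        "memberUid": ["bscott", "gekueh"]},
    # Membership kept only as DNs: visible to ldapsearch, invisible to a memberUid lookup.
    "cn=wheel,ou=Group," + BASE_DN: {
        "objectClass": ["groupOfNames"], "cn": ["wheel"],
        "member": ["uid=bscott,ou=People," + BASE_DN, "uid=gekueh,ou=People," + BASE_DN]},
}


def search(directory, **equalities):
    """One search 'transaction': an AND of attribute=value equality tests, i.e. the
    filter (&(attr1=v1)(attr2=v2)...). Returns the matching DNs."""
    return [dn for dn, attrs in directory.items()
            if all(value in attrs.get(attr, []) for attr, value in equalities.items())]


def posix_groups_for_uid(directory, uid):
    """posixGroup path: the uid pam_ldap handed over is enough for a single search,
    (&(objectClass=posixGroup)(memberUid=<uid>)). Returns (sorted cns, search count)."""
    dns = search(directory, objectClass="posixGroup", memberUid=uid)
    return sorted(directory[dn]["cn"][0] for dn in dns), 1


def group_of_names_for_uid(directory, uid):
    """groupOfNames path as Brian describes it: resolve the posixAccount DN first,
    then match that DN against member attributes. Returns (sorted cns, search count)."""
    accounts = search(directory, objectClass="posixAccount", uid=uid)
    if not accounts:
        return [], 1  # no account entry: nothing to match member= against
    dns = search(directory, objectClass="groupOfNames", member=accounts[0])
    return sorted(directory[dn]["cn"][0] for dn in dns), 2


if __name__ == "__main__":
    for uid in ("bscott", "gekueh"):
        print(uid, "posixGroup:", posix_groups_for_uid(DIRECTORY, uid),
              "groupOfNames:", group_of_names_for_uid(DIRECTORY, uid))
```

Running it shows gekueh's symptom: the memberUid lookup lists only staff, while the wheel membership stored as DNs only appears on the two-search path.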
