On Thu, 25 Feb 2010 11:17:32 +1100 "Scott, Brian" <[email protected]> wrote about RE: nss_ldap and multiple group memberships:
SB> It depends on the type of group. There are at least two types of group
SB> objects that you can use in LDAP but only one of them works. You need
SB> to use posixGroup objects for unix groups. As I remember it, these
SB> have memberUid attributes for the member ids. These are simple unix
SB> identifiers. groupOfNames objects on the other hand have full
SB> distinguished names with 'member' attributes and can't be used by
SB> nss_ldap.

The server is running openldap under SLES and is not under my control.
ldapsearch gives group entries like

# lisa, group, aei.uni-hannover.de
dn: cn=lisa,ou=group,dc=aei,dc=uni-hannover,dc=de
cn: lisa
displayName: lisa
gidNumber: 1003
member: uid=gekueh,ou=people,dc=aei,dc=uni-hannover,dc=de

So this would be the first case, I guess.

SB> The idea is that posixGroup and posixAccount mimic the unix files so
SB> extraction of the data is fast. If the software used a groupOfNames
SB> object then the returned member names would need to be queried as
SB> additional transactions to find the uid's of those entries that had
SB> posixAccount information. This is because the original authentication
SB> was done by pam_ldap and that just returned a UID to the system. If it
SB> returned the LDAP distinguished name to the system, and if that could
SB> then be passed into nss_ldap it would be possible to do the LDAP query
SB> in a single transaction. But then that all breaks down if you
SB> authenticate with something else like GSSAPI. If that was the case you
SB> would need to first search for the posixAccount object of the
SB> authenticated user (&(objectClass=posixAccount)(uid=1001)) and then
SB> search for all the group of names containing that distinguished name
SB> (&(objectClass=groupOfNames)
SB> (member=uid=bscott,ou=People,dc=netlab,dc=albury,dc=tafe)). That's two
SB> transactions and seems unnecessarily wasteful. Mind you, if it was an
SB> option I'd probably turn it on.

Thanks for this fine explanation. I do not use GSS.

However, I found the following configuration option in (nss) ldap.conf
that helped me:

nss_map_attribute uniqueMember member

After commenting this in, everything seems to work fine:

penumbra# id gekueh
uid=1030(gekueh) gid=1012(aei) groups=1012(aei),1003(lisa)

Maybe this could be mentioned somewhere in the documentation? I used
<http://www.freebsd.org/doc/en/articles/ldap-auth/client.html> to set up
the client, but the information I got from this article was rather sparse
and led me down the wrong path more than once.

cu
Gerrit
_______________________________________________
[email protected] mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-stable
To unsubscribe, send any mail to "[email protected]"
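Added example, not from the mail or from nss_ldap itself: a small Python model of the group lookup discussed above, showing why a posixGroup with memberUid resolves without any configuration while a group whose membership lives in a DN-valued attribute (member) is only seen once that attribute is named, which is what the nss_map_attribute line does. The directory is constructed from the entries quoted in the mail; the extra 'staff' group with gid 20 is an assumption added to show the memberUid path.

```python
# Constructed sample directory modelled on the entries quoted in the mail.
# Note the user DN uses 'ou=People' while the group's member value uses
# 'ou=people': DN matching must be case-insensitive.
DIRECTORY = [
    {"dn": "uid=gekueh,ou=People,dc=aei,dc=uni-hannover,dc=de",
     "objectClass": ["posixAccount"], "uid": ["gekueh"],
     "uidNumber": ["1030"], "gidNumber": ["1012"]},
    {"dn": "cn=aei,ou=group,dc=aei,dc=uni-hannover,dc=de",
     "objectClass": ["posixGroup"], "cn": ["aei"], "gidNumber": ["1012"]},
    {"dn": "cn=lisa,ou=group,dc=aei,dc=uni-hannover,dc=de",
     "objectClass": ["posixGroup"], "cn": ["lisa"], "gidNumber": ["1003"],
     "member": ["uid=gekueh,ou=people,dc=aei,dc=uni-hannover,dc=de"]},
    {"dn": "cn=staff,ou=group,dc=aei,dc=uni-hannover,dc=de",  # assumed group
     "objectClass": ["posixGroup"], "cn": ["staff"], "gidNumber": ["20"],
     "memberUid": ["gekueh"]},
]

def dn_norm(dn):
    """Crude DN normalisation: case-fold and drop spaces around separators."""
    return ",".join(p.strip() for p in dn.lower().split(","))

def member_of(group, user, dn_attr):
    """RFC2307 memberUid holds plain login names and is always consulted.
    A DN-valued attribute (member or uniqueMember) is only consulted when
    dn_attr names it, mirroring what nss_map_attribute tells nss_ldap."""
    if user["uid"][0] in group.get("memberUid", []):
        return True
    if dn_attr is None:
        return False
    return dn_norm(user["dn"]) in {dn_norm(d) for d in group.get(dn_attr, [])}

def id_line(login, directory, dn_attr=None):
    """Return the string `id <login>` would print. dn_attr=None models the
    unmapped default; dn_attr='member' models the configuration in the mail."""
    user = next(e for e in directory
                if "posixAccount" in e["objectClass"] and e["uid"][0] == login)
    groups = [e for e in directory if "posixGroup" in e["objectClass"]]
    # Primary group comes from the account's gidNumber, not from membership.
    primary = next(g for g in groups if g["gidNumber"][0] == user["gidNumber"][0])
    secondary = [g for g in groups
                 if g is not primary and member_of(g, user, dn_attr)]
    fmt = lambda g: f"{g['gidNumber'][0]}({g['cn'][0]})"
    return (f"uid={user['uidNumber'][0]}({login}) gid={fmt(primary)} "
            f"groups={','.join(fmt(g) for g in [primary] + secondary)}")

if __name__ == "__main__":
    print(id_line("gekueh", DIRECTORY))            # 'lisa' missing
    print(id_line("gekueh", DIRECTORY, "member"))  # 'lisa' resolved
```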
