Re: dynlist and group membership (libnss-ldap, posixGroup, samba)

Thu, 20 May 2010 19:07:53 -0700 

Felipe Augusto van de Wiel <[email protected]> writes:

> Hi,
>
>       I'm afraid I'm missing something very simple
> here and it is likely that the issue is on libnss-ldap
> and not on OpenLDAP dynlist overlay, I just want to make
> sure everything is fine regarding OpenLDAP configuration.
>
>       I'm using Debian 5.0 (Lenny) and OpenLDAP 2.4.11
> (Debian packaged version). I'm also using rfc2307bis and
> I would like to have a dynamic group with all non-disabled
> Samba users. Not sure if it is recommended to send the
> full slapd.conf, so I'm just sending the parts I added in
> order to have the dynlist/"dynamic group".
>
> /etc/ldap/slapd.conf:
> include /etc/ldap/schema/dyngroup.schema
> ...
> overlay dynlist
> dynlist-attrset posixGroup labeledURI member
>
>
> $ ldapsearch -x cn=active-samba-users
> dn: cn=active-samba-users,ou=Groups,dc=ahpi,dc=org
> objectClass: top
> objectClass: groupOfNames
> objectClass: posixGroup
> objectClass: sambaGroupMapping
> objectClass: labeledURIObject
> cn: active-samba-users
> gidNumber: 999
> sambaSID: S-1-5-21-1234567899-1234567899-123456789-2999
> sambaGroupType: 2
> displayName: active samba users
> labeledURI: 
> ldap:///ou=People,?uid?sub?(&(objectClass=posixAccount)(objectClass=sambaSAMAccount)(!(sambaAcctFlags=*D*)))
>
>
>       When I run the search above I do get the
> expected results, several 'member' fields are
> added to the response:
>
> member: uid=userA,ou=People,dc=ahpi,dc=org
> member: uid=userB,ou=People,dc=ahpi,dc=org

That is what the dynlist overlay and the labeledURI attribute value
provide, according to your configuration.
>
>       The problem, is that I would expect and
> 'id userA' to include group 'active-samba-users'
> but it doesn't. But 'getent group active-samba-users'
> includes all the users:
>
> active-samba-users:*:999:userA,userB
[...]

modify the dynlist overlay configuration and rewrite the labeledURI
attribute value in order to match your requirements.

-Dieter

-- 
Dieter Klünter | Systemberatung
sip: +49.40.20932173
http://www.dpunkt.de/buecher/2104.html
GPG Key ID:8EF7B6C6

Reply via email to