No problem. As a follow-up, the bug fix for CR 6508109 did make it into
the gate last night, before build 56 gate close, so the change will
be flowing out through the system to the OpenSolaris trees shortly.
It should be in the 20070108 nightly build at this point in time.
The following bug fixes made it into this same b56 build last night:
6496648 New nsswitch doesn't handle netmasks entries with comments appended
6508109 getgrent[_r] can't get entry from ldap backend
6508123 getauuserent[_r] and getuserattr can't get entry with compat backend.
6510271 nss_nis returns NSS_SUCCESS when no netgroup can be found
6467539 nscd's keeps persistent connections to even wedged LDAP servers.
6494750 nscd reuses ports after long idle time causes lookup failures
6502782 libsldap dumps core when enumerating databases
6502783 libsldap: processes sharing an ldap connection may get incorrect search results
Once you upgrade to this build or later, you shouldn't need to modify the
group entries in your DIT.
Doug.
Thomas Garner wrote:
> Excellent. I added memberuid: tgarner to my group in ldap and solaris
> sees the group now. Thanks for a quick and thorough response!
>
> Thomas
>
> On 1/8/07, Doug Leavitt <Doug.Leavitt at sun.com> wrote:
>> Hi Thomas,
>> I asked around and we're pretty sure the bug you are hitting is
>> one that we are working on right now, and hope to deliver shortly.
>> The bug is:
>> CR 6508109 getgrent[_r] can't get entry from ldap backend
>>
>>
>> If I recall correctly you can confirm this by adding a memberuid
>> attr/value to your group entry such as:
>>
>> memberuid: tgartner
>>
>> getent should respond properly. We hope to have this fixed shortly.
>> We are attempting to get testing complete so it can be fixed in the
>> b56 build.
>>
>> Doug.
>>
>>
>> Thomas Garner wrote:
>> > I hope this is an appropriate list. If not please redirect me.
>> >
>> > I am working to try and get a Nexenta (elatte-testing) machine to act
>> > as a client to a Debian OpenLDAP server. I have gotten most
>> > everything to work, except ldap group resolution. I do have a Debian
>> > LDAP client that is working fine with the ldap server. But, on the
>> > Nexenta machine, I can see all users (local and ldap), and local
>> > groups, but no ldap groups. ldaplist will list the sole ldap group I
>> > have, but getent does not seem to recognize that the group exists. It
>> > seems to me to be a configuration issue, but I've beaten my head
>> > against the wall and made no progress. Below is some context.
>> >
>> > Thanks!
>> > Thomas
>> >
>> > [root at filer1 ~]# uname -a
>> > SunOS filer1 5.11 NexentaOS_20061122 i86pc i386 i86pc Solaris
>> > [root at filer1 ~]# getent passwd tgarner
>> > tgarner:x:1001:1001:Thomas Garner,,,:/home/tgarner:/bin/bash
>> > [root at filer1 ~]# ldaplist -l group
>> > dn: cn=tgarner,ou=Group,dc=chobas,dc=com
>> > objectClass: posixGroup
>> > objectClass: top
>> > cn: tgarner
>> > userPassword: {crypt}x
>> > gidNumber: 1001
>> > [root at filer1 ~]# getent group
>> > root:*:0:
>> > other:*:1:root
>> > bin:*:2:root,daemon
>> > sys:*:3:root,bin,adm
>> > adm:*:4:root,daemon
>> > uucp:*:5:root
>> > mail:*:6:root
>> > tty:*:7:root,adm
>> > lp:*:8:root,adm
>> > nuucp:*:9:root
>> > staff:*:10:
>> > daemon:*:12:root
>> > proxy:*:13:
>> > sysadmin:*:14:
>> > kmem:*:15:
>> > disk:*:16:
>> > news:*:17:
>> > man:*:18:
>> > dialout:*:20:
>> > fax:*:21:
>> > voice:*:22:
>> > floppy:*:23:
>> > cdrom:*:24:
>> > smmsp:*:25:
>> > tape:*:26:
>> > sudo:*:27:
>> > audio:*:29:
>> > dip:*:30:
>> > www-data:*:33:
>> > backup:*:34:
>> > operator:*:37:
>> > list:*:38:
>> > irc:*:39:
>> > src:*:40:
>> > gnats:*:41:
>> > shadow:*:42:
>> > utmp:*:43:
>> > video:*:44:
>> > sasl:*:45:
>> > plugdev:*:46:
>> > gdm:*:50:
>> > games:*:60:
>> > webservd:*:80:
>> > users:*:100:
>> > nobody:*:60001:
>> > noaccess:*:60002:
>> > nogroup:*:65534:
>> > [root at filer1 ~]# cat /etc/nsswitch.conf
>> > passwd: files ldap
>> > group: files ldap
>> >
>> > # You must also set up the /etc/resolv.conf file for DNS name
>> > # server lookup. See resolv.conf(4).
>> > hosts: files dns
>> >
>> > # Note that IPv4 addresses are searched for in all of the ipnodes databases
>> > # before searching the hosts databases.
>> > ipnodes: files dns
>> >
>> > networks: files
>> > protocols: files
>> > rpc: files
>> > ethers: files
>> > netmasks: files
>> > bootparams: files
>> > publickey: files
>> > # At present there isn't a 'files' backend for netgroup; the system will
>> > # figure it out pretty quickly, and won't use netgroups at all.
>> > netgroup: files
>> > automount: files
>> > aliases: files
>> > services: files
>> > printers: user files
>> >
>> > auth_attr: files
>> > prof_attr: files
>> > project: files
>> >
>> > tnrhtp: files
>> > tnrhdb: files
>> > [root at filer1 ~]# cat /var/ldap/ldap_client_file
>> > #
>> > # Do not edit this file manually; your changes will be lost.Please use ldapclient (1M) instead.
>> > #
>> > NS_LDAP_FILE_VERSION= 2.0
>> > NS_LDAP_SERVERS= 192.168.1.136
>> > NS_LDAP_SEARCH_BASEDN= dc=chobas,dc=com
>> > NS_LDAP_AUTH= simple
>> > NS_LDAP_SEARCH_REF= TRUE
>> > NS_LDAP_SEARCH_SCOPE= one
>> > NS_LDAP_SEARCH_TIME= 30
>> > NS_LDAP_CACHETTL= 43200
>> > NS_LDAP_PROFILE= default
>> > NS_LDAP_CREDENTIAL_LEVEL= proxy
>> > NS_LDAP_SERVICE_SEARCH_DESC= group: ou=Group,dc=chobas,dc=com
>> > NS_LDAP_SERVICE_SEARCH_DESC= passwd: ou=People,dc=chobas,dc=com
>> > NS_LDAP_SERVICE_SEARCH_DESC= shadow: ou=People,dc=chobas,dc=com
>> > NS_LDAP_BIND_TIME= 2
>> > [root at filer1 ~]# dpkg -S getent
>> > sunwcsu: /usr/bin/getent
>> > [root at filer1 ~]# dpkg -l sunwcsu
>> > Desired=Unknown/Install/Remove/Purge/Hold
>> > | Status=Not/Installed/Config-files/Unpacked/Failed-config/Half-installed
>> > |/ Err?=(none)/Hold/Reinst-required/X=both-problems (Status,Err: uppercase=bad)
>> > ||/ Name Version Description
>> > +++-===========================-===========================-======================================================================
>> > ii sunwcsu 5.11.50-1 Core Solaris, (Usr)
>>
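
The symptom in this thread (ldaplist shows a group that getent group does not return) can be checked across a whole directory by comparing saved output of the two commands. The script below is an added example, not part of the original messages or of any Solaris tool; the function names, file names and the "ops"/"alice" sample entry are constructed, and only the tgarner entry comes from the thread.

```shell
#!/bin/sh
# Added example. $1 = saved `ldaplist -l group` output, $2 = saved `getent group` output.
# Prints cn:gidNumber:has-memberUid|no-memberUid for each LDAP group NSS did not return.
missing_ldap_groups() {
    awk '
        function emit() {
            if (cn != "" && gid != "" && !((cn ":" gid) in seen))
                print cn ":" gid ":" (members ? "has-memberUid" : "no-memberUid")
            cn = ""; gid = ""; members = 0
        }
        # Pass 1: getent lines are name:passwd:gid:members
        pass == 1 { split($0, f, ":"); seen[f[1] ":" f[3]] = 1; next }
        # Pass 2: ldaplist -l entries; attribute lines may be indented
        { line = $0; sub(/^[ \t]+/, "", line); key = tolower(line) }
        key ~ /^dn:/ { emit(); next }
        key ~ /^cn:/ && cn == "" { sub(/^[^:]*:[ \t]*/, "", line); cn = line }
        key ~ /^gidnumber:/ { sub(/^[^:]*:[ \t]*/, "", line); gid = line }
        key ~ /^memberuid:/ { members = 1 }
        END { emit() }
    ' pass=1 "$2" pass=2 "$1"
}

demo() {
    tmp=$(mktemp -d) || return 1
    # First entry is the group shown in the thread; "ops" and "alice" are constructed.
    cat > "$tmp/ldaplist.out" <<'EOF'
dn: cn=tgarner,ou=Group,dc=chobas,dc=com
  objectClass: posixGroup
  cn: tgarner
  gidNumber: 1001

dn: cn=ops,ou=Group,dc=chobas,dc=com
  objectClass: posixGroup
  cn: ops
  gidNumber: 2001
  memberUid: alice
EOF
    # Constructed getent output: local groups plus the one LDAP group NSS returned.
    cat > "$tmp/getent.out" <<'EOF'
root:*:0:
staff:*:10:
ops:*:2001:alice
EOF
    missing_ldap_groups "$tmp/ldaplist.out" "$tmp/getent.out"
    rm -rf "$tmp"
}

demo   # prints: tgarner:1001:no-memberUid
```

A group reported as no-memberUid matches the case discussed above, where adding a memberuid value made getent return the group; one reported as has-memberUid points to a different cause.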