On Wednesday, 04.03.2009 at 09:11 +0100, Martin wrote:

> I'd like to use the rfc2307bis schema on our openldap server (I know
> it's deleted by IETF). However I can't quite figure out how I could
> convince either pam_ldap and/or nss_ldap to accept the group
> memberships. All the groups a are found, the users are found but I
> couldn't figure out what I need to tell /etc/pam_ldap.conf to accept
> the memberships as set in the ldif entries below.

You don't explicitly mention this, so I'll just drop this in here:
typically, you need to set both pam_groupdn and pam_member_attribute in
/etc/pam_ldap.conf

Dave.

--
Dave Ewart
davee@ceu.ox.ac.uk
Computing Manager, Cancer Epidemiology Unit
University of Oxford / Cancer Research UK
PGP: CC70 1883 BD92 E665 B840 118B 6E94 2CFD 694D E370
Get key from http://www.ceu.ox.ac.uk/~davee/davee-ceu-ox-ac-uk.asc
N 51.7516, W 1.2152

On Wednesday, 11.03.2009 at 22:01 +0100, Martin wrote:

> OK I Managed to get at least group memberships (somehow working):
>
> # getent group testers users; id john.doe
> testers:*:5001:cn=Dummy,uid=john.doe,ou=People,dc= marcher,dc=name
> users:*:5000:cn=Dummy,uid=john.doe,ou=People,dc=ma rcher,dc=name
> uid=1000(john.doe) gid=5000(users) groups=5000(users)
>
> now, why doesn't it work so that I just have john.doe as a member but
> instead the full DN of the ldap object?

Your 'cn=testers' entry includes the full DN, so that's what gets
returned.

Depending on what you're trying to do, you could probably do some
ldapsearch/sed pipeline to just return what you need.

Dave.

--
Dave Ewart
davee@ceu.ox.ac.uk
Computing Manager, Cancer Epidemiology Unit
University of Oxford / Cancer Research UK
PGP: CC70 1883 BD92 E665 B840 118B 6E94 2CFD 694D E370
Get key from http://www.ceu.ox.ac.uk/~davee/davee-ceu-ox-ac-uk.asc
N 51.7516, W 1.2152