03-11-2009, 07:03 PM
Martin

pam_ldap, nss_ldap and rfc2307bis (using member instead of memberUid)

Hi,

2009/3/4 Dave Ewart <davee@ceu.ox.ac.uk>:
> You don't explicitly mention this, so I'll just drop this in here:
> typically, you need to set both pam_groupdn and pam_member_attribute in
> /etc/pam_ldap.conf

I have set that:

# egrep -v '^$|^#' /etc/pam_ldap.conf
base dc=marcher,dc=name
uri ldap://localhost
ldap_version 3
pam_groupdn cn=testers,ou=Group,dc=marcher,dc=name
pam_member_attribute member
pam_password exop
nss_schema rfc2307bis
nss_map_attribute member memberUid

Also, this is the info I'm getting from pam_ldap right now. I'm starting
to think I'm in the wrong place with my config (pam_ldap is the right
place, not nss-ldap.conf, right?).


Anyone with ideas?

# getent group|grep 500
users:*:5000:john.doe
testers:*:5001:

# getent passwd|grep john
john.doe:x:1000:5000:,,,:/home/exuser:/bin/bash

# ldapsearch -LLL -x '(gidnumber=*)'
dn: uid=john.doe,ou=People,dc=marcher,dc=name
uid: john.doe
cn: Example User
objectClass: account
objectClass: posixAccount
objectClass: hostObject
objectClass: authorizedServiceObject
objectClass: top
objectClass: shadowAccount
loginShell: /bin/bash
uidNumber: 1000
homeDirectory: /home/exuser
gecos: ,,,
host: *
authorizedService: *
gidNumber: 5000

dn: cn=users,ou=Group,dc=marcher,dc=name
gidNumber: 5000
objectClass: groupOfNames
objectClass: top
objectClass: posixGroup
member: cn=Dummy
member: uid=john.doe,ou=People,dc=marcher,dc=name
cn: users
memberUid: john.doe

dn: cn=testers,ou=Group,dc=marcher,dc=name
objectClass: groupOfNames
objectClass: top
objectClass: posixGroup
cn: testers
member: cn=Dummy
member: uid=john.doe,ou=People,dc=marcher,dc=name
gidNumber: 5001


--
http://soup.alt.delete.co.at
http://www.xing.com/profile/Martin_Marcher
http://www.linkedin.com/in/martinmarcher

You are not free to read this message,
by doing so, you have violated my licence
and are required to urinate publicly. Thank you.

Please avoid sending me Word or PowerPoint attachments.
See http://www.gnu.org/philosophy/no-word-attachments.html


--
To UNSUBSCRIBE, email to debian-user-REQUEST@lists.debian.org
with a subject of "unsubscribe". Trouble? Contact listmaster@lists.debian.org
 
03-11-2009, 08:01 PM
Martin

pam_ldap, nss_ldap and rfc2307bis (using member instead of memberUid)

OK, I managed to get at least group memberships (somehow working):

# getent group testers users; id john.doe
testers:*:5001:cn=Dummy,uid=john.doe,ou=People,dc=marcher,dc=name
users:*:5000:cn=Dummy,uid=john.doe,ou=People,dc=marcher,dc=name
uid=1000(john.doe) gid=5000(users) groups=5000(users)

Now, why doesn't it work so that I just have john.doe as a member,
instead of the full DN of the LDAP object?

Still looking for ideas.

thanks,
martin




 
03-12-2009, 02:55 PM
Martin

pam_ldap, nss_ldap and rfc2307bis (using member instead of memberUid)

Hi,

2009/3/12 Dave Ewart <davee@ceu.ox.ac.uk>:
> On Wednesday, 11.03.2009 at 22:01 +0100, Martin wrote:
>
>> OK I Managed to get at least group memberships (somehow working):
>>
>> # getent group testers users; id john.doe
>> testers:*:5001:cn=Dummy,uid=john.doe,ou=People,dc=marcher,dc=name
>> users:*:5000:cn=Dummy,uid=john.doe,ou=People,dc=marcher,dc=name
>> uid=1000(john.doe) gid=5000(users) groups=5000(users)
>>
>> now, why doesn't it work so that I just have john.doe as a member but
>> instead the full DN of the ldap object?
>
> Your 'cn=testers' entry includes the full DN, so that's what gets
> returned.

Well, that is somewhat "on purpose"; the goal of the project is to only
have to maintain groups like this:

dn: cn=testers,ou=Group,dc=marcher,dc=name
objectClass: groupOfNames
objectClass: posixGroup
objectClass: top
cn: testers
gidNumber: 5001
member: uid=john.doe,ou=People,dc=marcher,dc=name

(mind the "member" attribute). With rfc2307bis, posixGroup is auxiliary
and libnss-ldap should be able to handle that. I just can't figure out
how.

/martin


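As an added example (not code from this thread or from nss_ldap), the following Python script reproduces both results seen in the thread from a reduced copy of the poster's own LDIF: copying `member` values verbatim, which is what the `nss_map_attribute member memberUid` mapping amounts to, yields the full DNs, whereas resolving each member DN against the posixAccount entries yields the bare uid that `getent group` is expected to show. The LDIF sample is constructed from the ldapsearch output above and the parser assumes no line folding or base64 values.

```python
from collections import defaultdict
# Constructed sample LDIF, reduced from the ldapsearch output in the thread.
LDIF = """\
dn: uid=john.doe,ou=People,dc=marcher,dc=name
objectClass: posixAccount
uid: john.doe

dn: cn=users,ou=Group,dc=marcher,dc=name
objectClass: posixGroup
cn: users
gidNumber: 5000
member: cn=Dummy
member: uid=john.doe,ou=People,dc=marcher,dc=name
memberUid: john.doe

dn: cn=testers,ou=Group,dc=marcher,dc=name
objectClass: posixGroup
cn: testers
gidNumber: 5001
member: cn=Dummy
member: uid=john.doe,ou=People,dc=marcher,dc=name
"""

def parse_ldif(text):
    """Parse simple LDIF (no folding/base64) into attr->values dicts; keys lowercased."""
    entries = []
    for block in text.strip().split("\n\n"):
        entry = defaultdict(list)
        for line in block.splitlines():
            attr, _, value = line.partition(":")
            entry[attr.strip().lower()].append(value.strip())
        entries.append(entry)
    return entries

def norm_dn(dn):
    """Normalise a DN for comparison: lowercase, no spaces around commas."""
    return ",".join(p.strip() for p in dn.lower().split(","))

def group_lines(entries, resolve_dns):
    """Return getent-style group lines. resolve_dns=False copies member values
    verbatim (the thread's nss_map_attribute member memberUid result); True
    resolves each member DN to a posixAccount uid and drops unresolvable DNs."""
    uid_by_dn = {norm_dn(e["dn"][0]): e["uid"][0]
                 for e in entries if "posixAccount" in e["objectclass"]}
    lines = []
    for g in (e for e in entries if "posixGroup" in e["objectclass"]):
        if resolve_dns:
            members = [uid_by_dn[norm_dn(m)] for m in g["member"] if norm_dn(m) in uid_by_dn]
            members += [u for u in g["memberuid"] if u not in members]
        else:
            members = list(g["member"])
        lines.append(f"{g['cn'][0]}:*:{g['gidnumber'][0]}:{','.join(members)}")
    return lines
```

Run against a real LDIF export, the resolving mode doubles as a sanity check that every `member` DN in a group points at an existing account; stale or bogus DNs such as `cn=Dummy` are dropped rather than surfacing as group members.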
 
