From owner-freebsd-net@freebsd.org  Wed Feb  7 06:20:38 2018
Return-Path: <owner-freebsd-net@freebsd.org>
Delivered-To: freebsd-net@mailman.ysv.freebsd.org
Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2610:1c1:1:606c::19:1])
 by mailman.ysv.freebsd.org (Postfix) with ESMTP id CA9F5EE0985
 for <freebsd-net@mailman.ysv.freebsd.org>;
 Wed,  7 Feb 2018 06:20:38 +0000 (UTC)
 (envelope-from ss713048@gmail.com)
Received: from n6.nabble.com (n6.nabble.com [162.255.23.37])
 by mx1.freebsd.org (Postfix) with ESMTP id 530DA78350
 for <freebsd-net@freebsd.org>; Wed,  7 Feb 2018 06:20:38 +0000 (UTC)
 (envelope-from ss713048@gmail.com)
Received: from n6.nabble.com (localhost [127.0.0.1])
 by n6.nabble.com (Postfix) with ESMTP id D53D745F078F
 for <freebsd-net@freebsd.org>; Tue,  6 Feb 2018 23:20:37 -0700 (MST)
Date: Tue, 6 Feb 2018 23:20:37 -0700 (MST)
From: zjlinickey <ss713048@gmail.com>
To: freebsd-net@freebsd.org
Message-ID: <1517984437871-0.post@n6.nabble.com>
Subject: Netgroup using LDAP in FreeBSD 11.1
MIME-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Transfer-Encoding: 7bit
X-BeenThere: freebsd-net@freebsd.org
X-Mailman-Version: 2.1.25
Precedence: list
List-Id: Networking and TCP/IP with FreeBSD <freebsd-net.freebsd.org>
List-Unsubscribe: <https://lists.freebsd.org/mailman/options/freebsd-net>,
 <mailto:freebsd-net-request@freebsd.org?subject=unsubscribe>
List-Archive: <http://lists.freebsd.org/pipermail/freebsd-net/>
List-Post: <mailto:freebsd-net@freebsd.org>
List-Help: <mailto:freebsd-net-request@freebsd.org?subject=help>
List-Subscribe: <https://lists.freebsd.org/mailman/listinfo/freebsd-net>,
 <mailto:freebsd-net-request@freebsd.org?subject=subscribe>
X-List-Received-Date: Wed, 07 Feb 2018 06:20:39 -0000

Hi

We try to use netgroup and backend is LDAP.
We use nss-pam-ldapd, it contains nss_ldap, pam_ldap and nslcd.
passwd and group have been impelemented in nslcd, and work ok.
But nslcd looks like not impelement function __nss_compat_getnetgrent_r in
FreeBSD.
There in only __nss_compat_getgrent_r in libc.

I found the patch, 
https://people.freebsd.org/~markj/patches/nss_ldap_netgroup.patch, but looks
like it didn't patch to libc. 
We reference the patch and try to impelement the function
__nss_compat_getnetgrent_r,
getent netgroup <netgroup_name> looks like ok.
But when netgroup's entry contain another group, it will be wrong.
e.g.
all-users teamA teamB
teamA (,Bob,) (,Alice,)
teamB (,Eric,) (,Andy,)

Help will be greatly appreciated, as this could impact other ways our system
still need netgroup...

My nsswitch.conf is:
group: files ldap
hosts: files dns
networks: files ldap
netgroup: ldap
passwd: files ldap
shells: files
services: compat
services_compat: files
protocols: files
rpc: files

LDAP schema is:
dn: cn=testNetgroup,ou=Netgroup,dc=mydomain,dc=com
objectClass: nisNetgroup
objectClass: top
cn: testNetgroup
nisNetgroupTriple: (,aaa,)
nisNetgroupTriple: (,bbb,)
nisNetgroupTriple: (,ccc,)

Thank you! 

Z. J. Lin




--
Sent from: http://freebsd.1045724.x6.nabble.com/freebsd-net-f4005075.html