From: "Peter C. Lai" <peter@simons-rock.edu>
To: "Scott, Brian"
Cc: Gerrit Kühn, freebsd-stable@freebsd.org
Date: Wed, 24 Feb 2010 19:21:08 -0500
Subject: Re: nss_ldap and multiple group memberships

Wow, this is a really well-written explanation.

On 2010-02-25 11:17:32AM +1100, Scott, Brian wrote:
> It depends on the type of group. There are at least two types of group objects that you can use in LDAP, but only one of them works. You need to use posixGroup objects for unix groups. As I remember it, these have memberUid attributes for the member ids. These are simple unix identifiers. groupOfNames objects, on the other hand, have full distinguished names in 'member' attributes and can't be used by nss_ldap.
>
> The idea is that posixGroup and posixAccount mimic the unix files so extraction of the data is fast. If the software used a groupOfNames object then the returned member names would need to be queried as additional transactions to find the uids of those entries that had posixAccount information. This is because the original authentication was done by pam_ldap and that just returned a UID to the system. If it returned the LDAP distinguished name to the system, and if that could then be passed into nss_ldap, it would be possible to do the LDAP query in a single transaction. But then that all breaks down if you authenticate with something else like GSSAPI. If that was the case you would need to first search for the posixAccount object of the authenticated user (&(objectClass=posixAccount)(uid=1001)) and then search for all the group of names containing that distinguished name (&(objectClass=groupOfNames)(member=uid=bscott,ou=People,dc=netlab,dc=albury,dc=tafe)). That's two transactions and seems unnecessarily wasteful. Mind you, if it was an option I'd probably turn it on.
>
> Brian
>
>
> -----Original Message-----
> From: owner-freebsd-stable@freebsd.org [mailto:owner-freebsd-stable@freebsd.org] On Behalf Of Gerrit Kühn
> Sent: Wednesday, 24 February 2010 9:23 PM
> To: freebsd-stable@freebsd.org
> Subject: nss_ldap and multiple group memberships
>
> Hi all,
>
> Is anyone here using nss_ldap and can successfully get it to work with multiple group memberships? I would really like to get this to work here, but I only get the primary group:
>
> penumbra# id gekueh
> uid=1030(gekueh) gid=1012(aei) groups=1012(aei)
>
> getent group comes up with the complete group list. ldapsearch reports three groups with member:-lines for my user. Somehow nss does not pick this up. Any ideas?
>
>
> cu
> Gerrit
> _______________________________________________
> freebsd-stable@freebsd.org mailing list
> http://lists.freebsd.org/mailman/listinfo/freebsd-stable
> To unsubscribe, send any mail to "freebsd-stable-unsubscribe@freebsd.org"

-- 
===========================================================
Peter C. Lai                 | Bard College at Simon's Rock
Systems Administrator        | 84 Alford Rd.
Information Technology Svcs. | Gt. Barrington, MA 01230 USA
peter AT simons-rock.edu     | (413) 528-7428
===========================================================
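A check for the situation the thread describes (ldapsearch shows the user in several groups, but `id` reports only the primary group), written as an added example that is not code from the thread or from nss_ldap: it parses a constructed LDIF dump and splits the user's groups into posixGroup entries that carry the login in memberUid, which nss_ldap resolves, and groupOfNames entries that carry only the user's DN in member, which it ignores. The entry names, the DNs and the dc=example,dc=org base are constructed for the example.

```python
"""Hypothetical check (not part of nss_ldap): which groups in an LDIF dump
will nss_ldap actually hand back for a login, and which will it skip?"""
# Constructed LDIF (ldapsearch -LLL style): a posixAccount, a posixGroup naming the login in memberUid, a groupOfNames naming only the user's DN.
SAMPLE_LDIF = """\
dn: uid=gekueh,ou=People,dc=example,dc=org
objectClass: posixAccount
uid: gekueh
uidNumber: 1030
gidNumber: 1012

dn: cn=aei,ou=Group,dc=example,dc=org
objectClass: posixGroup
cn: aei
gidNumber: 1012
memberUid: gekueh

dn: cn=admins,ou=Group,dc=example,dc=org
objectClass: groupOfNames
cn: admins
member: uid=gekueh,ou=People,dc=example,dc=org
"""

def parse_ldif(text):
    """Split an LDIF dump into (dn, {attr: [values]}) entries."""
    entries, cur = [], {}
    for line in text.splitlines() + [""]:   # trailing "" flushes the last entry
        if not line.strip():
            if "dn" in cur:
                entries.append((cur["dn"][0], cur))
            cur = {}
            continue
        key, _, value = line.partition(": ")
        cur.setdefault(key, []).append(value)
    return entries

def classify_groups(ldif_text, login):
    """Return (visible, invisible): group cns nss_ldap resolves vs. ignores for login."""
    entries = parse_ldif(ldif_text)
    # The user's DN is only needed to match DN-valued groupOfNames 'member' attributes.
    user_dn = next(dn for dn, a in entries
                   if "posixAccount" in a.get("objectClass", []) and login in a.get("uid", []))
    visible, invisible = [], []
    for dn, a in entries:
        classes = a.get("objectClass", [])
        if "posixGroup" in classes and login in a.get("memberUid", []):
            visible.append(a["cn"][0])    # plain login in memberUid: one lookup, nss_ldap sees it
        elif "groupOfNames" in classes and user_dn in a.get("member", []):
            invisible.append(a["cn"][0])  # DN in member: nss_ldap never resolves it
    return visible, invisible
```

Running `classify_groups` over a real `ldapsearch -LLL` dump for the affected login shows directly which groups need a posixGroup/memberUid representation before `id` will list them.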