Date:      Thu, 25 Feb 2010 09:31:15 +0100
From:      Gerrit Kühn <gerrit@pmp.uni-hannover.de>
To:        "Scott, Brian" <brian.scott4@det.nsw.edu.au>
Cc:        freebsd-stable@freebsd.org
Subject:   Re: nss_ldap and multiple group memberships
Message-ID:  <20100225093115.c5a83239.gerrit@pmp.uni-hannover.de>
In-Reply-To: <B9FD027E84F6EE4783263F5393E72655011D4D8D@ALF2.riverina.det.win>
References:  <20100224112311.73ac53f6.gerrit@pmp.uni-hannover.de> <B9FD027E84F6EE4783263F5393E72655011D4D8D@ALF2.riverina.det.win>

On Thu, 25 Feb 2010 11:17:32 +1100 "Scott, Brian"
<brian.scott4@det.nsw.edu.au> wrote about RE: nss_ldap and multiple group
memberships:

SB> It depends on the type of group. There are at least two types of group
SB> objects that you can use in LDAP but only one of them works. You need
SB> to use posixGroup objects for unix groups. As I remember it, these
SB> have memberUid attributes for the member ids. These are simple unix
SB> identifiers. groupOfNames objects on the other hand have full
SB> distinguished names with 'member' attributes and can't be used by
SB> nss_ldap.

The server is running openldap under SLES and is not under my control.
ldapsearch gives group entries like

# lisa, group, aei.uni-hannover.de
dn: cn=lisa,ou=group,dc=aei,dc=uni-hannover,dc=de
cn: lisa
displayName: lisa
gidNumber: 1003
member: uid=gekueh,ou=people,dc=aei,dc=uni-hannover,dc=de
So this would be the first case, I guess.

SB> The idea is that posixGroup and posixAccount mimic the unix files so
SB> extraction of the data is fast. If the software used a groupOfNames
SB> object then the returned member names would need to be queried as
SB> additional transactions to find the uid's of those entries that had
SB> posixAccount information. This is because the original authentication
SB> was done by pam_ldap and that just returned a UID to the system. If it
SB> returned the LDAP distinguished name to the system, and if that could
SB> then be passed into nss_ldap it would be possible to do the LDAP query
SB> in a single transaction. But then that all breaks down if you
SB> authenticate with something else like GSSAPI. If that was the case you
SB> would need to first search for the posixAccount object of the
SB> authenticated user (&(objectClass=posixAccount)(uid=1001)) and then
SB> search for all the group of names containing that distinguished name (&
SB> (objectClass=groupOfNames)
SB> (member=uid=bscott,ou=People,dc=netlab,dc=albury,dc=tafe)). That's two
SB> transactions and seems unnecessarily wasteful. Mind you, if it was an
SB> option I'd probably turn it on.

Thanks for this fine explanation. I do not use GSS. However, I found the
following configuration option in (nss) ldap.conf that helped me:

nss_map_attribute uniqueMember member

After uncommenting this, everything seems to work fine:

penumbra# id gekueh
uid=1030(gekueh) gid=1012(aei) groups=1012(aei),1003(lisa)

Maybe this could be mentioned somewhere in the documentation? I used
<http://www.freebsd.org/doc/en/articles/ldap-auth/client.html> to set up
the client, but the information I got from this article was rather
sparse and led me down the wrong path more than once.


cu
  Gerrit
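Added illustration (not code from this thread or from nss_ldap itself): a small Python model of the group lookup that the nss_map_attribute line changes, run over constructed LDIF entries shaped like the one shown above. It assumes nss_ldap's default DN-valued group attribute is uniqueMember and that the account DN is uid=gekueh,ou=people,...; with the mapping to member the DN-style "lisa" group is found, without it only the memberUid group is.

```python
# Constructed LDIF group entries modelled on the ones quoted in the mail:
# "aei" is a plain posixGroup (memberUid), "lisa" keeps full DNs in "member".
LDIF = """\
dn: cn=aei,ou=group,dc=aei,dc=uni-hannover,dc=de
cn: aei
gidNumber: 1012
memberUid: gekueh

dn: cn=lisa,ou=group,dc=aei,dc=uni-hannover,dc=de
cn: lisa
gidNumber: 1003
member: uid=gekueh,ou=people,dc=aei,dc=uni-hannover,dc=de
"""

def parse_ldif(text):
    """Parse a flat LDIF dump into a list of {attribute: [values]} dicts."""
    entries, cur = [], {}
    for line in text.splitlines():
        if not line.strip():          # a blank line ends the current entry
            if cur:
                entries.append(cur)
                cur = {}
            continue
        attr, _, value = line.partition(": ")
        cur.setdefault(attr, []).append(value)
    if cur:
        entries.append(cur)
    return entries

def norm_dn(dn):
    """Normalise a DN for comparison: lower-case, no blanks around commas."""
    return ",".join(p.strip().lower() for p in dn.split(","))

def groups_for_user(entries, uid, user_dn, member_attr="uniqueMember"):
    """Mimic nss_ldap's group lookup: a group matches on a bare memberUid,
    or when the DN-valued attribute it is told to use holds the user's DN."""
    wanted, hits = norm_dn(user_dn), []
    for e in entries:
        dns = [norm_dn(d) for d in e.get(member_attr, [])]
        if uid in e.get("memberUid", []) or wanted in dns:
            hits.append((int(e["gidNumber"][0]), e["cn"][0]))
    return hits

def id_groups(entries, uid, user_dn, primary_gid, member_attr="uniqueMember"):
    """Render the groups= field of id(1) output, primary group first."""
    hits = groups_for_user(entries, uid, user_dn, member_attr)
    first = [g for g in hits if g[0] == primary_gid]
    rest = [g for g in hits if g not in first]
    return "groups=" + ",".join(f"{gid}({name})" for gid, name in first + rest)
```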