From: Gerrit Kühn
To: "Scott, Brian"
Cc: freebsd-stable@freebsd.org
Date: Thu, 25 Feb 2010 09:31:15 +0100
Subject: Re: nss_ldap and multiple group memberships
Message-Id: <20100225093115.c5a83239.gerrit@pmp.uni-hannover.de>
In-Reply-To:
References: <20100224112311.73ac53f6.gerrit@pmp.uni-hannover.de>
Organization: Albert-Einstein-Institut (MPI für Gravitationsphysik & IGP Universität Hannover)
X-Mailer: Sylpheed 2.7.1 (GTK+ 2.18.4; i386-portbld-freebsd7.0)
List-Id: Production branch of FreeBSD source code

On Thu, 25 Feb 2010 11:17:32 +1100
"Scott, Brian" wrote about RE: nss_ldap and multiple group memberships:

SB> It depends on the type of group. There are at least two types of group
SB> objects that you can use in LDAP but only one of them works. You need
SB> to use posixGroup objects for unix groups. As I remember it, these
SB> have memberUid attributes for the member ids. These are simple unix
SB> identifiers. groupOfNames objects on the other hand have full
SB> distinguished names with 'member' attributes and can't be used by
SB> nss_ldap.

The server is running openldap under SLES and is not under my control.
ldapsearch gives group entries like

# lisa, group, aei.uni-hannover.de
dn: cn=lisa,ou=group,dc=aei,dc=uni-hannover,dc=de
cn: lisa
displayName: lisa
gidNumber: 1003
member: uid=gekueh,ou=people,dc=aei,dc=uni-hannover,dc=de

So this would be the first case, I guess.

SB> The idea is that posixGroup and posixAccount mimic the unix files so
SB> extraction of the data is fast. If the software used a groupOfNames
SB> object then the returned member names would need to be queried as
SB> additional transactions to find the uids of those entries that had
SB> posixAccount information. This is because the original authentication
SB> was done by pam_ldap and that just returned a UID to the system. If it
SB> returned the LDAP distinguished name to the system, and if that could
SB> then be passed into nss_ldap it would be possible to do the LDAP query
SB> in a single transaction. But then that all breaks down if you
SB> authenticate with something else like GSSAPI. If that was the case you
SB> would need to first search for the posixAccount object of the
SB> authenticated user (&(objectClass=posixAccount)(uid=1001)) and then
SB> search for all the group of names containing that distinguished name (&
SB> (objectClass=groupOfNames)
SB> (member=uid=bscott,ou=People,dc=netlab,dc=albury,dc=tafe)). That's two
SB> transactions and seems unnecessarily wasteful. Mind you, if it was an
SB> option I'd probably turn it on.

Thanks for this fine explanation. I do not use GSS.
However, I found the following configuration option in (nss) ldap.conf
that helped me:

nss_map_attribute uniqueMember member

After commenting this in, everything seems to work fine:

penumbra# id gekueh
uid=1030(gekueh) gid=1012(aei) groups=1012(aei),1003(lisa)

Maybe this could be mentioned somewhere in the documentation? I used
to set up the client, but the information I got from this article was
rather sparse and led me down the wrong path more than once.

cu
  Gerrit
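An added example, not code from this thread or from nss_ldap itself, modelling the two lookups Brian describes on constructed entries shaped like the ones quoted above: a memberUid lookup finds only the posixGroup, while a DN-valued membership attribute (what the nss_map_attribute line points nss_ldap at) first needs the user's DN from a posixAccount search. The function names and the account and 'aei' entries are assumptions made to match the id output.

```python
SAMPLE_LDIF = """\
dn: uid=gekueh,ou=people,dc=aei,dc=uni-hannover,dc=de
objectClass: posixAccount
uid: gekueh

dn: cn=aei,ou=group,dc=aei,dc=uni-hannover,dc=de
cn: aei
gidNumber: 1012
memberUid: gekueh

dn: cn=lisa,ou=group,dc=aei,dc=uni-hannover,dc=de
cn: lisa
gidNumber: 1003
member: uid=gekueh,ou=people,dc=aei,dc=uni-hannover,dc=de
"""  # constructed sample: account and 'aei' invented to match the id output; 'lisa' mirrors the quoted entry

def parse_ldif(text):
    """Minimal LDIF parser: a blank line ends an entry; returns a list of {attr: [values]}."""
    entries, cur = [], {}
    for line in [ln.strip() for ln in text.splitlines()] + [""]:   # sentinel flushes the last entry
        if line.startswith("#"):
            continue
        if line:
            attr, _, value = line.partition(":")
            cur.setdefault(attr.strip(), []).append(value.strip())
        elif cur:
            entries.append(cur)
            cur = {}
    return entries

def account_dn(entries, uid):
    """Transaction 1, the (&(objectClass=posixAccount)(uid=...)) search: DN or None."""
    hits = [e["dn"][0] for e in entries
            if "posixAccount" in e.get("objectClass", []) and uid in e.get("uid", [])]
    return hits[0] if hits else None

def supplementary_groups(entries, uid, member_attr="memberUid"):
    """Transaction 2: {gid: cn} of groups whose member_attr lists uid.
    memberUid holds login names; 'member' holds DNs, matched case-insensitively."""
    dn = account_dn(entries, uid)
    found = {}
    for e in entries:
        values = e.get(member_attr, [])
        if member_attr == "memberUid":
            hit = uid in values
        else:                       # DN-valued attribute: needs transaction 1 first
            hit = dn is not None and dn.lower() in [v.lower() for v in values]
        if hit and "gidNumber" in e:
            found[int(e["gidNumber"][0])] = e["cn"][0]
    return found
```

Either way the lookup fails closed: a mapping that points at the wrong attribute drops supplementary groups rather than adding any, which is the "only the primary group" symptom of the original question.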