From owner-freebsd-questions@FreeBSD.ORG Mon Apr 25 18:15:19 2005
Return-Path: <owner-freebsd-questions@FreeBSD.ORG>
Delivered-To: freebsd-questions@freebsd.org
Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id 609A816A4CE; Mon, 25 Apr 2005 18:15:19 +0000 (GMT)
Received: from mailhost.frm2.tum.de (mailhost.frm2.tum.de [129.187.179.12]) by mx1.FreeBSD.org (Postfix) with ESMTP id 1982743D41; Mon, 25 Apr 2005 18:15:16 +0000 (GMT) (envelope-from Joerg.Pulz@frm2.tum.de)
Received: from localhost (mailhost.frm2.tum.de [129.187.179.12]) by mailhost.frm2.tum.de (8.13.1/8.13.1) with ESMTP id j3PIFCnr083420; Mon, 25 Apr 2005 20:15:12 +0200 (CEST) (envelope-from jpulz@frm2.tum.de)
Received: from hades.admin.frm2 (hades.admin.frm2 [172.25.1.10]) by mailhost.frm2.tum.de (8.13.1/8.13.1) with ESMTP id j3PIF8uI083416 (version=TLSv1/SSLv3 cipher=DHE-RSA-AES256-SHA bits=256 verify=NOT); Mon, 25 Apr 2005 20:15:08 +0200 (CEST) (envelope-from jpulz@frm2.tum.de)
Received: from hades.admin.frm2 (localhost [127.0.0.1]) by hades.admin.frm2 (8.13.3/8.13.3) with ESMTP id j3PIF8FO015816; Mon, 25 Apr 2005 20:15:08 +0200 (CEST) (envelope-from jpulz@frm2.tum.de)
Received: (from jpulz@localhost) by hades.admin.frm2 (8.13.3/8.13.3/Submit) id j3PIF71R015815; Mon, 25 Apr 2005 20:15:07 +0200 (CEST) (envelope-from jpulz)
Date: Mon, 25 Apr 2005 20:15:05 +0200 (CEST)
From: Joerg Pulz
To: Don Brearley
Message-ID: <20050425194851.X955@hades.admin.frm2>
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII; format=flowed
X-Virus-Scanned: at mailhost.frm2.tum.de
cc: freebsd-questions@freebsd.org
Subject: Re: OpenLDAP 2.2.25 and FreeBSD 5.3 - group names and gid's
X-BeenThere: freebsd-questions@freebsd.org
X-Mailman-Version: 2.1.1
Precedence: list
List-Id: User questions
X-List-Received-Date: Mon, 25 Apr 2005 18:15:19 -0000

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

On Mon, 25 Apr 2005, Don Brearley wrote:

> Hello,
>
> I am having some problems with OpenLDAP 2.2.25 and FreeBSD 5.3.
>
> I can currently authenticate against my ldap db, and utilities like id and chown
> work with no problem.
>
> The problem is gid to group name mapping. In my ldif files, I can have a
> "uid" entry and a "uidNumber" entry. It would look something like this:
>
> uid: testuser
> uidNumber: 2001
>
> and that works. I cannot have a group entry of the same.
>
> gid: testgroup
> gidNumber: 2001
>
> OpenLDAP would complain that it couldn't read this file properly, not until
> the "gid: testgroup" entry was removed.
>
> When I attempt to use an app like "chown" I have to specify the actual
> gid number, e.g.:
>
> chown -R testuser:2001 /home/testuser
>
> I was wondering if anyone had found a way to have it so that you could
> just enter it by name, and not by number, e.g.:
>
> chown -R testuser:testgroup /home/testuser
>
> Obviously I would have to add a gid entry in my schema file, but I am left
> wondering why this isn't already in there. I don't want to spend a few hours
> trying to re-invent the wheel when there is already a reason for it to
> not be in there.
>
> Any help or light on this situation is deeply appreciated. If you need more
> information, please let me know and I shall provide it.

Hi,

I have authentication against OpenLDAP running a long time now and did not
experience such a thing. I have split the user and group information into
two separate trees. An example user and the group entry look like this:

- --- the user
# posixAccount is an AUXILIARY class in nis.schema, so the entry also needs a
# STRUCTURAL class; "account" from cosine.schema is used here (assumes that
# schema is loaded in slapd.conf).
dn: uid=testuser,ou=People,dc=domain,dc=tld
objectClass: top
objectClass: account
objectClass: posixAccount
uidNumber: 2001
gecos: Test User
loginShell: /bin/tcsh
uid: testuser
cn: Test User
gidNumber: 2001
homeDirectory: /home/testuser
userPassword: some_password

- --- the group
dn: cn=testgroup,ou=Group,dc=domain,dc=tld
objectClass: posixGroup
objectClass: top
cn: testgroup
userPassword: *
gidNumber: 2001
description: Local Unix group

If you configure nss_ldap to the following, you will be able to chown(8)
with names instead of numbers, and id(1) should give you names for the
groups too.

- --- nss_ldap.conf
nss_base_passwd ou=People,dc=domain,dc=tld?one
nss_base_group  ou=Group,dc=domain,dc=tld?one

If I understand your comments right, you have tried to add a "gid"
attribute to the user account with objectClass posixAccount, but this will
not work. Only the numeric gidNumber is allowed for this objectClass. It
behaves like flat Unix passwd(5) and group(5) files, where the numeric
gidNumber is stored in passwd(5) and this number is resolved using the
group(5) file.

Please think about it ;-) and try the things above.

Joerg

- --
The beginning is the most important part of the work.
-Plato
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.0 (FreeBSD)

iD8DBQFCbTOrSPOsGF+KA+MRAioiAJ4oSK/EupIQphRIneHcbWSHJ6YcHgCgx1wf
EHGs1oXINk95wgKc0IKW75A=
=lneJ
-----END PGP SIGNATURE-----
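The following is an added example, not part of the mail above and not code from OpenLDAP or nss_ldap. It models in Python what the reply describes: a posixAccount entry carries only the numeric gidNumber, the posixGroup entry under a separate base carries the name, and the NSS layer resolves one to the other the way passwd(5) and group(5) do. It also shows why Don's "gid: testgroup" attribute is rejected: the nis.schema attribute sets for posixAccount and posixGroup (RFC 2307) simply do not contain an attribute called gid. The LDIF is constructed from the two entries in the mail plus a third entry ("baduser") that repeats the gid mistake; the `?one` scope from nss_ldap.conf is emulated by a parent-DN comparison. Escaped commas in DNs and base64 (`::`) values are not handled, since none occur in this sample.

```python
"""Toy model of nss_ldap name resolution against RFC 2307 entries.

Added example; schema attribute sets follow nis.schema (posixAccount, posixGroup)
and cosine.schema (account). The LDIF below is constructed for illustration.
"""

# objectClass -> (MUST attributes, MAY attributes), as defined in RFC 2307 / cosine.
SCHEMA = {
    "posixAccount": ({"cn", "uid", "uidNumber", "gidNumber", "homeDirectory"},
                     {"userPassword", "loginShell", "gecos", "description"}),
    "posixGroup":   ({"cn", "gidNumber"},
                     {"userPassword", "memberUid", "description"}),
    "account":      ({"uid"},  # RFC 1274 'userid', aliased to uid
                     {"description", "seeAlso", "l", "o", "ou", "host"}),
}

# The two bases from nss_ldap.conf in the mail (scope 'one' emulated below).
NSS_BASE_PASSWD = "ou=People,dc=domain,dc=tld"
NSS_BASE_GROUP = "ou=Group,dc=domain,dc=tld"

SAMPLE_LDIF = """\
# constructed sample: the user and group from the mail, plus one entry with a bogus gid
dn: uid=testuser,ou=People,dc=domain,dc=tld
objectClass: top
objectClass: account
objectClass: posixAccount
uid: testuser
cn: Test User
uidNumber: 2001
gidNumber: 2001
homeDirectory: /home/testuser
loginShell: /bin/tcsh
gecos: Test User
userPassword: some_password

dn: cn=testgroup,ou=Group,dc=domain,dc=tld
objectClass: top
objectClass: posixGroup
cn: testgroup
gidNumber: 2001
userPassword: *
description: Local Unix group

dn: uid=baduser,ou=People,dc=domain,dc=tld
objectClass: top
objectClass: account
objectClass: posixAccount
uid: baduser
cn: Bad User
uidNumber: 2002
gid: testgroup
gidNumber: 2002
homeDirectory: /home/baduser
"""


def parse_ldif(text):
    """Parse simple LDIF into a list of {attr: [values]} dicts ('dn' is an attribute).
    Handles comments, blank-line separators and folded (leading-space) lines."""
    entries, cur, last_key = [], {}, None
    for raw in text.splitlines():
        if raw.startswith("#"):
            continue
        if not raw.strip():
            if cur:
                entries.append(cur)
            cur, last_key = {}, None
            continue
        if raw.startswith(" ") and last_key:      # LDIF line folding
            cur[last_key][-1] += raw[1:]
            continue
        key, _, val = raw.partition(":")
        key, val = key.strip(), val.strip()
        cur.setdefault(key, []).append(val)
        last_key = key
    if cur:
        entries.append(cur)
    return entries


def validate(entry):
    """Schema check slapd would do: every attribute must be MUST/MAY of some objectClass,
    and every MUST must be present. Attribute names are compared case-sensitively here."""
    allowed, required = {"objectClass"}, set()
    for oc in entry.get("objectClass", []):
        must, may = SCHEMA.get(oc, (set(), set()))
        allowed |= must | may
        required |= must
    present = set(entry) - {"dn"}
    errs = [f"attribute '{a}' not allowed by objectClass(es)" for a in sorted(present - allowed)]
    errs += [f"required attribute '{a}' missing" for a in sorted(required - present)]
    return errs


def one_level(entries, base):
    """Emulate 'base?one': keep entries whose parent DN equals the base."""
    return [e for e in entries if e["dn"][0].split(",", 1)[1].lower() == base.lower()]


def build_maps(entries):
    """Build passwd-like {uid_name: (uidNumber, gidNumber)} and group-like {cn: gidNumber}
    maps; entries that fail the schema check never make it into the directory."""
    passwd, group = {}, {}
    for e in one_level(entries, NSS_BASE_PASSWD):
        if "posixAccount" in e["objectClass"] and not validate(e):
            passwd[e["uid"][0]] = (int(e["uidNumber"][0]), int(e["gidNumber"][0]))
    for e in one_level(entries, NSS_BASE_GROUP):
        if "posixGroup" in e["objectClass"] and not validate(e):
            group[e["cn"][0]] = int(e["gidNumber"][0])
    return passwd, group


def gid_to_name(gid, group):
    """What id(1) does: find the group name for a numeric gid, None if unknown."""
    return next((name for name, g in group.items() if g == gid), None)


def resolve_owner(spec, passwd, group):
    """chown(8)-style 'user:group' to (uid, gid); names or numbers are accepted,
    and 'user:' means the user's login group from the passwd map."""
    user, _, grp = spec.partition(":")
    uid, login_gid = (int(user), None) if user.isdigit() else passwd[user]
    if not grp:
        gid = login_gid
    else:
        gid = int(grp) if grp.isdigit() else group[grp]
    return uid, gid


if __name__ == "__main__":
    ents = parse_ldif(SAMPLE_LDIF)
    for e in ents:
        print(e["dn"][0], validate(e) or "ok")
    pw, gr = build_maps(ents)
    print(resolve_owner("testuser:testgroup", pw, gr), gid_to_name(2001, gr))
```

Running it prints the schema verdict per entry (the "baduser" entry fails on `gid`), then the resolved `(2001, 2001)` for `testuser:testgroup` and the name `testgroup` for gid 2001, which is exactly what nss_ldap provides to chown(8) and id(1) once both bases are configured.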