Date: Mon, 25 Apr 2005 13:47:41 -0500
From: "Don Brearley" <donbrearley@hcc.mnscu.edu>
To: <Joerg.Pulz@frm2.tum.de>
Cc: freebsd-questions@freebsd.org
Subject: Re: OpenLDAP 2.2.25 and FreeBSD 5.3 - group names and gid's
Message-ID: <s26cf508.037@hccgwy.mnscu.edu>
Joerg,

Yeah.. I just discovered my problem was that I wasn't putting appropriate groups into my groups ou when adding users. My mistake. (Doh!)

Thanks for your email!

- Don

>>> Joerg Pulz <Joerg.Pulz@frm2.tum.de> 04/25/05 12:15PM >>>
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

On Mon, 25 Apr 2005, Don Brearley wrote:

> Hello,
>
> I am having some problems with OpenLDAP 2.2.25 and FreeBSD 5.3.
>
> I can currently authenticate against my ldap db, and utilities like id and chown
> work with no problem.
>
> The problem is gid to group name mapping. In my ldif files, I can have a
> "uid" entry and a "uidNumber" entry. It would look something like this:
>
> uid: testuser
> uidNumber: 2001
>
> and that works. I cannot have a group entry of the same.
>
> gid: testgroup
> gidNumber: 2001
>
> OpenLDAP would complain that it couldn't read this file properly.. not until
> the "gid:testgroup" entry was removed.
>
> When I attempt to use an app like "chown" I have to specify the actual
> gid number, eg:
>
> chown -R testuser:2001 /home/testuser
>
> I was wondering if anyone had found a way to have it so that you could
> just enter it by name, and not by number. eg:
>
> chown -R testuser:testgroup /home/testuser
>
> Obviously I would have to add a gid entry in my schema file, but I am left
> wondering why this isn't already in there.. I don't want to spend a few hours
> trying to re-invent the wheel when there is already a reason for it to
> not be in there.
>
> Any help or light on this situation is deeply appreciated. If you need more
> information, please let me know and I shall provide it.

Hi,

I have authentication against OpenLDAP running a long time now and did not
experience such a thing. I have split the user and group information into two
separate trees. An example user and the group entry look like this:

--- the user
dn: uid=testuser,ou=People,dc=domain,dc=tld
objectClass: top
objectClass: posixAccount
uidNumber: 2001
gecos: Test User
loginShell: /bin/tcsh
uid: testuser
cn: Test User
gidNumber: 2001
homeDirectory: /home/testuser
userPassword: some_password

--- the group
dn: cn=testgroup,ou=Group,dc=domain,dc=tld
objectClass: posixGroup
objectClass: top
cn: testgroup
userPassword: *
gidNumber: 2001
description: Local Unix group

If you configure nss_ldap as follows you will be able to chown(8)
with names instead of numbers, and id(1) should give you names for the
groups too.

--- nss_ldap.conf
nss_base_passwd ou=People,dc=domain,dc=tld?one
nss_base_group ou=Group,dc=domain,dc=tld?one

If I understand your comments right, you have tried to add a "gid"
attribute to the user account with objectClass posixAccount, but this will
not work. Only the numeric gidNumber is allowed for this objectClass. It
behaves like flat Unix passwd(5) and group(5) files, where the numeric
gidNumber is stored in passwd(5) and this number is resolved using the
group(5) file.

Please think about it ;-) and try the things above.

Joerg

-- 
The beginning is the most important part of the work. -Plato
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.0 (FreeBSD)

iD8DBQFCbTOrSPOsGF+KA+MRAioiAJ4oSK/EupIQphRIneHcbWSHJ6YcHgCgx1wf
EHGs1oXINk95wgKc0IKW75A=
=lneJ
-----END PGP SIGNATURE-----
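Joerg's point in the thread above (a posixAccount carries only the numeric gidNumber, and the group name is resolved through the posixGroup tree that nss_base_group points at, exactly as passwd(5) is resolved against group(5)) can be checked with a small emulation. The Python script below is an added example, not code from the thread or from OpenLDAP/nss_ldap: it parses the two LDIF entries Joerg posted (embedded here as constructed sample data, with the dc=domain,dc=tld placeholders kept), checks each entry against the RFC 2307 attribute sets for posixAccount and posixGroup, and works out what id(1) would print for the user given the nss_base_passwd / nss_base_group search bases. The SCHEMA table, parse_ldif, schema_errors, in_base and id_command are all helper names assumed for this example; only the "one" and "sub" search scopes are emulated, and the objectClass check is simplified (no class inheritance).

```python
"""Emulate nss_ldap's passwd/group resolution over RFC 2307 LDIF entries.

Added example (not code from the thread or from OpenLDAP/nss_ldap).
The LDIF below is constructed sample data copied from the entries in
the thread; dc=domain,dc=tld are the placeholders Joerg used.
"""

# RFC 2307 attribute sets (nis.schema in OpenLDAP).  Note that no "gid"
# attribute exists in either class: an account entry carrying one is an
# objectClass violation, which is why slapd rejected the LDIF.
# Simplification: class inheritance (posixAccount is AUXILIARY, "top" is
# ABSTRACT) is not modelled; "top" is simply skipped.
SCHEMA = {
    "posixAccount": {
        "must": {"cn", "uid", "uidNumber", "gidNumber", "homeDirectory"},
        "may": {"userPassword", "loginShell", "gecos", "description"},
    },
    "posixGroup": {
        "must": {"cn", "gidNumber"},
        "may": {"userPassword", "memberUid", "description"},
    },
}
COMMON = {"dn", "objectClass"}  # present on every entry regardless of class

SAMPLE_LDIF = """\
dn: uid=testuser,ou=People,dc=domain,dc=tld
objectClass: top
objectClass: posixAccount
uidNumber: 2001
gecos: Test User
loginShell: /bin/tcsh
uid: testuser
cn: Test User
gidNumber: 2001
homeDirectory: /home/testuser
userPassword: some_password

dn: cn=testgroup,ou=Group,dc=domain,dc=tld
objectClass: posixGroup
objectClass: top
cn: testgroup
userPassword: *
gidNumber: 2001
description: Local Unix group
"""


def parse_ldif(text):
    """Minimal LDIF parser: blank-line separated entries, one 'attr: value'
    per line; every attribute maps to a list because LDAP attributes are
    multi-valued (objectClass here has two values)."""
    entries = []
    for block in text.strip().split("\n\n"):
        entry = {}
        for line in block.splitlines():
            if not line.strip() or line.startswith("#"):
                continue
            attr, _, value = line.partition(":")
            entry.setdefault(attr.strip(), []).append(value.strip())
        entries.append(entry)
    return entries


def schema_errors(entry):
    """Attributes that none of the entry's objectClasses allow, plus MUST
    attributes that are missing.  Empty list means the entry would load."""
    allowed, required = set(COMMON), set()
    for oc in entry.get("objectClass", []):
        if oc in SCHEMA:
            allowed |= SCHEMA[oc]["must"] | SCHEMA[oc]["may"]
            required |= SCHEMA[oc]["must"]
    present = set(entry)
    errors = [f"attribute not allowed: {a}" for a in sorted(present - allowed)]
    errors += [f"required attribute missing: {a}" for a in sorted(required - present)]
    return errors


def in_base(entry, base, scope="one"):
    """Emulate an nss_ldap 'base?scope' search base for a single entry."""
    dn = entry["dn"][0].lower()
    parent = dn.split(",", 1)[1] if "," in dn else ""
    if scope == "one":
        return parent == base.lower()
    return dn.endswith("," + base.lower())  # 'sub': anywhere underneath


def id_command(user, entries, passwd_base="ou=People,dc=domain,dc=tld",
               group_base="ou=Group,dc=domain,dc=tld", scope="one"):
    """What id(1) would print for the user.  The account supplies only the
    numeric gid; the name comes from a posixGroup under nss_base_group.  If
    no such group is found, the bare number is shown, which is the symptom
    described in the thread (chown by name fails, id prints a number)."""
    passwd = {e["uid"][0]: e for e in entries
              if "posixAccount" in e.get("objectClass", []) and in_base(e, passwd_base, scope)}
    groups = {e["gidNumber"][0]: e["cn"][0] for e in entries
              if "posixGroup" in e.get("objectClass", []) and in_base(e, group_base, scope)}
    acct = passwd[user]
    uid, gid = acct["uidNumber"][0], acct["gidNumber"][0]
    gname = groups.get(gid)
    out = f"uid={uid}({acct['uid'][0]}) gid={gid}"
    return out + (f"({gname})" if gname else "")


if __name__ == "__main__":
    entries = parse_ldif(SAMPLE_LDIF)
    for e in entries:
        print(e["dn"][0], "->", schema_errors(e) or "ok")
    print(id_command("testuser", entries))
```

Adding `gid: testgroup` to the account entry makes schema_errors report "attribute not allowed: gid", the same class of error slapd raised on the original LDIF, while pointing nss_base_group at a subtree that does not contain the posixGroup reproduces the numeric-only id(1) output Don saw before he fixed his groups ou.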