From: "Don Brearley" <donbrearley@hcc.mnscu.edu>
cc: freebsd-questions@freebsd.org
Date: Mon, 25 Apr 2005 13:47:41 -0500
Subject: Re: OpenLDAP 2.2.25 and FreeBSD 5.3 - group names and gid's

Joerg,

Yeah.. I just discovered my problem was that I wasn't putting appropriate groups into my groups ou when adding users. My mistake. (Doh!)

Thanks for your email!

- Don

>>> Joerg Pulz 04/25/05 12:15PM >>>

On Mon, 25 Apr 2005, Don Brearley wrote:

> Hello,
>
> I am having some problems with OpenLDAP 2.2.25 and FreeBSD 5.3.
>
> I can currently authenticate against my ldap db, and utilities like id and chown
> work with no problem.
>
> The problem is gid to group name mapping. In my ldif files, I can have a
> "uid" entry and a "uidNumber" entry. It would look something like this:
>
> uid: testuser
> uidNumber: 2001
>
> and that works. I cannot have a group entry of the same.
>
> gid: testgroup
> gidNumber: 2001
>
> OpenLDAP would complain that it couldn't read this file properly.. not until
> the "gid: testgroup" entry was removed.
>
> When I attempt to use an app like "chown" I have to specify the actual
> gid number, eg:
>
> chown -R testuser:2001 /home/testuser
>
> I was wondering if anyone had found a way to have it so that you could
> just enter it by name, and not by number. eg:
>
> chown -R testuser:testgroup /home/testuser
>
> Obviously I would have to add a gid entry in my schema file, but I am left
> wondering why this isn't already in there.. I don't want to spend a few hours
> trying to re-invent the wheel when there is already a reason for it to
> not be in there.
>
> Any help or light on this situation is deeply appreciated. If you need more
> information, please let me know and I shall provide it.

Hi,

I have authentication against OpenLDAP running a long time now and did not
experience such a thing. I have split the user and group information into
two separate trees. An example user and the group entry look like this:

--- the user
dn: uid=testuser,ou=People,dc=domain,dc=tld
objectClass: top
objectClass: posixAccount
uidNumber: 2001
gecos: Test User
loginShell: /bin/tcsh
uid: testuser
cn: Test User
gidNumber: 2001
homeDirectory: /home/testuser
userPassword: some_password

--- the group
dn: cn=testgroup,ou=Group,dc=domain,dc=tld
objectClass: posixGroup
objectClass: top
cn: testgroup
userPassword: *
gidNumber: 2001
description: Local Unix group

If you configure nss_ldap as follows you will be able to chown(8)
with names instead of numbers, and id(1) should give you names for the
groups too.

--- nss_ldap.conf
nss_base_passwd ou=People,dc=domain,dc=tld?one
nss_base_group  ou=Group,dc=domain,dc=tld?one

If I understand your comments right, you have tried to add a "gid"
attribute to the user account with objectClass posixAccount, but this will
not work.
Only the numeric gidNumber is allowed for this objectClass. It
behaves like flat Unix passwd(5) and group(5) files, where the numeric
gidNumber is stored in passwd(5) and this number is resolved using the
group(5) file.

Please think about it ;-) and try the things above.

Joerg

--
The beginning is the most important part of the work. -Plato
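As an added example (not code from the thread or from OpenLDAP/nss_ldap), the script below does offline what the reply describes: it parses the two LDIF entries, checks the attributes of each entry against a hand-written subset of the RFC 2307 posixAccount/posixGroup attribute lists, and resolves a user's numeric gidNumber to the group's cn the way id(1) and chown(8) do through the separate group tree. The sample LDIF is constructed from the entries above; the SCHEMA table is an assumed, abbreviated subset of nis.schema and only checks for disallowed attributes, not for missing required ones.

```python
"""Resolve gidNumber -> group name from posixAccount/posixGroup LDIF entries,
and show why an extra "gid" attribute on a posixAccount is rejected by slapd."""
from collections import defaultdict

# Assumed, abbreviated subset of nis.schema (RFC 2307) attribute lists.
SCHEMA = {
    "posixAccount": {"cn", "uid", "uidNumber", "gidNumber", "homeDirectory",
                     "userPassword", "loginShell", "gecos", "description"},
    "posixGroup": {"cn", "gidNumber", "userPassword", "memberUid", "description"},
}
ALWAYS_ALLOWED = {"dn", "objectClass"}

# Constructed sample, modelled on the two entries in the reply above.
USER_LDIF = """dn: uid=testuser,ou=People,dc=domain,dc=tld
objectClass: top
objectClass: posixAccount
uid: testuser
uidNumber: 2001
gidNumber: 2001
"""
GROUP_LDIF = """dn: cn=testgroup,ou=Group,dc=domain,dc=tld
objectClass: top
objectClass: posixGroup
cn: testgroup
gidNumber: 2001
"""

def parse_ldif(text):
    """Split LDIF text (entries separated by a blank line) into dicts of attr -> [values]."""
    entries = []
    for block in text.strip().split("\n\n"):
        entry = defaultdict(list)
        for line in block.splitlines():
            attr, _, value = line.partition(":")
            entry[attr.strip()].append(value.strip())
        entries.append(dict(entry))
    return entries

def schema_violations(entry):
    """Attributes no objectClass of the entry permits; slapd refuses such an entry."""
    allowed = set(ALWAYS_ALLOWED)
    for oc in entry.get("objectClass", []):
        allowed |= SCHEMA.get(oc, set())
    return sorted(a for a in entry if a not in allowed)

def resolve_primary_group(entries, uid):
    """What id(1)/chown(8) see: the user's gidNumber looked up in the group tree."""
    groups = {e["gidNumber"][0]: e["cn"][0] for e in entries if "posixGroup" in e.get("objectClass", [])}
    users = {e["uid"][0]: e["gidNumber"][0] for e in entries if "posixAccount" in e.get("objectClass", [])}
    gid = users[uid]
    return groups.get(gid, gid)   # an unresolvable gid shows up as the bare number
```

With only the user entry loaded (no posixGroup for 2001) the lookup falls back to the number, which is exactly the "chown testuser:2001" situation in the original question.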