
Re: pam_ldap, nss_ldap and rfc2307bis (using member instead of memberUid)



OK, I managed to get at least group memberships (somehow working):

# getent group testers users; id john.doe
testers:*:5001:cn=Dummy,uid=john.doe,ou=People,dc=marcher,dc=name
users:*:5000:cn=Dummy,uid=john.doe,ou=People,dc=marcher,dc=name
uid=1000(john.doe) gid=5000(users) groups=5000(users)

Now, why doesn't it work so that I just have john.doe as a member, but
instead get the full DN of the LDAP object?

Still looking for ideas :)

Thanks,
Martin

2009/3/11 Martin <martin@marcher.name>:
> Hi,
>
> 2009/3/4 Dave Ewart <davee@ceu.ox.ac.uk>:
>> You don't explicitly mention this, so I'll just drop this in here:
>> typically, you need to set both pam_groupdn and pam_member_attribute in
>> /etc/pam_ldap.conf
>
> I have set that:
>
> # egrep -v '^$|^#' /etc/pam_ldap.conf
> base dc=marcher,dc=name
> uri ldap://localhost
> ldap_version 3
> pam_groupdn cn=testers,ou=Group,dc=marcher,dc=name
> pam_member_attribute member
> pam_password exop
> nss_schema rfc2307bis
> nss_map_attribute       member  memberUid
>
> Also, this is the info I'm getting from pam_ldap right now. I start
> to think I'm in the wrong place with my config (pam_ldap is the right
> place, not nss-ldap.conf, right?).
>
>
> Anyone with ideas?
>
> # getent group|grep 500
> users:*:5000:john.doe
> testers:*:5001:
>
> # getent passwd|grep john
> john.doe:x:1000:5000:,,,:/home/exuser:/bin/bash
>
> # ldapsearch -LLL -x '(gidnumber=*)'
> dn: uid=john.doe,ou=People,dc=marcher,dc=name
> uid: john.doe
> cn: Example User
> objectClass: account
> objectClass: posixAccount
> objectClass: hostObject
> objectClass: authorizedServiceObject
> objectClass: top
> objectClass: shadowAccount
> loginShell: /bin/bash
> uidNumber: 1000
> homeDirectory: /home/exuser
> gecos: ,,,
> host: *
> authorizedService: *
> gidNumber: 5000
>
> dn: cn=users,ou=Group,dc=marcher,dc=name
> gidNumber: 5000
> objectClass: groupOfNames
> objectClass: top
> objectClass: posixGroup
> member: cn=Dummy
> member: uid=john.doe,ou=People,dc=marcher,dc=name
> cn: users
> memberUid: john.doe
>
> dn: cn=testers,ou=Group,dc=marcher,dc=name
> objectClass: groupOfNames
> objectClass: top
> objectClass: posixGroup
> cn: testers
> member: cn=Dummy
> member: uid=john.doe,ou=People,dc=marcher,dc=name
> gidNumber: 5001
>
>



-- 
http://soup.alt.delete.co.at
http://www.xing.com/profile/Martin_Marcher
http://www.linkedin.com/in/martinmarcher

You are not free to read this message,
by doing so, you have violated my licence
and are required to urinate publicly. Thank you.

Please avoid sending me Word or PowerPoint attachments.
See http://www.gnu.org/philosophy/no-word-attachments.html
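To make the difference between the two schemas concrete, here is an added example (not code from the thread or from nss_ldap): with rfc2307bis the `member` attribute holds DNs, so a resolver has to look each DN up and take the `uid` of the matching posixAccount, whereas `memberUid` already holds login names. The LDIF below is constructed to mirror the entries Martin posted; note that the placeholder `member: cn=Dummy` does not resolve to any account and is reported rather than passed through as a group member.

```python
# Constructed LDIF, modelled on the entries shown in the thread (not a live directory).
LDIF = """\
dn: uid=john.doe,ou=People,dc=marcher,dc=name
uid: john.doe
objectClass: posixAccount
uidNumber: 1000
gidNumber: 5000

dn: cn=users,ou=Group,dc=marcher,dc=name
cn: users
gidNumber: 5000
member: cn=Dummy
member: uid=john.doe,ou=People,dc=marcher,dc=name
memberUid: john.doe

dn: cn=testers,ou=Group,dc=marcher,dc=name
cn: testers
gidNumber: 5001
member: cn=Dummy
member: uid=john.doe,ou=People,dc=marcher,dc=name
"""

def parse_ldif(text):
    """Return {dn: {attr: [values]}} for simple, unfolded LDIF (blank line separates entries)."""
    entries = {}
    for block in text.strip().split("\n\n"):
        attrs = {}
        for line in block.splitlines():
            key, _, val = line.partition(": ")
            attrs.setdefault(key, []).append(val)
        entries[attrs["dn"][0]] = attrs
    return entries

def resolve_members(entries, group_dn):
    """rfc2307bis style: each 'member' value is a DN. Map it to the uid of a
    posixAccount entry; DNs that do not resolve are returned separately."""
    uids, unresolved = [], []
    for dn in entries[group_dn].get("member", []):
        acct = entries.get(dn)
        if acct and "posixAccount" in acct.get("objectClass", []):
            uids.append(acct["uid"][0])
        else:
            unresolved.append(dn)  # e.g. the cn=Dummy placeholder
    return uids, unresolved

def getent_line(entries, group_dn):
    """Render the group the way 'getent group' would print it after DN resolution."""
    g = entries[group_dn]
    uids, _ = resolve_members(entries, group_dn)
    return f"{g['cn'][0]}:*:{g['gidNumber'][0]}:{','.join(uids)}"
```

Running `getent_line` over both groups yields `users:*:5000:john.doe` and `testers:*:5001:john.doe`, with `cn=Dummy` listed as unresolved for each; a group line that instead shows raw DNs is the sign that `member` values are being read as if they were `memberUid` login names.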