Date: Mon, 8 Mar 2010 21:07:12 +0800 From: "Ling-hua Tseng" <uranus@tinlans.org> To: <freebsd-stable@freebsd.org> Subject: Supplementary groups on LDAP cannot work with RELENG_8 + nss_ldap Message-ID: <F3B6FDBA2D4E44E49C4DFC8CA2F3A182@TinlansPC>
next in thread | raw e-mail | index | archive | help
Today I upgraded 2 of my 4 machines from RELENG_7 to RELENG_8. Both of the 2 machines are just LDAP clients. My LDAP server is still running on RELENG_7, and the remained one is also a LDAP client. All of them were installed OpenLDAP-2.4.21 and nss_ldap-1.265_3. Before I upgrades my system, everything works properly. I added a group named `group1' on LDAP server, and then add a user named `user1' to this group. I can type `id user1' to see the following line: uid=3D3000(user1) gid=3D3000(user1) groups=3D3000(user1),10000(gorup1) Of course, now the following record is already my LDAP server: -- dn: cn=3Dgroup,ou=3Dgroup,dc=3Dmydomain,dc=3Dorg objectClass: posixGroup cn: group1 gidNumber: 10000 memberUid: user1 -- After I upgraded these 2 machines from RELENG_7 to RELENG_8, to type `id user1' could only show the following information: uid=3D3000(user1) gid=3D3000(user1) groups=3D3000(user1) This user's supplementary group was gone, and he couldn't write any group-writable files which had gid 10000 one = the 2 machines. But in my other 2 machines that running on RELENG_7, this problem is still not occured. I have logged the behaviors of RELENG_7 & RELENG_8. Here is the behavior when I type `id user1' on RELENG_7: -- conn=3D1007 op=3D2 SRCH base=3D"ou=3Dpeople,dc=3Dmydomain,dc=3Dorg" = scope=3D1 deref=3D0 = filter=3D"(&(objectClass=3DposixAccount)(uid=3Duser1))" conn=3D1007 op=3D2 SRCH attr=3Duid userPassword uidNumber gidNumber cn = homeDirectory loginShell gecos description objectClass shadowLastChange = shadowMax shadowExpire loginClass conn=3D1007 op=3D3 SRCH base=3D"ou=3Dgroup,dc=3Dmydomain,dc=3Dorg" = scope=3D1 deref=3D0 filter=3D"(&(objectClass=3DposixGroup))" conn=3D1007 op=3D3 SRCH attr=3Dcn userPassword memberUid uniqueMember = gidNumber conn=3D1007 op=3D4 SRCH base=3D"ou=3Dgroup,dc=3Dmydomain,dc=3Dorg" = scope=3D1 deref=3D0 = filter=3D"(&(objectClass=3DposixGroup)(gidNumber=3D3000))" conn=3D1007 op=3D4 SRCH attr=3Dcn userPassword memberUid uniqueMember = gidNumber conn=3D1007 op=3D4 SRCH base=3D"ou=3Dgroup,dc=3Dmydomain,dc=3Dorg" = scope=3D1 deref=3D0 = filter=3D"(&(objectClass=3DposixGroup)(gidNumber=3D3000))" conn=3D1007 op=3D4 SRCH attr=3Dcn userPassword memberUid uniqueMember = gidNumber conn=3D1007 op=3D4 SRCH base=3D"ou=3Dgroup,dc=3Dmydomain,dc=3Dorg" = scope=3D1 deref=3D0 = filter=3D"(&(objectClass=3DposixGroup)(gidNumber=3D10000))" conn=3D1007 op=3D4 SRCH attr=3Dcn userPassword memberUid uniqueMember = gidNumber -- In step 2, it tries to fetch out the full group list from my LDAP = server. According to this information, it can know what user1's supplementary = groups are. RELENG_8: -- conn=3D1008 op=3D2 SRCH base=3D"ou=3Dpeople,dc=3Dmydomain,dc=3Dorg" = scope=3D1 deref=3D0 = filter=3D"(&(objectClass=3DposixAccount)(uid=3Duser1))" conn=3D1008 op=3D2 SRCH attr=3Duid userPassword uidNumber gidNumber cn = homeDirectory loginShell gecos description objectClass shadowLastChange = shadowMax shadowExpire loginClass conn=3D1008 op=3D3 SRCH base=3D"ou=3Dgroup,dc=3Dmydomain,dc=3Dorg" = scope=3D1 deref=3D0 = filter=3D"(&(objectClass=3DposixGroup)(gidNumber=3D3000))" conn=3D1008 op=3D3 SRCH attr=3Dcn userPassword memberUid uniqueMember = gidNumber conn=3D1008 op=3D3 SRCH base=3D"ou=3Dgroup,dc=3Dmydomain,dc=3Dorg" = scope=3D1 deref=3D0 = filter=3D"(&(objectClass=3DposixGroup)(gidNumber=3D3000))" conn=3D1008 op=3D3 SRCH attr=3Dcn userPassword memberUid uniqueMember = gidNumber -- It never tried to get the group list from LDAP server, hence it's impossible to know user1's supplementary groups. The client settings on RELENG_7 & RELENG_8 are fully consistent, so I don't think it's the problem of my config files. Since my 4 machines use the same version of nss_ldap, to downgrade nss_ldap's version for testing is meaningless. Should this problem is a base system's bug?
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?F3B6FDBA2D4E44E49C4DFC8CA2F3A182>