Date: Wed, 24 Feb 2010 19:21:08 -0500
From: "Peter C. Lai" <peter@simons-rock.edu>
To: "Scott, Brian" <brian.scott4@det.nsw.edu.au>
Cc: Gerrit Kühn <gerrit@pmp.uni-hannover.de>, freebsd-stable@freebsd.org
Subject: Re: nss_ldap and multiple group memberships
Message-ID: <20100225002107.GU4648@cesium.hyperfine.info>
In-Reply-To: <B9FD027E84F6EE4783263F5393E72655011D4D8D@ALF2.riverina.det.win>
References: <20100224112311.73ac53f6.gerrit@pmp.uni-hannover.de> <B9FD027E84F6EE4783263F5393E72655011D4D8D@ALF2.riverina.det.win>
Wow, this is a really well-written explanation.

On 2010-02-25 11:17:32AM +1100, Scott, Brian wrote:
> It depends on the type of group. There are at least two types of group objects that you can use in LDAP, but only one of them works. You need to use posixGroup objects for unix groups. As I remember it, these have memberUid attributes for the member ids. These are simple unix identifiers. groupOfNames objects, on the other hand, have full distinguished names in 'member' attributes and can't be used by nss_ldap.
>
> The idea is that posixGroup and posixAccount mimic the unix files so extraction of the data is fast. If the software used a groupOfNames object, then the returned member names would need to be queried as additional transactions to find the uids of those entries that had posixAccount information. This is because the original authentication was done by pam_ldap, and that just returned a UID to the system. If it returned the LDAP distinguished name to the system, and if that could then be passed into nss_ldap, it would be possible to do the LDAP query in a single transaction. But then that all breaks down if you authenticate with something else like GSSAPI. If that was the case you would need to first search for the posixAccount object of the authenticated user (&(objectClass=posixAccount)(uid=1001)) and then search for all the groupOfNames containing that distinguished name (&(objectClass=groupOfNames)(member=uid=bscott,ou=People,dc=netlab,dc=albury,dc=tafe)). That's two transactions and seems unnecessarily wasteful. Mind you, if it was an option I'd probably turn it on.
>
> Brian
>
>
> -----Original Message-----
> From: owner-freebsd-stable@freebsd.org [mailto:owner-freebsd-stable@freebsd.org] On Behalf Of Gerrit Kühn
> Sent: Wednesday, 24 February 2010 9:23 PM
> To: freebsd-stable@freebsd.org
> Subject: nss_ldap and multiple group memberships
>
> Hi all,
>
> Is anyone here using nss_ldap and can successfully get it to work with multiple group memberships? I would really like to get this to work here, but I only get the primary group:
>
> penumbra# id gekueh
> uid=1030(gekueh) gid=1012(aei) groups=1012(aei)
>
> getent group comes up with the complete group list. ldapsearch reports three groups with member:-lines for my user. Somehow nss does not pick this up. Any ideas?
>
>
> cu
> Gerrit
> _______________________________________________
> freebsd-stable@freebsd.org mailing list
> http://lists.freebsd.org/mailman/listinfo/freebsd-stable
> To unsubscribe, send any mail to "freebsd-stable-unsubscribe@freebsd.org"

-- 
============================================================
Peter C. Lai                  | Bard College at Simon's Rock
Systems Administrator         | 84 Alford Rd.
Information Technology Svcs.  | Gt. Barrington, MA 01230 USA
peter AT simons-rock.edu      | (413) 528-7428
============================================================
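As an added example (not code from this thread, from nss_ldap, or from FreeBSD), the following Python runs the two lookup strategies Brian describes against a small constructed in-memory directory: the single posixGroup/memberUid search that nss_ldap performs, and the two-step search (posixAccount to find the DN, then groupOfNames entries whose member attribute holds that DN) that would be needed for the groups Gerrit's ldapsearch shows as member: lines. The directory entries, the dc=example,dc=org suffix and all function names are assumptions made for the example. The filter evaluator covers only the equality, & and | forms used in the thread, and the login name is RFC 4515-escaped before it is interpolated, which is the check a practitioner wants whenever a user-controlled string ends up in a filter sent to a real server.

```python
import re

# Constructed sample directory (not a real LDAP server): DN -> attributes.
# Attribute names are stored lower-cased because LDAP attribute names are
# case-insensitive.
SAMPLE_DIRECTORY = {
    "uid=gekueh,ou=People,dc=example,dc=org": {
        "objectclass": ["posixAccount", "inetOrgPerson"],
        "uid": ["gekueh"], "uidnumber": ["1030"], "gidnumber": ["1012"],
    },
    "uid=bscott,ou=People,dc=example,dc=org": {
        "objectclass": ["posixAccount"],
        "uid": ["bscott"], "uidnumber": ["1001"], "gidnumber": ["1012"],
    },
    "cn=aei,ou=Group,dc=example,dc=org": {
        "objectclass": ["posixGroup"], "cn": ["aei"], "gidnumber": ["1012"],
        "memberuid": ["gekueh", "bscott"],
    },
    "cn=wheel,ou=Group,dc=example,dc=org": {
        "objectclass": ["posixGroup"], "cn": ["wheel"], "gidnumber": ["0"],
        "memberuid": ["gekueh"],
    },
    # A groupOfNames: members are full DNs, which nss_ldap does not follow.
    "cn=admins,ou=Group,dc=example,dc=org": {
        "objectclass": ["groupOfNames"], "cn": ["admins"],
        "member": ["uid=gekueh,ou=People,dc=example,dc=org"],
    },
}


def escape_filter_value(value):
    """RFC 4515 escaping for an assertion value built from untrusted input
    (a login name): '*', '(', ')', '\\' and NUL become \\XX hex escapes so
    they cannot change the structure of the filter."""
    return "".join("\\%02x" % ord(c) if c in "*()\\\x00" else c for c in value)


def _unescape(value):
    return re.sub(r"\\([0-9a-fA-F]{2})",
                  lambda m: chr(int(m.group(1), 16)), value)


def parse_filter(text):
    """Parse the RFC 4515 subset used in the thread: equality items combined
    with & and |. Returns ('=', attr, value) or (op, [children])."""
    pos = 0

    def item():
        nonlocal pos
        if text[pos] != "(":
            raise ValueError("expected '(' at offset %d" % pos)
        pos += 1
        if text[pos] in "&|":
            op = text[pos]
            pos += 1
            children = []
            while text[pos] == "(":
                children.append(item())
            if text[pos] != ")":
                raise ValueError("expected ')' at offset %d" % pos)
            pos += 1
            return (op, children)
        end = text.index(")", pos)          # escaped ')' is \29, never literal
        attr, _, value = text[pos:end].partition("=")
        pos = end + 1
        return ("=", attr.lower(), _unescape(value))

    node = item()
    if pos != len(text):
        raise ValueError("trailing data after filter")
    return node


def matches(entry, node):
    """Evaluate a parsed filter against one entry (equality only, no
    substring/wildcard matching in this toy evaluator)."""
    if node[0] == "=":
        _, attr, value = node
        return any(v.lower() == value.lower() for v in entry.get(attr, []))
    op, children = node
    combine = all if op == "&" else any
    return combine(matches(entry, child) for child in children)


def search(directory, filter_text):
    """Return {dn: entry} for the entries matching filter_text."""
    node = parse_filter(filter_text)
    return {dn: e for dn, e in directory.items() if matches(e, node)}


def posix_groups(directory, uid):
    """One search, the way nss_ldap does it: posixGroup entries whose
    memberUid lists the login name. Returns [(gidNumber, cn), ...]."""
    hits = search(directory, "(&(objectClass=posixGroup)(memberUid=%s))"
                  % escape_filter_value(uid))
    return sorted((int(e["gidnumber"][0]), e["cn"][0]) for e in hits.values())


def group_of_names_groups(directory, uid):
    """The two-transaction path from the thread: resolve the posixAccount to
    its DN, then find groupOfNames entries whose member holds that DN."""
    accounts = search(directory, "(&(objectClass=posixAccount)(uid=%s))"
                      % escape_filter_value(uid))
    if len(accounts) != 1:
        raise LookupError("expected exactly one posixAccount for %r" % uid)
    (dn,) = accounts
    hits = search(directory, "(&(objectClass=groupOfNames)(member=%s))"
                  % escape_filter_value(dn))
    return sorted(e["cn"][0] for e in hits.values())


def id_line(directory, uid):
    """Render what id(1) prints from posixAccount/posixGroup data only."""
    (acct,) = search(directory, "(&(objectClass=posixAccount)(uid=%s))"
                     % escape_filter_value(uid)).values()
    primary_gid = int(acct["gidnumber"][0])
    (primary,) = search(directory, "(&(objectClass=posixGroup)(gidNumber=%d))"
                        % primary_gid).values()
    groups = [(primary_gid, primary["cn"][0])]
    groups += [g for g in posix_groups(directory, uid) if g[0] != primary_gid]
    return "uid=%s(%s) gid=%d(%s) groups=%s" % (
        acct["uidnumber"][0], uid, primary_gid, primary["cn"][0],
        ",".join("%d(%s)" % g for g in groups))


if __name__ == "__main__":
    print(id_line(SAMPLE_DIRECTORY, "gekueh"))
    print("groupOfNames memberships (invisible to nss_ldap):",
          group_of_names_groups(SAMPLE_DIRECTORY, "gekueh"))
```

Run stand-alone, it prints an id(1)-style line for gekueh that includes the wheel group because wheel is a posixGroup with a memberUid, while the admins group, a groupOfNames holding the user's DN, only shows up through the second, two-step function. The toy evaluator has no substring matching, so escaping changes nothing here; against a real server an unescaped `*` or `)` in the login name would widen or break the filter, which is why the escape is applied before interpolation.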