Re: nss_ldap and multiple group memberships
On Thu, 25 Feb 2010 15:10:03 +1100 "Scott, Brian" wrote about RE: nss_ldap and multiple group memberships:

SB> It looks like you may need to uncomment the line '#nss_map_attribute
SB> uniqueMember member' in your ldap.conf to then use the correct
SB> attribute name.

Yes, that's exactly the solution here. I got this from reading the config files of a working Linux client that uses the same nss libraries. Thank you for your support!

cu
  Gerrit

___
freebsd-stable@freebsd.org mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-stable
To unsubscribe, send any mail to "freebsd-stable-unsubscr...@freebsd.org"
Re: nss_ldap and multiple group memberships
On Thu, 25 Feb 2010 11:17:32 +1100 "Scott, Brian" wrote about RE: nss_ldap and multiple group memberships:

SB> It depends on the type of group. There are at least two types of group
SB> objects that you can use in LDAP but only one of them works. You need
SB> to use posixGroup objects for unix groups. As I remember it, these
SB> have memberUid attributes for the member ids. These are simple unix
SB> identifiers. groupOfNames objects on the other hand have full
SB> distinguished names with 'member' attributes and can't be used by
SB> nss_ldap.

The server is running openldap under SLES and is not under my control. ldapsearch gives group entries like

# lisa, group, aei.uni-hannover.de
dn: cn=lisa,ou=group,dc=aei,dc=uni-hannover,dc=de
cn: lisa
displayName: lisa
gidNumber: 1003
member: uid=gekueh,ou=people,dc=aei,dc=uni-hannover,dc=de

So this would be the first case, I guess.

SB> The idea is that posixGroup and posixAccount mimic the unix files so
SB> extraction of the data is fast. If the software used a groupOfNames
SB> object then the returned member names would need to be queried as
SB> additional transactions to find the uid's of those entries that had
SB> posixAccount information. This is because the original authentication
SB> was done by pam_ldap and that just returned a UID to the system. If it
SB> returned the LDAP distinguished name to the system, and if that could
SB> then be passed into nss_ldap it would be possible to do the LDAP query
SB> in a single transaction. But then that all breaks down if you
SB> authenticate with something else like GSSAPI. If that was the case you
SB> would need to first search for the posixAccount object of the
SB> authenticated user (&(objectClass=posixAccount)(uid=1001)) and then
SB> search for all the group of names containing that distinguished name (&
SB> (objectClass=groupOfNames)
SB> (member=uid=bscott,ou=People,dc=netlab,dc=albury,dc=tafe)). That's two
SB> transactions and seems unnecessarily wasteful. Mind you, if it was an
SB> option I'd probably turn it on.

Thanks for this fine explanation. I do not use GSS. However, I found the following configuration option in (nss) ldap.conf that helped me:

nss_map_attribute uniqueMember member

After uncommenting this, everything seems to work fine:

penumbra# id gekueh
uid=1030(gekueh) gid=1012(aei) groups=1012(aei),1003(lisa)

Maybe this could be mentioned somewhere in the documentation? I used <http://www.freebsd.org/doc/en/articles/ldap-auth/client.html> to set up the client, but the information I got from this article was rather sparse and led me down the wrong path more than once.

cu
  Gerrit
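To make the effect of that ldap.conf line concrete, here is a small Python model (an added example, not code from the thread or from nss_ldap itself) of how a user's supplementary groups are gathered from group entries with and without "nss_map_attribute uniqueMember member". The LDIF is constructed from the lisa entry quoted above plus a hypothetical aei group, and it simplifies nss_ldap by taking the uid from the first RDN of each member DN instead of looking the DN up.

```python
"""Model of how nss_ldap gathers a user's supplementary groups, with and
without 'nss_map_attribute uniqueMember member' in ldap.conf. Added
example, not nss_ldap's code: the LDIF is constructed from the thread."""
import re

GROUP_LDIF = """\
# aei, group, aei.uni-hannover.de  (hypothetical primary group entry)
dn: cn=aei,ou=group,dc=aei,dc=uni-hannover,dc=de
cn: aei
gidNumber: 1012
member: uid=gekueh,ou=people,dc=aei,dc=uni-hannover,dc=de

dn: cn=lisa,ou=group,dc=aei,dc=uni-hannover,dc=de
cn: lisa
gidNumber: 1003
member: uid=gekueh,ou=people,dc=aei,dc=uni-hannover,dc=de
"""

def parse_ldif(text):
    """ldapsearch-style LDIF -> list of {attr (lowercase): [values]}."""
    entries = []
    for block in re.split(r"\n\s*\n", text.strip()):
        entry = {}
        for line in block.splitlines():
            if not line.startswith("#"):          # skip ldapsearch comments
                attr, _, value = line.partition(":")
                entry.setdefault(attr.strip().lower(), []).append(value.strip())
        entries.append(entry)
    return entries

def attribute_map(ldap_conf):
    """nss_map_attribute lines: attribute nss_ldap asks for -> server attribute."""
    amap = {}
    for line in ldap_conf.splitlines():
        parts = line.split()
        if len(parts) == 3 and parts[0] == "nss_map_attribute":
            amap[parts[1].lower()] = parts[2].lower()
    return amap

def member_of(uid, groups, amap):
    """Groups naming uid via memberUid (RFC 2307), or via a DN whose first RDN
    is uid=<uid> in whatever attribute uniqueMember is mapped to (simplified)."""
    dn_attr = amap.get("uniquemember", "uniquemember")
    return [g for g in groups
            if uid in g.get("memberuid", [])
            or any(dn.split(",", 1)[0].strip().lower() == f"uid={uid.lower()}"
                   for dn in g.get(dn_attr, []))]

def id_groups_field(uid, primary_gid, groups, amap):
    """The groups= field of id(1): primary gid first, then the rest."""
    names = {int(g["gidnumber"][0]): g["cn"][0] for g in groups}
    gids = [primary_gid] + [int(g["gidnumber"][0])
                            for g in member_of(uid, groups, amap)
                            if int(g["gidnumber"][0]) != primary_gid]
    return "groups=" + ",".join(f"{gid}({names.get(gid, '?')})" for gid in gids)
```

Without the mapping only the primary gid from the posixAccount entry survives, which is the "groups=1012(aei)" symptom from the original question; with it the lisa group appears as well.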
RE: nss_ldap and multiple group memberships
I hate people who contradict themselves with follow-up emails. On this occasion however...

Since writing my earlier email I've done some digging around. What I have found is that nss_ldap can use uniqueMember attributes as an alternative to memberUid attributes. The rub is that the standard structure for posixGroup doesn't allow combination with groupOfUniqueNames, groupOfUniqueNames isn't what it sounds like anyway, and uniqueMember is also not the attribute you should be using.

However, if you were to tweak the schema for posixGroup to make it an auxiliary class as per rfc2307bis (an expired proposal, http://ietfreport.isoc.org/idref/draft-howard-rfc2307bis/) and use a combination of posixGroup and groupOfNames, you could have member attributes (i.e. full Distinguished Names) as your member names. It looks like you may need to uncomment the line '#nss_map_attribute uniqueMember member' in your ldap.conf to then use the correct attribute name.

I haven't actually tried any of this but I might give it a try on a test machine sometime in the next few weeks. I must say that I'm not a fan of fiddling with a standard schema, but the idea of using a single type of group (combined posixGroup/groupOfNames) for everything is extremely tempting.

Enjoy,

Brian

-Original Message-
From: owner-freebsd-sta...@freebsd.org [mailto:owner-freebsd-sta...@freebsd.org] On Behalf Of Scott, Brian
Sent: Thursday, 25 February 2010 11:18 AM
To: Gerrit Kühn; freebsd-stable@freebsd.org
Subject: RE: nss_ldap and multiple group memberships

It depends on the type of group. There are at least two types of group objects that you can use in LDAP but only one of them works. You need to use posixGroup objects for unix groups. As I remember it, these have memberUid attributes for the member ids. These are simple unix identifiers. groupOfNames objects on the other hand have full distinguished names with 'member' attributes and can't be used by nss_ldap.

The idea is that posixGroup and posixAccount mimic the unix files so extraction of the data is fast. If the software used a groupOfNames object then the returned member names would need to be queried as additional transactions to find the uid's of those entries that had posixAccount information. This is because the original authentication was done by pam_ldap and that just returned a UID to the system. If it returned the LDAP distinguished name to the system, and if that could then be passed into nss_ldap, it would be possible to do the LDAP query in a single transaction. But then that all breaks down if you authenticate with something else like GSSAPI. If that was the case you would need to first search for the posixAccount object of the authenticated user (&(objectClass=posixAccount)(uid=1001)) and then search for all the group of names containing that distinguished name (&(objectClass=groupOfNames)(member=uid=bscott,ou=People,dc=netlab,dc=albury,dc=tafe)). That's two transactions and seems unnecessarily wasteful. Mind you, if it was an option I'd probably turn it on.

Brian

-Original Message-
From: owner-freebsd-sta...@freebsd.org [mailto:owner-freebsd-sta...@freebsd.org] On Behalf Of Gerrit Kühn
Sent: Wednesday, 24 February 2010 9:23 PM
To: freebsd-stable@freebsd.org
Subject: nss_ldap and multiple group memberships

Hi all,

Is anyone here using nss_ldap and can successfully get it to work with multiple group memberships? I would really like to get this to work here, but I only get the primary group:

penumbra# id gekueh
uid=1030(gekueh) gid=1012(aei) groups=1012(aei)

getent group comes up with the complete group list. ldapsearch reports three groups with member:-lines for my user. Somehow nss does not pick this up. Any ideas?

cu
  Gerrit

**
This message is intended for the addressee named and may contain privileged information or confidential information or both. If you are not the intended recipient please delete it and notify the sender.
**
Re: nss_ldap and multiple group memberships
Wow, this is a really well written explanation.

On 2010-02-25 11:17:32AM +1100, Scott, Brian wrote:
> It depends on the type of group. There are at least two types of group
> objects that you can use in LDAP but only one of them works. You need to use
> posixGroup objects for unix groups. As I remember it, these have memberUid
> attributes for the member ids. These are simple unix identifiers.
> groupOfNames objects on the other hand have full distinguished names with
> 'member' attributes and can't be used by nss_ldap.
>
> The idea is that posixGroup and posixAccount mimic the unix files so
> extraction of the data is fast. If the software used a groupOfNames object
> then the returned member names would need to be queried as additional
> transactions to find the uid's of those entries that had posixAccount
> information. This is because the original authentication was done by pam_ldap
> and that just returned a UID to the system. If it returned the LDAP
> distinguished name to the system, and if that could then be passed into
> nss_ldap it would be possible to do the LDAP query in a single transaction.
> But then that all breaks down if you authenticate with something else like
> GSSAPI. If that was the case you would need to first search for the
> posixAccount object of the authenticated user
> (&(objectClass=posixAccount)(uid=1001)) and then search for all the group of
> names containing that distinguished name
> (&(objectClass=groupOfNames)(member=uid=bscott,ou=People,dc=netlab,dc=albury,dc=tafe)).
> That's two transactions and seems unnecessarily wasteful. Mind you, if it
> was an option I'd probably turn it on.
>
> Brian
>
> -Original Message-
> From: owner-freebsd-sta...@freebsd.org
> [mailto:owner-freebsd-sta...@freebsd.org] On Behalf Of Gerrit Kühn
> Sent: Wednesday, 24 February 2010 9:23 PM
> To: freebsd-stable@freebsd.org
> Subject: nss_ldap and multiple group memberships
>
> Hi all,
>
> Is anyone here using nss_ldap and can successfully get it to work with
> multiple group memberships? I would really like to get this to work here, but
> I only get the primary group:
>
> penumbra# id gekueh
> uid=1030(gekueh) gid=1012(aei) groups=1012(aei)
>
> getent group comes up with the complete group list. ldapsearch reports three
> groups with member:-lines for my user. Somehow nss does not pick this up. Any
> ideas?
>
> cu
>   Gerrit

--
===
Peter C. Lai                 | Bard College at Simon's Rock
Systems Administrator        | 84 Alford Rd.
Information Technology Svcs. | Gt. Barrington, MA 01230 USA
peter AT simons-rock.edu     | (413) 528-7428
===
RE: nss_ldap and multiple group memberships
It depends on the type of group. There are at least two types of group objects that you can use in LDAP but only one of them works. You need to use posixGroup objects for unix groups. As I remember it, these have memberUid attributes for the member ids. These are simple unix identifiers. groupOfNames objects on the other hand have full distinguished names with 'member' attributes and can't be used by nss_ldap.

The idea is that posixGroup and posixAccount mimic the unix files so extraction of the data is fast. If the software used a groupOfNames object then the returned member names would need to be queried as additional transactions to find the uid's of those entries that had posixAccount information. This is because the original authentication was done by pam_ldap and that just returned a UID to the system. If it returned the LDAP distinguished name to the system, and if that could then be passed into nss_ldap, it would be possible to do the LDAP query in a single transaction. But then that all breaks down if you authenticate with something else like GSSAPI. If that was the case you would need to first search for the posixAccount object of the authenticated user (&(objectClass=posixAccount)(uid=1001)) and then search for all the group of names containing that distinguished name (&(objectClass=groupOfNames)(member=uid=bscott,ou=People,dc=netlab,dc=albury,dc=tafe)). That's two transactions and seems unnecessarily wasteful. Mind you, if it was an option I'd probably turn it on.

Brian

-Original Message-
From: owner-freebsd-sta...@freebsd.org [mailto:owner-freebsd-sta...@freebsd.org] On Behalf Of Gerrit Kühn
Sent: Wednesday, 24 February 2010 9:23 PM
To: freebsd-stable@freebsd.org
Subject: nss_ldap and multiple group memberships

Hi all,

Is anyone here using nss_ldap and can successfully get it to work with multiple group memberships? I would really like to get this to work here, but I only get the primary group:

penumbra# id gekueh
uid=1030(gekueh) gid=1012(aei) groups=1012(aei)

getent group comes up with the complete group list. ldapsearch reports three groups with member:-lines for my user. Somehow nss does not pick this up. Any ideas?

cu
  Gerrit
Re: nss_ldap and multiple group memberships
On 24/02/2010 10:39, Patrick M. Hausen wrote:
> I do not remember where that '?one' came from and what precisely
> it does. Voodoo I copied from some obscure "Howto", I figure.
> I'd appreciate some feedback on that part ;-)

It sets the scope of the LDAP search to the direct children of the search base: i.e. it only goes one layer into the hierarchy. Alternatives are ?base -- just search the base object, or ?sub -- (the default) search the entire hierarchy rooted at the search base.

Cheers,

Matthew

--
Dr Matthew J Seaman MA, D.Phil.                   7 Priory Courtyard
                                                  Flat 3
PGP: http://www.infracaninophile.co.uk/pgpkey     Ramsgate
                                                  Kent, CT11 9PW
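Matthew's description of the ?base / ?one / ?sub suffix, as an added Python model (not code from the thread or from nss_ldap) that parses an nss_base_group value and decides which group DNs a search with that base and scope would return. It uses the nss_base_group from Patrick's ldap.conf with constructed group DNs, assumes the default scope of sub applies when no suffix is given, and simplifies DN comparison to a case-insensitive split on unescaped commas.

```python
"""Model of the 'base?scope' syntax of nss_base_group / nss_base_passwd in
nss_ldap's ldap.conf. Added example, not nss_ldap's code; DN handling is a
simplification (split on unescaped commas, case-insensitive compare)."""
import re

SCOPES = ("base", "one", "sub")

def parse_nss_base(value):
    """'ou=Unixgruppen,dc=intern,dc=punkt,dc=de?one' -> (base, 'one').
    No '?scope' suffix: assume the default scope, sub (as the thread says)."""
    base, _, scope = value.partition("?")
    scope = scope.strip().lower() or "sub"
    if scope not in SCOPES:
        raise ValueError(f"unknown search scope {scope!r}")
    return base.strip(), scope

def dn_components(dn):
    """Normalise a DN into 'attr=value' parts, most specific first."""
    parts = re.split(r"(?<!\\),", dn)
    return [re.sub(r"\s*=\s*", "=", p.strip()).lower() for p in parts]

def in_scope(dn, base, scope):
    """Would an entry at dn be returned by a search with this base and scope?"""
    d, b = dn_components(dn), dn_components(base)
    if len(d) < len(b) or d[len(d) - len(b):] != b:
        return False             # not under the search base at all
    depth = len(d) - len(b)      # 0 = the base object itself
    if scope == "base":
        return depth == 0
    if scope == "one":
        return depth == 1        # direct children only
    return True                  # sub: the base and everything beneath it

def groups_visible(nss_base_group, group_dns):
    """Group DNs nss_ldap would see with this nss_base_group setting."""
    base, scope = parse_nss_base(nss_base_group)
    return [dn for dn in group_dns if in_scope(dn, base, scope)]

# Constructed sample: Patrick's nss_base_group plus three hypothetical group
# DNs, the last one nested one level deeper than the others.
NSS_BASE_GROUP = "ou=Unixgruppen,dc=intern,dc=punkt,dc=de?one"
SAMPLE_GROUPS = [
    "CN=wheel,OU=Unixgruppen,DC=intern,DC=punkt,DC=de",
    "cn=intern,ou=Unixgruppen,dc=intern,dc=punkt,dc=de",
    "cn=legacy,ou=Archiv,ou=Unixgruppen,dc=intern,dc=punkt,dc=de",
]

if __name__ == "__main__":
    base = NSS_BASE_GROUP.split("?")[0]
    for scope in SCOPES:
        print(f"?{scope}:", groups_visible(f"{base}?{scope}", SAMPLE_GROUPS))
```

With ?one a group placed in a sub-OU below the configured base is silently invisible to nss_ldap, which is the kind of "ldapsearch sees it but id does not" discrepancy worth checking before suspecting the attribute mapping.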
Re: nss_ldap and multiple group memberships
Hi, all,

On Wed, Feb 24, 2010 at 11:23:11AM +0100, Gerrit Kühn wrote:
> Is anyone here using nss_ldap and can successfully get it to work with
> multiple group memberships? I would really like to get this to work here,
> but I only get the primary group:
>
> penumbra# id gekueh
> uid=1030(gekueh) gid=1012(aei) groups=1012(aei)

[r...@devel ~]$ uname -a
FreeBSD devel.intern.punkt.de 7.2-RELEASE-p6 FreeBSD 7.2-RELEASE-p6 #0: Mon Feb 22 16:17:54 CET 2010     r...@nanobsd.ka.punkt.de:/var/home/nanobsd/obj/dl320-devel/usr/src/sys/GENERIC  amd64
[r...@devel ~]$ pkg_info | grep ldap
nss_ldap-1.264_3       RFC 2307 NSS module
openldap-client-2.4.21 Open source LDAP client implementation
pam_ldap-1.8.5         A pam module for authenticating with LDAP
[r...@devel ~]$ id
uid=10093(ry93) gid=10001(intern) groups=10001(intern),0(wheel)

LDAP server is Active Directory on Windows 2003 R2.

What precisely do you need? Ah, heck, I'll just attach my config files right away. nss_ldap.conf is just a symlink to ldap.conf.

I do not remember where that '?one' came from and what precisely it does. Voodoo I copied from some obscure "Howto", I figure. I'd appreciate some feedback on that part ;-)

Best regards,
HTH,
Patrick

--
punkt.de GmbH * Kaiserallee 13a * 76133 Karlsruhe
Tel. 0721 9109 0 * Fax 0721 9109 100
i...@punkt.de   http://www.punkt.de
Gf: Jürgen Egeling   AG Mannheim 108285

#
# nsswitch.conf(5) - name service switch configuration file
# $FreeBSD: src/etc/nsswitch.conf,v 1.1.8.1 2009/04/15 03:14:26 kensmith Exp $
#
group: cache files ldap
hosts: files dns
networks: files
passwd: cache files ldap
shells: files
services: compat
services_compat: nis
protocols: files
rpc: files

uri ldap://pdc.intern.punkt.de
base DC=intern,DC=punkt,DC=de
ldap_version 3
binddn ***
bindpw ***
scope sub
idle_timelimit 60
pam_login_attribute msSFU30Name
pam_filter objectclass=User
pam_password ad
nss_map_objectclass posixAccount User
nss_map_objectclass posixGroup Group
nss_base_passwd ou=Mitarbeiter,dc=intern,dc=punkt,dc=de?one
nss_base_group ou=Unixgruppen,dc=intern,dc=punkt,dc=de?one
nss_map_attribute uid msSFU30Name
nss_map_attribute gecos name
nss_map_attribute userPassword unixUserPassword
nss_map_attribute homeDirectory unixHomeDirectory
nss_map_attribute uniqueMember member
nss_map_attribute cn sAMAccountName
nss_map_attribute uniquemember msSFU30PosixMember
nss_ldap and multiple group memberships
Hi all,

Is anyone here using nss_ldap and can successfully get it to work with multiple group memberships? I would really like to get this to work here, but I only get the primary group:

penumbra# id gekueh
uid=1030(gekueh) gid=1012(aei) groups=1012(aei)

getent group comes up with the complete group list. ldapsearch reports three groups with member:-lines for my user. Somehow nss does not pick this up. Any ideas?

cu
  Gerrit