Sorry for the late response. Yes, it resolves the DN properly along with secondary groups.

[psundaram at ldap02 ~]$ id psundaram
uid=2100(psundaram) gid=1000(staff) groups=1050(people),2000(admins),1000(staff)

I will test the mapping attribute in a week or so.

-Prashanth

On Thu, 2010-05-06 at 14:45 -0400, Prashanth Sundaram wrote:
> I got around this by changing the ldap.conf.
>
> pam_filter objectclass=posixAccount
> pam_member_attribute uniquemember
>
> I haven't tested this but you can also map the memberuid and memberof
> to Uniquemember. So the nss_ldap checks the uniquemember value every
> time.
>
> nss_map_attribute memberuid uniqueMember
> nss_map_attribute member uniqueMember
>
> My Group looks like this.
> dn: cn=GROUP1,ou=Group,dc=DOMAIN,dc=COM
> objectClass: groupOfUniqueNames
> objectClass: posixGroup
> objectClass: top
> gidNumber: 3300
> uniqueMember: uid=userid1,ou=People,dc=DOMAIN,dc=COM
> uniqueMember: uid=userid2,ou=People,dc=DOMAIN,dc=COM
> uniqueMember: uid=userid3,ou=People,dc=DOMAIN,dc=COM
> uniqueMember: uid=userid4,ou=People,dc=DOMAIN,dc=COM
> uniqueMember: uid=userid5,ou=People,dc=DOMAIN,dc=COM

<snip>

Does getent properly handle the DN? I may be wrong but I thought I tried this and it failed. I could easily have messed up due to my ignorance.

Thanks - John
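
A check for the getent question above, added here as an example and not part of the original thread: it derives the members a groupOfUniqueNames/posixGroup entry should yield and compares them with a `getent group` line. It assumes unfolded, non-base64 LDIF and that each member's login name is the uid= RDN of its uniqueMember DN; the function names and sample data are constructed for illustration.

```python
# Constructed sample modelled on the thread's group entry; cn=printer is an added non-uid member.
SAMPLE_LDIF = """\
dn: cn=GROUP1,ou=Group,dc=DOMAIN,dc=COM
objectClass: groupOfUniqueNames
objectClass: posixGroup
gidNumber: 3300
uniqueMember: uid=userid1,ou=People,dc=DOMAIN,dc=COM
uniqueMember: uid=userid2,ou=People,dc=DOMAIN,dc=COM
uniqueMember: cn=printer,ou=Devices,dc=DOMAIN,dc=COM
"""

def parse_entry(ldif):
    """Parse one unfolded, non-base64 LDIF entry into {attr: [values]}."""
    entry = {}
    for line in ldif.splitlines():
        if not line.strip() or line.startswith("#"):
            continue
        attr, _, value = line.partition(":")
        entry.setdefault(attr.strip().lower(), []).append(value.strip())
    return entry

def first_rdn(dn):
    """Return (attribute, value) of the leftmost RDN, attribute lowercased."""
    attr, _, value = dn.split(",", 1)[0].partition("=")
    return attr.strip().lower(), value.strip()

def expected_group(ldif):
    """Return (name, gid, member uids, member DNs without a uid= RDN)."""
    entry = parse_entry(ldif)
    name = first_rdn(entry["dn"][0])[1]
    members, unmapped = [], []
    for dn in entry.get("uniquemember", []):
        attr, value = first_rdn(dn)
        if attr == "uid" and value:
            members.append(value)
        else:
            unmapped.append(dn)
    return name, entry["gidnumber"][0], members, unmapped

def diff_getent(getent_line, ldif):
    """Return (missing, extra) uids: directory members vs. the getent line."""
    _name, _pw, gid, users = getent_line.strip().split(":", 3)
    seen = {u for u in users.split(",") if u}
    _, exp_gid, members, _ = expected_group(ldif)
    if gid != exp_gid:
        raise ValueError(f"gid mismatch: getent {gid}, directory {exp_gid}")
    return sorted(set(members) - seen), sorted(seen - set(members))

if __name__ == "__main__":
    print(diff_getent("GROUP1:*:3300:userid1", SAMPLE_LDIF))
```

A non-empty "missing" list means the client did not resolve a uniqueMember DN to a login name; a non-empty "extra" list means the host grants membership the directory entry does not show.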