Re: getent netgroup <mynetgroup> yields no hits

Hello

Thanks for the hint!

 

I had to add

ldap_default_bind_dn
ldap_default_authtok

to my sssd.conf and it worked!

 

What is strange is that groups and people can be resolved without the additional config, so groups and netgroups are handled differently.

 

Thanks a lot,

Tibor

 

From: Mark Reynolds <mareynol@xxxxxxxxxx>
Sent: Tuesday, 11 January 2022 15:00
To: General discussion list for the 389 Directory server project. <389-users@xxxxxxxxxxxxxxxxxxxxxxx>; Dudas Tibor ABRAXAS <Tibor.Dudas@xxxxxxxxxx>
Subject: Re: [389-users] getent netgroup <mynetgroup> yields no hits

On 1/11/22 2:51 AM, Dudas Tibor ABRAXAS wrote:

Hello

 

I would like to configure authentication and authorization via nisNetgroups in 389ds. With "getent" on the 389ds client I see my groups and my users. If I query the netgroup via "getent netgroup <my_netgroup>" I do not get any hit.

My netgroup you see below.

The log says:

tail -f /var/log/dirsrv/slapd-localhost/access
[29/Dec/2021:12:11:14.350690263 +0100] conn=851 op=13 SRCH base="ou=netgroup,dc=example,dc=com" scope=2 filter="(&(cn=qausers)(objectClass=nisNetgroup))" attrs="objectClass cn memberNisNetgroup nisNetgroupTriple modifyTimestamp"
[29/Dec/2021:12:11:14.351130562 +0100] conn=851 op=13 RESULT err=0 tag=101 nentries=0 wtime=0.000194950 optime=0.000443964 etime=0.000636159

The last entries mean:

err=0: no error
tag=101: it was a search
nentries=0: no hits for the search 

nentries=0 could also mean that access control denied the search results.  Since using Directory Manager below works, that is a telltale sign that the search that is failing above is either being done anonymously or by a user who does not have permission to search the database.  So look in the logs for conn=851 and find the BIND dn.

HTH,

Mark


But ldap search with the same parameters yields the netgroup:

ldapsearch -x -D "cn=Directory Manager" -W -H ldaps://server.example.com -b ou=netgroup,dc=example,dc=com "(&(cn=qausers)(objectClass=nisNetgroup))" objectClass cn memberNisNetgroup nisNetgroupTriple modifyTimestamp

dn: cn=qausers,ou=netgroup,dc=example,dc=com
objectClass: nisNetgroup
objectClass: top
cn: qausers
nisNetgroupTriple: (,alice,)
nisNetgroupTriple: (,eve,)
nisNetgroupTriple: (server.example.com,-,-)
nisNetgroupTriple: (server,-,-)
modifyTimestamp: 20211229105114Z

I replaced the real server name by server.example.com and deleted all quotes.

My nsswitch.conf contains

netgroup: files ldap sss

My sssd.conf contains:

ldap_netgroup_search_base = ou=netgroup,dc=example,dc=com
ldap_netgroup_object_class = nisNetgroup
ldap_netgroup_triple = nisNetgroupTriple

My 389ds-instance is created via

cat instance.inf
[general]
config_version = 2
[slapd]
root_password = my_pw
[backend-userroot]
sample_entries = yes
suffix = dc=example,dc=com

My client is configured via "authconfig-tui".

I already looked for special, normally unseen characters in the config files with "cat -vet /etc/sssd/sssd.conf" and "cat -vet /etc/nsswitch.conf", but did not find any.

Does it play a role, that the 389ds server and client see each other via entries in the /etc/hosts? I would assume "no", as getent can resolve both groups and users.

 

Can you help?

 

Best Regards, Tibor

 

--
Tibor Dudas
ICT-System-Ingenieur
Enterprise Applications

Abraxas Informatik AG

The Circle 68 | CH-8058 Zürich-Flughafen
Direkt +41 58 660 24 83
tibor.dudas@xxxxxxxxxx | www.abraxas.ch



_______________________________________________
389-users mailing list -- 389-users@xxxxxxxxxxxxxxxxxxxxxxx
To unsubscribe send an email to 389-users-leave@xxxxxxxxxxxxxxxxxxxxxxx
Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives: https://lists.fedoraproject.org/archives/list/389-users@xxxxxxxxxxxxxxxxxxxxxxx
Do not reply to spam on the list, report it: https://pagure.io/fedora-infrastructure
-- 
Directory Server Development Team

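Mark's advice above is to find the BIND dn for conn=851 in the access log. The following Python script is an added example, not from the thread or the 389ds project: it correlates SRCH/RESULT pairs with the most recent BIND on the same connection and flags zero-entry searches made by an anonymous bind (dn=""), which is the symptom an ACI denial produces. The log sample is constructed; the service account DN in it is an assumption.

```python
import re

# Constructed 389ds access-log sample (not from the thread): conn=851 binds
# anonymously and its netgroup search returns nothing; conn=852 binds as a
# hypothetical service account and the same search returns one entry.
SAMPLE_LOG = """\
[29/Dec/2021:12:11:14.300000000 +0100] conn=851 op=0 BIND dn="" method=128 version=3
[29/Dec/2021:12:11:14.300500000 +0100] conn=851 op=0 RESULT err=0 tag=97 nentries=0 etime=0.000100000
[29/Dec/2021:12:11:14.350690263 +0100] conn=851 op=13 SRCH base="ou=netgroup,dc=example,dc=com" scope=2 filter="(&(cn=qausers)(objectClass=nisNetgroup))" attrs="objectClass cn memberNisNetgroup nisNetgroupTriple modifyTimestamp"
[29/Dec/2021:12:11:14.351130562 +0100] conn=851 op=13 RESULT err=0 tag=101 nentries=0 wtime=0.000194950 optime=0.000443964 etime=0.000636159
[29/Dec/2021:12:12:01.100000000 +0100] conn=852 op=0 BIND dn="uid=sssd-svc,ou=services,dc=example,dc=com" method=128 version=3
[29/Dec/2021:12:12:01.100500000 +0100] conn=852 op=0 RESULT err=0 tag=97 nentries=0 etime=0.000100000
[29/Dec/2021:12:12:01.200000000 +0100] conn=852 op=1 SRCH base="ou=netgroup,dc=example,dc=com" scope=2 filter="(&(cn=qausers)(objectClass=nisNetgroup))" attrs="objectClass cn nisNetgroupTriple"
[29/Dec/2021:12:12:01.200500000 +0100] conn=852 op=1 RESULT err=0 tag=101 nentries=1 wtime=0.000100000 optime=0.000200000 etime=0.000300000
"""

BIND_RE = re.compile(r'conn=(\d+) op=(\d+) BIND dn="([^"]*)"')
SRCH_RE = re.compile(r'conn=(\d+) op=(\d+) SRCH base="([^"]*)" scope=\d+ filter="([^"]*)"')
RESULT_RE = re.compile(r'conn=(\d+) op=(\d+) RESULT err=(\d+) tag=(\d+) nentries=(\d+)')

def find_empty_searches(log_text):
    """Return searches that succeeded (err=0, tag=101 = SearchResultDone)
    but matched nothing, together with the bind identity of the connection."""
    bind_dn = {}    # conn -> most recent BIND dn seen on that connection
    searches = {}   # (conn, op) -> (base, filter) awaiting its RESULT line
    findings = []
    for line in log_text.splitlines():
        m = BIND_RE.search(line)
        if m:
            bind_dn[m.group(1)] = m.group(3)   # "" means an anonymous bind
            continue
        m = SRCH_RE.search(line)
        if m:
            searches[(m.group(1), m.group(2))] = (m.group(3), m.group(4))
            continue
        m = RESULT_RE.search(line)
        if m and m.group(3) == "0" and m.group(4) == "101" and m.group(5) == "0":
            key = (m.group(1), m.group(2))
            if key in searches:                 # ignore RESULTs of non-search ops
                base, flt = searches[key]
                dn = bind_dn.get(key[0], "")    # no BIND logged => anonymous
                findings.append({"conn": key[0], "op": key[1], "base": base,
                                 "filter": flt, "bind_dn": dn, "anonymous": dn == ""})
    return findings

if __name__ == "__main__":
    for f in find_empty_searches(SAMPLE_LOG):
        who = "ANONYMOUS" if f["anonymous"] else f["bind_dn"]
        print(f"conn={f['conn']} op={f['op']} {f['filter']} -> 0 entries, bound as {who}")
```

A zero-entry search by an anonymous bind against a base that Directory Manager can read points at the ACI on that subtree rather than at SSSD's filter, which is why the ldap_default_bind_dn / ldap_default_authtok fix above worked.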
