Re: [389-users] getent group returns empty group list

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

 



On Sat, 2010-02-13 at 16:58 -0500, John A. Sullivan III wrote:
> On Sat, 2010-02-13 at 12:11 -0800, Morris, Patrick wrote:
> > John A. Sullivan III wrote:
> > > Hello, all.  I'm having a miserable time getting CUPS to work with
> > > Directory Server for group authentication.  I think it is more
> > > fundamental than CUPS.  When I do getent group <groupname> to a local
> > > group, the result is populated with members.  However, if I do it for an
> > > LDAP group, the group is returned but with no members.  What would cause
> > > such behavior? Do I need something other than default NSS mappings?
> > >
> > > I am running CentOS Directory Server 8.1 on CentOS 5.4.  The client is
> > > running Debian Lenny.  Thanks - John
> > >   
> > 
> > The most likely reason is that how your system expects the groups to be 
> > set up (i.e, a list of usernames vs. a list of DNs, the objectClass to 
> > consider a Unix a group, etc.) does not match what your data actually 
> > looks like.
> > 
> > Without any data about how you've got things configured on the client 
> > and in the LDAp database, though, it's pretty hard to say where that 
> > disconnect might be.
> <snip>
> Any pointers to where to look, normal configurations, documents to read?
> We are a secure multi-tenant environment so various groups are in
> various portions of the tree.  This print server needs to service all
> clients and this is able to search from the root of the tree.  Thanks -
> John
<snip>
At long last I think I see it.  FDS has create groups with object class
groupofuniquenames to which we have added an objectclass of posixgroup
but it is only populated with uniquemember and not memberuid.  It looks
like I have two options:

1) Define nss_map_objectclass posixgroup groupofuniquenames:
This works for getent group but seems to make id hang.  I think this
also creates a problem in that the user groups, i.e., the posixgroup
created for each uid, will not be mapped.

2) Define all the memberuids in each group:
This means an extra administrative step (is there anyway to automate
this from the uniquemembers attribute?) and exposure to human error.

My guess is that option 2 is the correct way to go.  Is that true?
Thanks - John

--
389 users mailing list
389-users@xxxxxxxxxxxxxxxxxxxxxxx
https://admin.fedoraproject.org/mailman/listinfo/389-users

[Index of Archives]     [Fedora Directory Users]     [Fedora Directory Devel]     [Fedora Announce]     [Fedora Legacy Announce]     [Kernel]     [Fedora Legacy]     [Share Photos]     [Fedora Desktop]     [PAM]     [Red Hat Watch]     [Red Hat Development]     [Big List of Linux Books]     [Gimp]     [Yosemite News]

  Powered by Linux