I used the wiki for the OpenLDAP authentication setup; `getent passwd` seems to work okay and I can log in and update passwords.
But after logging in to an LDAP account, I notice that only the primary group is shown via `id` and `groups`.
Looking in journalctl, I see the following cases:
Issuing `getent group foo`:
SRCH base="dc=example,dc=org" scope=2 deref=0 filter="(&(objectClass=posixGroup)(cn=foo))"
SRCH attr=member cn memberUid gidNumber
slap_global_control: unrecognized control: 1.3.6.1.4.1.4203.666.5.16
SEARCH RESULT tag=101 err=0 qtime=0.000018 etime=0.000234 nentries=0 text=
Issuing `getent group`:
SRCH base="dc=example,dc=org" scope=2 deref=0 filter="(objectClass=posixGroup)"
SRCH attr=member cn memberUid gidNumber
slap_global_control: unrecognized control: 1.3.6.1.4.1.4203.666.5.16
<group(all)> cn=foo,ou=Group,dc=example,dc=org: cn: missing
<group(all)> cn=foo1,ou=Group,dc=example,dc=org: cn: missing
...
<group(all)> cn=foon,ou=Group,dc=example,dc=org: cn: missing
SEARCH RESULT tag=101 err=0 qtime=0.000010 etime=0.000305 nentries=12 text=
The LDAP groups above are found, but seemingly generate an error.
Issuing `ldapsearch -x -b "dc=example,dc=org" -D "cn=Manager,dc=example,dc=org" -W '(&(objectClass=posixGroup)(cn=foo))'`
or `ldapsearch -x -b "dc=example,dc=org" -D "cn=Manager,dc=example,dc=org" -W '(objectClass=posixGroup)'`
returns the values as expected.
I populated the selected users/groups from /etc/passwd and /etc/group using openldap-migrationtools.
The schemas used during the OpenLDAP configuration:
# TODO: Include further schemas as necessary
include: file:///etc/openldap/schema/core.ldif
# RFC1274: Cosine and Internet X.500 schema
include: file:///etc/openldap/schema/cosine.ldif
# RFC2798: Internet Organizational Person
include: file:///etc/openldap/schema/inetorgperson.ldif
# RFC2307: An Approach for Using LDAP as a Network Information Service
include: file:///etc/openldap/schema/nis.ldif
I don't have nscd running yet, to avoid cache problems, and when running `nslcd -nd` I see nothing really interesting:
nslcd: [8b4567] <group="foo"> DEBUG: myldap_search(base="dc=example,dc=org", filter="(&(objectClass=posixGroup)(cn=foo))")
nslcd: [8b4567] <group="foo"> DEBUG: ldap_initialize(ldap://127.0.0.1/)
nslcd: [8b4567] <group="foo"> DEBUG: ldap_set_rebind_proc()
nslcd: [8b4567] <group="foo"> DEBUG: ldap_set_option(LDAP_OPT_PROTOCOL_VERSION,3)
nslcd: [8b4567] <group="foo"> DEBUG: ldap_set_option(LDAP_OPT_DEREF,0)
nslcd: [8b4567] <group="foo"> DEBUG: ldap_set_option(LDAP_OPT_TIMELIMIT,0)
nslcd: [8b4567] <group="foo"> DEBUG: ldap_set_option(LDAP_OPT_TIMEOUT,10)
nslcd: [8b4567] <group="foo"> DEBUG: ldap_set_option(LDAP_OPT_NETWORK_TIMEOUT,10)
nslcd: [8b4567] <group="foo"> DEBUG: ldap_set_option(LDAP_OPT_REFERRALS,LDAP_OPT_ON)
nslcd: [8b4567] <group="foo"> DEBUG: ldap_set_option(LDAP_OPT_RESTART,LDAP_OPT_ON)
nslcd: [8b4567] <group="foo"> DEBUG: ldap_simple_bind_s(NULL,NULL) (uri="ldap://127.0.0.1/")
nslcd: [8b4567] <group="foo"> DEBUG: ldap_result(): end of results (0 total)
and similarly with the `cn: missing` lines when issuing `getent group` (nslcd indicates `group(all)`).
Any hints on getting these groups to work?
Also, does anybody use rfc2307bis? Is it worth the trouble to use an obsolete draft?
BTW, I haven't tried sss, but I'm presuming that if this doesn't work, neither will it.
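An added triage helper (not from the post or from nslcd/slapd) that parses log lines shaped like the ones quoted above and reports, per group DN, which of the attributes nslcd asked for came back missing, plus any control OID slapd rejected; the sample log is constructed to mirror the post.

```python
import re
from collections import defaultdict

# Constructed sample modelled on the slapd/nslcd lines quoted in the post.
SAMPLE_LOG = """\
SRCH base="dc=example,dc=org" scope=2 deref=0 filter="(objectClass=posixGroup)"
SRCH attr=member cn memberUid gidNumber
slap_global_control: unrecognized control: 1.3.6.1.4.1.4203.666.5.16
<group(all)> cn=foo,ou=Group,dc=example,dc=org: cn: missing
<group(all)> cn=foo1,ou=Group,dc=example,dc=org: cn: missing
<group(all)> cn=foo1,ou=Group,dc=example,dc=org: gidNumber: missing
SEARCH RESULT tag=101 err=0 qtime=0.000010 etime=0.000305 nentries=12 text=
"""

SRCH_RE = re.compile(r'SRCH base="(?P<base>[^"]*)" .*filter="(?P<filter>[^"]*)"')
ATTR_RE = re.compile(r'SRCH attr=(?P<attrs>.*)')
CTRL_RE = re.compile(r'unrecognized control: (?P<oid>[\d.]+)')
MISSING_RE = re.compile(r'<(?P<map>[^>]+)> (?P<dn>.+?): (?P<attr>\w+): missing')
RESULT_RE = re.compile(r'SEARCH RESULT .*err=(?P<err>\d+) .*nentries=(?P<n>\d+)')

def triage(log_text):
    """Summarise one group lookup: the filter sent, the attributes requested,
    controls slapd rejected, and which returned entries lacked which attributes."""
    summary = {"filter": None, "requested": [], "unknown_controls": [],
               "missing": defaultdict(list), "err": None, "nentries": None}
    for line in log_text.splitlines():
        if m := SRCH_RE.search(line):
            summary["filter"] = m["filter"]
        elif m := ATTR_RE.search(line):
            summary["requested"] = m["attrs"].split()
        elif m := CTRL_RE.search(line):
            summary["unknown_controls"].append(m["oid"])
        elif m := MISSING_RE.search(line):
            summary["missing"][m["dn"]].append(m["attr"])
        elif m := RESULT_RE.search(line):
            summary["err"] = int(m["err"])
            summary["nentries"] = int(m["n"])
    summary["missing"] = dict(summary["missing"])
    return summary

def unusable_entries(summary):
    """DNs that matched the filter but came back without an attribute nslcd
    requested; these are the entries nslcd drops, so getent never shows them."""
    wanted = set(summary["requested"])
    return sorted(dn for dn, attrs in summary["missing"].items() if wanted & set(attrs))

if __name__ == "__main__":
    s = triage(SAMPLE_LOG)
    print(s["nentries"], "entries returned;", len(unusable_entries(s)), "unusable")
    for dn in unusable_entries(s):
        print(dn, "missing", s["missing"][dn])
```

A DN whose RDN is `cn=foo` but whose `cn` still comes back missing was matched by the filter yet returned without that attribute, so the next thing to compare is what the bind nslcd actually uses (anonymous in the trace above, versus the Manager DN in the working ldapsearch) is allowed to read on group entries.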