
Re: LDAP group memberships not working



On Thursday 12 June 2008 15:45:22 Doug Grantham wrote:

> dn:  cn=AAA,ou=group,dc=mydomain,dc=edu
> cn:  AAA
> gidNumber:  601
> member:  uid=USER1,ou=people,dc=mydomain,dc=edu
> member:  uid=USER2,ou=people,dc=mydomain,dc=edu
> member:  uid=USER3,ou=people,dc=mydomain,dc=edu
> objectClass: top
> objectClass: posixGroup
> objectClass: groupofnames
>
> dn:  cn=BBB,ou=group,dc=mydomain,dc=edu
> cn:  BBB
> gidNumber:  602
> member:  uid=USER1,ou=people,dc=mydomain,dc=edu
> member:  uid=USER3,ou=people,dc=mydomain,dc=edu
> objectClass: top
> objectClass: posixGroup
> objectClass: groupofnames
>
> dn:  cn=CCC,ou=group,dc=mydomain,dc=edu
> cn:  CCC
> gidNumber:  603
> member:  uid=USER1,ou=people,dc=mydomain,dc=edu
> member:  uid=USER2,ou=people,dc=mydomain,dc=edu
> member:  uid=USER4,ou=people,dc=mydomain,dc=edu
> objectClass: top
> objectClass: posixGroup
> objectClass: groupofnames
>
> This has been a really weird problem. The default groups are getting
> properly set but none of the other memberships are working. I've not found
> any help online and I'm pulling my hair out!

You are using rfc2307bis groups; I know the Solaris LDAP client doesn't use
them by default. I don't see any information in the ldapclient man page
regarding using DN-valued attributes for group membership.

For now, the best option may be to write a simple script which retrieves the 
member attributes, then retrieves the uid attribute for the member DNs, and 
populates them into the memberUid attribute for the group.

The autogroup module in contrib in 2.4 *may* be able to help you here (I 
haven't looked in detail).

Regards,
Buchan
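
A sketch of the sync script suggested in the reply above, added here as an example and not code from the thread: it resolves each group's member DNs to the uid attribute of the matching user entry and emits an LDIF change that rewrites memberUid. It assumes the group and people entries have been dumped to LDIF (for instance with `ldapsearch -LLL`); the function names and both sample dumps are constructed for illustration.

```python
# Added example; both LDIF samples are constructed, shaped like `ldapsearch -LLL` output.
GROUPS_LDIF = """\
dn: cn=AAA,ou=group,dc=mydomain,dc=edu
member:  uid=USER1,ou=people,dc=mydomain,dc=edu
member:  uid=USER2,ou=people,dc=mydomain,dc=edu
member:  uid=GONE,ou=people,dc=mydomain,dc=edu
"""
PEOPLE_LDIF = """\
dn: uid=USER1,ou=people,dc=mydomain,dc=edu
uid: user1

dn: UID=user2, OU=People, dc=mydomain,dc=edu
uid: user2
"""

def parse_ldif(text):
    """Parse plain 'attr: value' LDIF (base64 '::' values unsupported) into dicts."""
    entries = []
    for block in text.replace("\n ", "").strip().split("\n\n"):  # unfold, split entries
        entry = {}
        for line in block.splitlines():
            if ":" in line and not line.startswith("#"):
                attr, value = line.split(":", 1)
                entry.setdefault(attr.strip().lower(), []).append(value.strip())
        if "dn" in entry:
            entries.append(entry)
    return entries

def norm_dn(dn):
    """Simplified DN matching: case-fold and drop spaces around the commas."""
    return ",".join(part.strip().lower() for part in dn.split(","))

def build_modify_ldif(groups_text, people_text):
    """Return (LDIF for ldapmodify, [(group dn, member dn)] that did not resolve)."""
    uid_by_dn = {norm_dn(e["dn"][0]): e["uid"][0]
                 for e in parse_ldif(people_text) if e.get("uid")}
    out, unresolved = [], []
    for group in parse_ldif(groups_text):
        gdn, uids = group["dn"][0], []
        for member in group.get("member", []):
            uid = uid_by_dn.get(norm_dn(member))
            if uid is None:
                unresolved.append((gdn, member))  # never guess a uid from the RDN
            elif uid not in uids:
                uids.append(uid)
        # replace (not add) so removed members lose access; no values deletes the attribute
        out += [f"dn: {gdn}", "changetype: modify", "replace: memberUid"]
        out += [f"memberUid: {u}" for u in uids] + ["-", ""]
    return "\n".join(out), unresolved
```

The first return value can be piped to `ldapmodify`; the second lists member DNs with no matching user entry, which are worth reviewing as stale group references.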