> From: "Norm Dressler" <ndressler@dinmar.com>
> Date: Thu, 5 Jul 2001 15:08:35 -0400
>
> Not sure if this is the right place for the question, but I'm certain
> someone out there must be using it.
>
> I have set up my ldap server, and it's working fine. I can log into my
> RedHat 7.0 linux box using an LDAP account with no problems.
>
> I have tried to establish groups in my LDAP directory as well. I am using
> a tool called directory_administrator and it's working great. It creates the
> following in my ldap:
> dn: cn=mygroup,dc=dinmar,dc=com
> objectclass: top
> objectclass: posixGroup
> cn: mygroup
> gidnumber: 2005
> uniquemember: uid=ndressler, dc=dinmar,dc=com
>
> The problem is, my Linux box doesn't seem to recognize these groups. I've
> implemented the PAM modules from padl.com as per their instructions
> (although they are using a version 2 of ldap, while I'm using version 1.2.12
> (because I need samba support in there as well).
>
> I created a directory called /groups/mygroup. I chowned it to chown -R
> :2005 mygroup, and chmod -R 770 mygroup. When I log in as ndressler, it
> gives me an access denied to the directory.
>
> I'm not sure where to begin looking - any hints?

If you look at the definition of a posixGroup:

    objectclass ( 1.3.6.1.1.1.2.2 NAME 'posixGroup' SUP top STRUCTURAL
        DESC 'Abstraction of a group of accounts'
        MUST ( cn $ gidNumber )
        MAY ( userPassword $ memberUid $ description ) )

you won't find a uniqueMember attribute, instead you'll find a memberUid group.
memberUid contains member names, so you instead want something like this:

    dn: cn=mygroup,dc=dinmar,dc=com
    objectclass: top
    objectclass: posixGroup
    cn: mygroup
    gidnumber: 2005
    memberuid: ndressler

Seems that directory_administrator has a non-standard idea of what a group is.

Chris
--
Chris Garrigues http://www.DeepEddy.Com/~cwg/
virCIO http://www.virCIO.Com
4314 Avenue C
Austin, TX 78751-3709 +1 512 374 0500
My email address is an experiment in SPAM elimination. For an
explanation of what we're doing, see http://www.DeepEddy.Com/tms.html
Nobody ever got fired for buying Microsoft,
but they could get fired for relying on Microsoft.
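
An added example, not part of the original post or the reply: a small audit over an LDIF export that flags posixGroup entries whose members are listed only as uniquemember DNs and reports the memberuid values they lack. The sample LDIF is constructed (the first entry is the one quoted above; the second entry and the function names are assumptions), and the parser handles only plain, non-base64 LDIF.

```python
import re

# Constructed sample: entry 1 is the group from the question, entry 2 is a
# hypothetical group that already uses memberuid as the reply recommends.
SAMPLE_LDIF = """\
dn: cn=mygroup,dc=dinmar,dc=com
objectclass: top
objectclass: posixGroup
cn: mygroup
gidnumber: 2005
uniquemember: uid=ndressler, dc=dinmar,dc=com

dn: cn=othergroup,dc=dinmar,dc=com
objectclass: top
objectclass: posixGroup
cn: othergroup
gidnumber: 2006
memberuid: ndressler
"""

def parse_ldif(text):
    """Parse plain LDIF into a list of {attribute: [values]} dicts (names lowercased)."""
    entries = []
    for block in re.split(r"\n\s*\n", text.strip()):
        block = re.sub(r"\n ", "", block)  # unfold LDIF continuation lines
        entry = {}
        for line in block.splitlines():
            if line.startswith("#") or ":" not in line:
                continue
            attr, value = line.split(":", 1)
            entry.setdefault(attr.strip().lower(), []).append(value.strip())
        if entry:
            entries.append(entry)
    return entries

def audit_posix_groups(entries):
    """Return posixGroup entries that carry uniquemember DNs, with the memberuid names they lack."""
    findings = []
    for e in entries:
        classes = {c.lower() for c in e.get("objectclass", [])}
        dn_members = e.get("uniquemember", [])
        if "posixgroup" not in classes or not dn_members:
            continue
        # Take the login name from a leading uid= RDN; other DN forms are left for manual review.
        uids = [m.group(1).strip() for dn in dn_members
                if (m := re.match(r"\s*uid=([^,]+)", dn, re.I))]
        missing = [u for u in uids if u not in e.get("memberuid", [])]
        findings.append({"dn": e["dn"][0], "missing_memberuid": missing})
    return findings

if __name__ == "__main__":
    for f in audit_posix_groups(parse_ldif(SAMPLE_LDIF)):
        print(f["dn"], "-> add memberuid:", ", ".join(f["missing_memberuid"]))
```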