Re: dynlist and group membership (libnss-ldap, posixGroup, samba)

Felipe Augusto van de Wiel <felipe.wiel@hpp.org.br> writes:

> Hi,
>
> I'm afraid I'm missing something very simple
> here and it is likely that the issue is on libnss-ldap
> and not on OpenLDAP dynlist overlay, I just want to make
> sure everything is fine regarding OpenLDAP configuration.
>
> I'm using Debian 5.0 (Lenny) and OpenLDAP 2.4.11
> (Debian packaged version). I'm also using rfc2307bis and
> I would like to have a dynamic group with all non-disabled
> Samba users. Not sure if it is recommended to send the
> full slapd.conf, so I'm just sending the parts I added in
> order to have the dynlist/"dynamic group".
>
> /etc/ldap/slapd.conf:
> include /etc/ldap/schema/dyngroup.schema
> ...
> overlay dynlist
> dynlist-attrset posixGroup labeledURI member
>
> $ ldapsearch -x cn=active-samba-users
> dn: cn=active-samba-users,ou=Groups,dc=ahpi,dc=org
> objectClass: top
> objectClass: groupOfNames
> objectClass: posixGroup
> objectClass: sambaGroupMapping
> objectClass: labeledURIObject
> cn: active-samba-users
> gidNumber: 999
> sambaSID: S-1-5-21-1234567899-1234567899-123456789-2999
> sambaGroupType: 2
> displayName: active samba users
> labeledURI: ldap:///ou=People,?uid?sub?(&(objectClass=posixAccount)(objectClass=sambaSAMAccount)(!(sambaAcctFlags=*D*)))
>
> When I run the search above I do get the
> expected results, several 'member' fields are
> added to the response:
>
> member: uid=userA,ou=People,dc=ahpi,dc=org
> member: uid=userB,ou=People,dc=ahpi,dc=org

That is what the dynlist overlay and the labeledURI attribute value
provide, according to your configuration.
> The problem is that I would expect an
> 'id userA' to include group 'active-samba-users'
> but it doesn't. But 'getent group active-samba-users'
> includes all the users:
>
> active-samba-users:*:999:userA,userB

Modify the dynlist overlay configuration and rewrite the labeledURI
attribute value in order to match your requirements.


Dieter Klünter | Systemberatung
sip: +49.40.20932173