09-17-2012, 11:35 AM   #1
sunnysthakur
Trouble assigning user to group in OpenLDAP


Hello,

I am working on setting up an LDAP server and am facing an issue related to assigning a user to a group. Below is the LDAP structure I am using.

I have created Users, Groups and Servers OUs, and sub-OUs added to the same [bugbase, ftp, samba, svn, tcms, wiki] for the Users as well as the Groups OU.

Logged in as: cn=Manager,dc=bebolabs,dc=net

+--> dc=bebolabs,dc=net (3)
+--> ou=Groups (6)
| ---> ou=bugbase
| ---> ou=ftp
| ---> ou=samba
| ---> ou=svn
| ---> ou=tcms
| ---> ou=wiki
---> ou=Systems
+--> ou=Users (6)
| ---> ou=bugbase
| ---> ou=ftp
| ---> ou=samba
| ---> ou=svn
| ---> ou=tcms
| ---> ou=wiki

Now I created a user under the Users->FTP->username OU and a group under the Groups->FTP->groupname OU.

I assigned username under Users->FTP to group under Groups->FTP.

But on login from the client machine the below error is thrown and user is n

[root@ldapclnt ~]# su - sunny
id: cannot find name for group ID 500
[sunny@ldapclnt ~]$ id
uid=500(sunny) gid=500 groups=500
[sunny@ldapclnt ~]$


Please help me with how to fix this.

Below is my ldapgroup.ldif and ldapuser.ldif

ldapgroup.ldif
dn: cn=sunny,ou=ftp,ou=Groups,dc=bebolabs,dc=net
objectClass: posixGroup
cn: sunny
gidNumber: 500
memberuid: sunny

ldapuser.ldif

dn: uid=sunny,ou=ftp,ou=Users,dc=bebolabs,dc=net
objectClass: inetOrgPerson
objectClass: posixAccount
objectClass: shadowAccount
uid: sunny
sn: sunny
givenName: sunny
cn: sunny
displayName: sunny
uidNumber: 500
gidNumber: 500
userPassword: {crypt}$1$tayZSy59$DcPHe6xQC3IvlNLE5u1ix1
gecos: sunny
loginShell: /bin/bash
homeDirectory: /home/sunny
shadowExpire: -1
shadowFlag: 0
shadowWarning: 7
shadowMin: 0
shadowMax: 99999
shadowLastChange: 15240
 
09-18-2012, 02:39 AM   #2
acid_kewpie
So what's this group stuff about? Why have you created the "sunny" group inside the ftp ou? Isn't ftp the group they should be a member of? Compare and contrast the group config for a working group.
 
09-18-2012, 03:46 AM   #3
sunnysthakur
What I am doing is creating different OUs for different servers [FTP, samba, svn etc...] so that the users and groups which are under the FTP OU will have access to the FTP server [which will be an LDAP client, and so on for other servers also].

What I did was create OUs under Groups and Users so that a user under the FTP OU should have a group under Groups->FTP.

This is what I am trying to do...

Can you please help me on this, if this is a possible scenario?
 
09-18-2012, 03:53 AM   #4
acid_kewpie
Right, so again, compare these things. What is the config for pulling the LDAP groups? Presumably there is no entry for this group when you run "getent group"? Focus on just getting that working and go from there.
 
09-18-2012, 07:02 AM   #5
sunnysthakur
When I use the base DN on the client machine as ou=ftp,ou=Groups,dc=bebolabs,dc=net then it shows groups using getent group but not the user list in passwd,
and when I use ou=ftp,ou=users,dc=bebolabs,dc=net then it shows the user list using getent passwd but not the group.

Does this mean that I have to use multiple base DNs on the client side? If yes, then how can I use this?
 
09-18-2012, 07:18 AM   #6
acid_kewpie
Right, so presuming you're configuring in nss_ldap, you'll have nss_ldap_group and nss_ldap_passwd attributes to set to each DN respectively.
 
09-18-2012, 02:33 PM   #7
sunnysthakur
Acid,

Currently I am using pam_ldap instead of nss_ldap.
As per you, to call multiple base DNs I need to configure nss_ldap with the LDAP server instead of pam_ldap.
 
09-18-2012, 02:35 PM   #8
acid_kewpie
PAM and NSS work independently. PAM does the authentication, NSS does the user information lookups.
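
An added illustration of the thread's problem, not code from any poster: a small Python model of LDAP subtree scope over the two entries from post #1. It shows why one base DN for every NSS map reproduces the nameless `gid=500` and why a separate base per map resolves it. The helper names are hypothetical; `nss_base_passwd` and `nss_base_group` are the per-map search-base directives in nss_ldap's ldap.conf.

```python
# Added illustration: models LDAP subtree scope over the thread's directory tree.
# Entries are copied from the LDIF in post #1; the helper names are hypothetical.

ENTRIES = [
    {"dn": "cn=sunny,ou=ftp,ou=Groups,dc=bebolabs,dc=net",
     "objectClass": ["posixGroup"], "cn": "sunny",
     "gidNumber": 500, "memberUid": ["sunny"]},
    {"dn": "uid=sunny,ou=ftp,ou=Users,dc=bebolabs,dc=net",
     "objectClass": ["inetOrgPerson", "posixAccount", "shadowAccount"],
     "uid": "sunny", "uidNumber": 500, "gidNumber": 500},
]

def rdns(dn):
    """Normalise a DN for comparison; matching here is case-insensitive."""
    return [part.strip().lower() for part in dn.split(",")]

def search(base, object_class):
    """Subtree search: entries at or below `base` that carry the given class."""
    b = rdns(base)
    return [e for e in ENTRIES
            if rdns(e["dn"])[-len(b):] == b and object_class in e["objectClass"]]

def getent_passwd(passwd_base):
    return {e["uid"]: e for e in search(passwd_base, "posixAccount")}

def getent_group(group_base):
    return {e["gidNumber"]: e for e in search(group_base, "posixGroup")}

def id_output(user, passwd_base, group_base):
    """Mimic `id`: a gid with no visible group entry prints without a name."""
    account = getent_passwd(passwd_base).get(user)
    if account is None:
        return None  # NSS cannot see the account at all
    groups = getent_group(group_base)
    gid = account["gidNumber"]
    name = "(%s)" % groups[gid]["cn"] if gid in groups else ""
    return "uid=%d(%s) gid=%d%s groups=%d%s" % (
        account["uidNumber"], user, gid, name, gid, name)

USERS_FTP = "ou=ftp,ou=Users,dc=bebolabs,dc=net"
GROUPS_FTP = "ou=ftp,ou=Groups,dc=bebolabs,dc=net"

# One base for every map, as in post #5: the group entry is out of scope.
single_base = id_output("sunny", USERS_FTP, USERS_FTP)
# A base per map (nss_ldap: nss_base_passwd / nss_base_group in ldap.conf).
split_base = id_output("sunny", USERS_FTP, GROUPS_FTP)
# Other servers' sub-OUs stay invisible to the FTP client in both cases.
other_ou = getent_passwd("ou=svn,ou=Users,dc=bebolabs,dc=net")
```

Keeping each map's base at the `ou=ftp` sub-OU rather than widening it to `dc=bebolabs,dc=net` preserves the per-server separation the original poster designed the tree for.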
 
  

