LinuxQuestions.org

Linux - Server: LDAP Groups not useable (https://www.linuxquestions.org/questions/linux-server-73/ldap-groups-not-useable-687790/)

Hosferatu 12-02-2008 01:00 PM

LDAP Groups not useable
 
I am running Fedora DS on Red Hat Enterprise 5. I want to have a directory accessible by certain LDAP users. I made a group in Fedora DS and added the members, but I get the error "group doesn't exist" when trying to make a directory owned by that group. How do I get the machine to read LDAP group entries as well as users? Or am I going about this the wrong way?

acid_kewpie 12-02-2008 01:24 PM

If the user side is fine, then there's presumably just a missing option in /etc/nsswitch.conf to use LDAP for groups as well as passwd. Failing that, I would expect you're not looking for the right attributes in LDAP to identify a group. Does "getent group" show you anything interesting?

Hosferatu 12-02-2008 01:41 PM

Under group in nsswitch.conf it shows "files ldap". When I use "getent group" it shows all the local system groups but not the ones on the LDAP server.

acid_kewpie 12-02-2008 03:02 PM

OK, and getent passwd does show all the LDAP users? Show us your ldap.conf.

Hosferatu 12-02-2008 04:14 PM

getent passwd does show all users.

Here is the uncommented version of ldap.conf:
Code:

base dc=elisa,dc=com
timelimit 120
bind_timelimit 120
idle_timelimit 3600
uri ldap://192.168.0.4/
ssl no
tls_cacertdir /etc/openldap/cacerts
pam_password md5


acid_kewpie 12-02-2008 04:24 PM

What does an ldapsearch of your groups look like? You are using the posixGroup objectClass, right?

Hosferatu 12-04-2008 10:26 AM

I didn't see any POSIX options when I made the group with the GUI, so I assume it isn't a posixGroup. How would I go about creating one or giving the current one POSIX attributes?

acid_kewpie 12-04-2008 11:39 AM

My LDAP isn't as hot as it needs to be, but LDAP groups aren't Unix groups. With an LDAP group, the members of it will have a number of memberOf attributes listing those groups. This would equate to the "other" Unix groups. What you want is an object type of "posixGroup", as opposed to "user" or "posixUser". This group then becomes associated as the main group of the user, with its own GID etc.

Hosferatu 12-08-2008 11:45 AM

I have created a posixGroup that now shows up as a group. However, the members of the group still have no access to group directories. The directory permissions are set for group read, write and execute, but when trying to view the contents it still says permission denied. When I use "getent group" it shows the group with the complete list of member IDs. I'm not sure what I should do now to get the permissions working correctly.

acid_kewpie 12-08-2008 01:01 PM

do both ls -l and id <username> show the groups?

Hosferatu 12-08-2008 01:16 PM

ls -l shows the correct group, but id USERNAME shows that the user is not part of the group.

acid_kewpie 12-08-2008 01:21 PM

Do you have local and remote group names with different GIDs, maybe? The id command would certainly pull it back to a genuine point of reference, though. You might want to check what LDAP activity is going down during a call like that with tcpdump or Wireshark.

Hosferatu 05-31-2011 05:23 PM

Solved it. In fedora-ds (now 389-ds) you need to make an ldap group, then click the advanced button and add the class posixgroup to the group object. Group permissions work properly now.
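The distinction acid_kewpie draws above (a plain LDAP group versus an RFC 2307 posixGroup) and the fix Hosferatu describes (adding the posixGroup class to the existing group object) are both covered by the following added example. It is not code from the thread or from 389-ds. It parses a constructed LDIF dump of two groups under the thread's base DN dc=elisa,dc=com (the group names, ou=Groups/ou=People containers, the users alice, bob and carol and the GID values are all assumptions), reports which attributes nss_ldap would miss on each entry, and emits the ldapmodify record that adds objectClass posixGroup, a gidNumber and one memberUid per existing member DN.

```python
"""Audit LDAP group entries for the attributes nss_ldap needs to resolve
them as Unix groups, and build an ldapmodify LDIF that adds what is missing.
Added example, not from the thread; the LDIF below is constructed."""
import re

# Constructed sample under the thread's base DN. "share" is a plain LDAP group
# (groupOfUniqueNames only), like one created from the GUI without POSIX
# options; "devs" already carries posixGroup, gidNumber and memberUid.
SAMPLE_LDIF = """\
dn: cn=share,ou=Groups,dc=elisa,dc=com
objectClass: top
objectClass: groupOfUniqueNames
cn: share
uniqueMember: uid=alice,ou=People,dc=elisa,dc=com
uniqueMember: uid=bob,ou=People,dc=elisa,dc=com

dn: cn=devs,ou=Groups,dc=elisa,dc=com
objectClass: top
objectClass: groupOfUniqueNames
objectClass: posixGroup
cn: devs
gidNumber: 10001
uniqueMember: uid=carol,ou=People,dc=elisa,dc=com
memberUid: carol
"""


def parse_ldif(text):
    """Parse minimal LDIF (no base64 values, no line folding) into a list of
    dicts mapping lowercase attribute name -> list of values."""
    entries, cur = [], {}
    for line in text.splitlines():
        if not line.strip():
            if cur:
                entries.append(cur)
                cur = {}
            continue
        attr, _, value = line.partition(":")
        cur.setdefault(attr.strip().lower(), []).append(value.strip())
    if cur:
        entries.append(cur)
    return entries


def check_posix_group(entry):
    """Return the problems that stop nss_ldap resolving this entry as a Unix
    group: RFC 2307 wants objectClass posixGroup, a numeric gidNumber, and
    memberUid values (member DNs alone are not enough for the default schema)."""
    problems = []
    classes = {c.lower() for c in entry.get("objectclass", [])}
    if "posixgroup" not in classes:
        problems.append("missing objectClass posixGroup")
    if not entry.get("gidnumber"):
        problems.append("missing gidNumber")
    elif not entry["gidnumber"][0].isdigit():
        problems.append("gidNumber is not numeric")
    if not entry.get("memberuid"):
        problems.append("no memberUid values (members are DNs only)")
    return problems


def uids_from_dns(dns):
    """Pull the uid= RDN out of member DNs such as uid=alice,ou=People,..."""
    uids = []
    for dn in dns:
        m = re.match(r"uid=([^,]+)", dn, re.IGNORECASE)
        if m:
            uids.append(m.group(1))
    return uids


def fix_ldif(entry, gid):
    """Build an ldapmodify change record adding posixGroup, a gidNumber (the
    caller must supply a GID that is free locally and in LDAP) and one
    memberUid per uniqueMember/member DN. Returns "" if nothing is needed."""
    lines = ["dn: " + entry["dn"][0], "changetype: modify"]
    classes = {c.lower() for c in entry.get("objectclass", [])}
    if "posixgroup" not in classes:
        lines += ["add: objectClass", "objectClass: posixGroup", "-"]
    if not entry.get("gidnumber"):
        lines += ["add: gidNumber", "gidNumber: %d" % gid, "-"]
    if not entry.get("memberuid"):
        members = entry.get("uniquemember", []) + entry.get("member", [])
        uids = uids_from_dns(members)
        if uids:
            lines += ["add: memberUid"] + ["memberUid: " + u for u in uids] + ["-"]
    if len(lines) == 2:  # only the header: nothing to change
        return ""
    return "\n".join(lines) + "\n"


def audit(text):
    """Map each group DN in the LDIF to its list of problems ([] means OK)."""
    return {e["dn"][0]: check_posix_group(e) for e in parse_ldif(text)}


if __name__ == "__main__":
    for dn, problems in audit(SAMPLE_LDIF).items():
        print(dn, "->", problems or "OK")
    share = parse_ldif(SAMPLE_LDIF)[0]
    print(fix_ldif(share, 10002))  # pipe into: ldapmodify -x -D <admin DN> -W
```

On a real directory, feed the output of `ldapsearch -x -b ou=Groups,dc=elisa,dc=com objectClass=groupOfUniqueNames` to `audit` instead of the sample. Two caveats: 389-ds accepts posixGroup alongside groupOfUniqueNames on one entry (which is what the GUI "advanced" step does), but OpenLDAP with the stock RFC 2307 schema treats both as STRUCTURAL and will reject the modify unless the rfc2307bis schema is loaded; and after the change, `getent group` can succeed while `id <user>` still omits the group until nscd is restarted or its group cache is invalidated.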

