#1, 12-02-2008, 02:00 PM
Member (Registered: Sep 2007, Posts: 32)
LDAP Groups not usable
I am running fedorads on redhat enterprise 5. I want to have a directory accessible by certain ldap users. I made a group in fedorads and added the members, but I get the error "group doesn't exist" when trying to make a directory owned by that group. How do I get the machine to read ldap group entries as well as users? Or am I going about this the wrong way?

#2, 12-02-2008, 02:24 PM
Moderator (Registered: Jun 2001, Location: UK, Distribution: Gentoo, RHEL, Fedora, Centos, Posts: 43,417)
If the user side is fine, then there's presumably just a missing option in /etc/nsswitch.conf to use ldap for groups as well as passwd. Failing that, I would expect you're not looking for the right attributes in ldap to identify a group. Does "getent group" show you anything interesting?

#3, 12-02-2008, 02:41 PM
Member, Original Poster (Registered: Sep 2007, Posts: 32)
Under group in nsswitch.conf it shows "files ldap". When I use "getent group" it shows all the local system groups but not the ones on the ldap server.

#4, 12-02-2008, 04:02 PM
Moderator (Registered: Jun 2001, Location: UK, Distribution: Gentoo, RHEL, Fedora, Centos, Posts: 43,417)
OK, and getent passwd does show all the ldap users? Show us your ldap.conf.

#5, 12-02-2008, 05:14 PM
Member, Original Poster (Registered: Sep 2007, Posts: 32)
getent passwd does show all users.
Here is the uncommented version of ldap.conf:
Code:
base dc=elisa,dc=com
timelimit 120
bind_timelimit 120
idle_timelimit 3600
uri ldap://192.168.0.4/
ssl no
tls_cacertdir /etc/openldap/cacerts
pam_password md5

#6, 12-02-2008, 05:24 PM
Moderator (Registered: Jun 2001, Location: UK, Distribution: Gentoo, RHEL, Fedora, Centos, Posts: 43,417)
What does an ldapsearch of your groups look like? You are using the posixGroup objectClass, right?

#7, 12-04-2008, 11:26 AM
Member, Original Poster (Registered: Sep 2007, Posts: 32)
I didn't see any posix options when I made the group with the GUI. So I assume it isn't a posix group. How would I go about creating one or giving the current one posix attributes?

#8, 12-04-2008, 12:39 PM
Moderator (Registered: Jun 2001, Location: UK, Distribution: Gentoo, RHEL, Fedora, Centos, Posts: 43,417)
My ldap isn't as hot as it needs to be, but ldap groups aren't unix groups. With an ldap group, the members of it will have a number of memberOf attributes listing those groups. This would equate to the "other" unix groups. What you want is an objecttype of "posixGroup", as opposed to "user" or "posixUser". This group then becomes associated as the main group of the user, with its own gid etc.

#9, 12-08-2008, 12:45 PM
Member, Original Poster (Registered: Sep 2007, Posts: 32)
I have created a posixGroup that now shows up as a group. However, the members of the group still have no access to group directories. The directory's permissions are set for group read, write and execute, but when trying to view the contents it still says permission denied. When I use "getent group" it shows the group with the complete list of member IDs. I'm not sure what I should do now to get the permissions working correctly.

#10, 12-08-2008, 02:01 PM
Moderator (Registered: Jun 2001, Location: UK, Distribution: Gentoo, RHEL, Fedora, Centos, Posts: 43,417)
Do both ls -l and id <username> show the groups?

#11, 12-08-2008, 02:16 PM
Member, Original Poster (Registered: Sep 2007, Posts: 32)
ls -l shows the correct group, but id USERNAME shows that the user is not part of the group.

#12, 12-08-2008, 02:21 PM
Moderator (Registered: Jun 2001, Location: UK, Distribution: Gentoo, RHEL, Fedora, Centos, Posts: 43,417)
Do you have local and remote group names with different gids maybe? The id command would certainly pull it back to a genuine point of reference though. You might want to check what ldap activity is going down during a call like that with tcpdump or wireshark.
Last edited by acid_kewpie; 12-08-2008 at 02:22 PM.

#13, 05-31-2011, 06:23 PM
Member, Original Poster (Registered: Sep 2007, Posts: 32)
Solved it. In fedora-ds (now 389-ds) you need to make an ldap group, then click the advanced button and add the class posixgroup to the group object. Group permissions work properly now.
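As an added example (not code from this thread or from 389-ds), a small offline Python check that encodes the diagnosis the thread arrived at: a group the console creates without the posixGroup objectClass never reaches getent group, a posixGroup without memberUid values is listed but id <user> shows no membership, and a gidNumber that clashes with a local /etc/group entry (post #12's hypothesis) gets shadowed. The LDIF and /etc/group lines are constructed samples; the base dc=elisa,dc=com is the one from the posted ldap.conf.

```python
import re
# Constructed sample (not from the thread): the group as first made in the 389-ds console, then with posixGroup added.
SAMPLE_LDIF = """\
dn: cn=engineering,ou=Groups,dc=elisa,dc=com
objectClass: groupOfUniqueNames
cn: engineering
uniqueMember: uid=alice,ou=People,dc=elisa,dc=com

dn: cn=engineering,ou=Groups,dc=elisa,dc=com
objectClass: groupOfUniqueNames
objectClass: posixGroup
cn: engineering
gidNumber: 500
memberUid: alice
memberUid: bob
"""
NSSWITCH_GROUP = "files ldap"                 # the "group:" line of nsswitch.conf
LOCAL_GROUP = ["root:x:0:", "staff:x:500:"]  # constructed /etc/group lines

def parse_ldif(text):
    """Minimal LDIF parser: blank-line separated entries, attribute -> [values]."""
    entries = []
    for block in re.split(r"\n\s*\n", text.strip()):
        entry = {}
        for line in block.splitlines():
            if line and not line.startswith("#"):
                attr, _, value = line.partition(":")
                entry.setdefault(attr.strip().lower(), []).append(value.strip())
        entries.append(entry)
    return entries

def check_group(entry, nsswitch_group, local_group_lines):
    """List the reasons nss_ldap would not expose this entry as a usable UNIX group."""
    problems = []
    if "ldap" not in nsswitch_group.split():
        problems.append("nsswitch.conf group line does not include ldap")
    classes = {c.lower() for c in entry.get("objectclass", [])}
    if "posixgroup" not in classes:  # uniqueMember DNs alone are ignored by the default nss_ldap mapping
        problems.append("no posixGroup objectClass: getent group will not list it")
    if "gidnumber" not in entry:
        problems.append("no gidNumber: the group cannot own a directory")
    if "memberuid" not in entry:
        problems.append("no memberUid values: id <user> will not show membership")
    gid = entry.get("gidnumber", [None])[0]
    for line in local_group_lines:  # post #12's hypothesis: local and remote gids clash
        name, _, local_gid, _ = line.split(":", 3)
        if gid is not None and local_gid == gid:
            problems.append(f"gid {gid} collides with local group '{name}' (files is consulted before ldap)")
    return problems
```

Run check_group over the output of ldapsearch saved as LDIF and the host's real nsswitch.conf and /etc/group to reproduce the same diagnosis on a live system.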