[SOLVED] LDAP Groups not useable

Hosferatu · 12-02-2008, 01:00 PM

I am running fedorads on redhat enterprise 5. I want to have a directory accessible by certain ldap users. I made a group in fedorads and added the members but i get the error "group doesn't exist" when trying to make a directory owned by that group. How do i get the machine to read ldap group entries as well as users? or am i going about this the wrong way?

acid_kewpie · 12-02-2008, 01:24 PM

if the user side is fine, then there's presumably just a missing option in /etc/nsswitch.conf to use ldap for groups as well as passwd. failing that then I would expect you're not looking for the right attributes in ldap to identify a group. does "getent group" show you anything interesting?

Hosferatu · 12-02-2008, 01:41 PM

under group in nsswitch.conf it shows "files ldap". When i use "getent group" it shows all the local system groups but not the ones on the ldap server.

acid_kewpie · 12-02-2008, 03:02 PM

ok, and getent passwd does show all the ldap users? show us your ldap.conf

Hosferatu · 12-02-2008, 04:14 PM

getent passwd does show all users.

Here is the uncommented version of ldap.conf:

Code:

base dc=elisa,dc=com
timelimit 120
bind_timelimit 120
idle_timelimit 3600
uri ldap://192.168.0.4/
ssl no
tls_cacertdir /etc/openldap/cacerts
pam_password md5

acid_kewpie · 12-02-2008, 04:24 PM

what does an ldapsearch of your groups look like? you are using posixgroup objectClass's right?

Hosferatu · 12-04-2008, 10:26 AM

I didn't see any posix options when i made the group with the gui. So i assume it isn't a posix group. how would i go about creating one or giving the current one posix attributes?

acid_kewpie · 12-04-2008, 11:39 AM

my ldap isn't as hot as it needs to be, but ldap groups aren't unix groups. with an ldap group, the members of it will have a number of memberOf attributes listing those groups. this would equate to the "other" unix groups. what you want is an objecttype of "posixGroup", as opposed to "user" or "posixUser". This group then becomes associated as the main group of the user, with it's own gid etc.

Hosferatu · 12-08-2008, 11:45 AM

I have created a posixgroup that now shows up as a group. However, the members of the group still have no access to group directories. The directories permissions are set for group read, write and execute, but when trying to view the contents it still says permission denied. when i use "getent group" it shows the group with the complete list of memberids. I'm not sure what i should do now to get the permissions working correctly.

acid_kewpie · 12-08-2008, 01:01 PM

do both ls -l and id <username> show the groups?

Hosferatu · 12-08-2008, 01:16 PM

ls -l shows the correct group, but id USERNAME shows that the user is not part of the group.

acid_kewpie · 12-08-2008, 01:21 PM

do you have local and remote group names with different gid's maybe? the id command would certainly pull it back to a genuine point of reference though. you might want to check what ldap activity is going down during a call like that with tcpdump or wireshark.

Hosferatu · 05-31-2011, 05:23 PM

Solved it. In fedora-ds (now 389-ds) you need to make an ldap group, then click the advanced button and add the class posixgroup to the group object. Group permissions work properly now.