LinuxQuestions.org
Welcome to the most active Linux Forum on the web.
Go Back   LinuxQuestions.org > Forums > Linux Forums > Linux - Server
User Name
Password
Linux - Server This forum is for the discussion of Linux Software used in a server related context.

Notices


Reply
  Search this Thread
Old 12-02-2008, 01:00 PM   #1
Hosferatu
Member
 
Registered: Sep 2007
Posts: 32

Rep: Reputation: 15
LDAP Groups not useable


I am running fedorads on redhat enterprise 5. I want to have a directory accessible by certain ldap users. I made a group in fedorads and added the members but i get the error "group doesn't exist" when trying to make a directory owned by that group. How do i get the machine to read ldap group entries as well as users? or am i going about this the wrong way?
 
Old 12-02-2008, 01:24 PM   #2
acid_kewpie
Moderator
 
Registered: Jun 2001
Location: UK
Distribution: Gentoo, RHEL, Fedora, Centos
Posts: 43,417

Rep: Reputation: 1981Reputation: 1981Reputation: 1981Reputation: 1981Reputation: 1981Reputation: 1981Reputation: 1981Reputation: 1981Reputation: 1981Reputation: 1981Reputation: 1981
if the user side is fine, then there's presumably just a missing option in /etc/nsswitch.conf to use ldap for groups as well as passwd. failing that then I would expect you're not looking for the right attributes in ldap to identify a group. does "getent group" show you anything interesting?
 
Old 12-02-2008, 01:41 PM   #3
Hosferatu
Member
 
Registered: Sep 2007
Posts: 32

Original Poster
Rep: Reputation: 15
under group in nsswitch.conf it shows "files ldap". When i use "getent group" it shows all the local system groups but not the ones on the ldap server.
 
Old 12-02-2008, 03:02 PM   #4
acid_kewpie
Moderator
 
Registered: Jun 2001
Location: UK
Distribution: Gentoo, RHEL, Fedora, Centos
Posts: 43,417

Rep: Reputation: 1981Reputation: 1981Reputation: 1981Reputation: 1981Reputation: 1981Reputation: 1981Reputation: 1981Reputation: 1981Reputation: 1981Reputation: 1981Reputation: 1981
ok, and getent passwd does show all the ldap users? show us your ldap.conf
 
Old 12-02-2008, 04:14 PM   #5
Hosferatu
Member
 
Registered: Sep 2007
Posts: 32

Original Poster
Rep: Reputation: 15
getent passwd does show all users.

Here is the uncommented version of ldap.conf:
Code:
base dc=elisa,dc=com
timelimit 120
bind_timelimit 120
idle_timelimit 3600
uri ldap://192.168.0.4/
ssl no
tls_cacertdir /etc/openldap/cacerts
pam_password md5
 
Old 12-02-2008, 04:24 PM   #6
acid_kewpie
Moderator
 
Registered: Jun 2001
Location: UK
Distribution: Gentoo, RHEL, Fedora, Centos
Posts: 43,417

Rep: Reputation: 1981Reputation: 1981Reputation: 1981Reputation: 1981Reputation: 1981Reputation: 1981Reputation: 1981Reputation: 1981Reputation: 1981Reputation: 1981Reputation: 1981
what does an ldapsearch of your groups look like? you are using posixgroup objectClass's right?
 
Old 12-04-2008, 10:26 AM   #7
Hosferatu
Member
 
Registered: Sep 2007
Posts: 32

Original Poster
Rep: Reputation: 15
I didn't see any posix options when i made the group with the gui. So i assume it isn't a posix group. how would i go about creating one or giving the current one posix attributes?
 
Old 12-04-2008, 11:39 AM   #8
acid_kewpie
Moderator
 
Registered: Jun 2001
Location: UK
Distribution: Gentoo, RHEL, Fedora, Centos
Posts: 43,417

Rep: Reputation: 1981Reputation: 1981Reputation: 1981Reputation: 1981Reputation: 1981Reputation: 1981Reputation: 1981Reputation: 1981Reputation: 1981Reputation: 1981Reputation: 1981
my ldap isn't as hot as it needs to be, but ldap groups aren't unix groups. with an ldap group, the members of it will have a number of memberOf attributes listing those groups. this would equate to the "other" unix groups. what you want is an objecttype of "posixGroup", as opposed to "user" or "posixUser". This group then becomes associated as the main group of the user, with it's own gid etc.
 
Old 12-08-2008, 11:45 AM   #9
Hosferatu
Member
 
Registered: Sep 2007
Posts: 32

Original Poster
Rep: Reputation: 15
I have created a posixgroup that now shows up as a group. However, the members of the group still have no access to group directories. The directories permissions are set for group read, write and execute, but when trying to view the contents it still says permission denied. when i use "getent group" it shows the group with the complete list of memberids. I'm not sure what i should do now to get the permissions working correctly.
 
Old 12-08-2008, 01:01 PM   #10
acid_kewpie
Moderator
 
Registered: Jun 2001
Location: UK
Distribution: Gentoo, RHEL, Fedora, Centos
Posts: 43,417

Rep: Reputation: 1981Reputation: 1981Reputation: 1981Reputation: 1981Reputation: 1981Reputation: 1981Reputation: 1981Reputation: 1981Reputation: 1981Reputation: 1981Reputation: 1981
do both ls -l and id <username> show the groups?
 
Old 12-08-2008, 01:16 PM   #11
Hosferatu
Member
 
Registered: Sep 2007
Posts: 32

Original Poster
Rep: Reputation: 15
ls -l shows the correct group, but id USERNAME shows that the user is not part of the group.
 
Old 12-08-2008, 01:21 PM   #12
acid_kewpie
Moderator
 
Registered: Jun 2001
Location: UK
Distribution: Gentoo, RHEL, Fedora, Centos
Posts: 43,417

Rep: Reputation: 1981Reputation: 1981Reputation: 1981Reputation: 1981Reputation: 1981Reputation: 1981Reputation: 1981Reputation: 1981Reputation: 1981Reputation: 1981Reputation: 1981
do you have local and remote group names with different gid's maybe? the id command would certainly pull it back to a genuine point of reference though. you might want to check what ldap activity is going down during a call like that with tcpdump or wireshark.

Last edited by acid_kewpie; 12-08-2008 at 01:22 PM.
 
Old 05-31-2011, 05:23 PM   #13
Hosferatu
Member
 
Registered: Sep 2007
Posts: 32

Original Poster
Rep: Reputation: 15
Solved it. In fedora-ds (now 389-ds) you need to make an ldap group, then click the advanced button and add the class posixgroup to the group object. Group permissions work properly now.
 
  


Reply


Thread Tools Search this Thread
Search this Thread:

Advanced Search

Posting Rules
You may not post new threads
You may not post replies
You may not post attachments
You may not edit your posts

BB code is On
Smilies are On
[IMG] code is Off
HTML code is Off



Similar Threads
Thread Thread Starter Forum Replies Last Post
webmin open ldap users and groups talkinggoat Linux - Software 0 01-24-2007 12:53 PM
can't authenticate to ldap from apache using groups rem1986 Linux - Server 0 09-01-2006 11:56 AM
storing groups on ldap server Clemente Mandriva 0 12-30-2003 08:42 AM
LDAP Groups u4113072 Linux - Software 0 10-31-2002 07:30 PM

LinuxQuestions.org > Forums > Linux Forums > Linux - Server

All times are GMT -5. The time now is 04:43 AM.

Main Menu
Advertisement
My LQ
Write for LQ
LinuxQuestions.org is looking for people interested in writing Editorials, Articles, Reviews, and more. If you'd like to contribute content, let us know.
Main Menu
Syndicate
RSS1  Latest Threads
RSS1  LQ News
Twitter: @linuxquestions
Facebook: linuxquestions Google+: linuxquestions
Open Source Consulting | Domain Registration