[plug] Strange LDAP issues

Craig Ringer craig at postnewspapers.com.au
Tue May 31 15:17:47 WST 2005


On Tue, 2005-05-31 at 10:21 +0800, Timothy White wrote:
> Ok, So it appears that I have some of the LDAP working now.
> I can login as a user in LDAP.
> The problem was here in the pam_ldap.conf file
> ---
> # The distinguished name to bind to the server with
> # if the effective user ID is root. Password is
> # stored in /etc/ldap.secret (mode 600)
> rootbinddn cn=admin,dc=white,dc=lan
> ---
> I needed to comment out the rootbinddn part.

Er... I did tell you you didn't really need rootbinddn set when we were
setting things up; it's only really important if you want the PAM
password tools to work. If you do set it, you must also have the secret
file containing the correct bind password.

I could've sworn we avoided setting it.

> Ok, now I have a few more problems. Firstly groups.
> family is an LDAP group. dwhite and rwhite are ldap users, tim is a
> flat file user.
> $ getent group family
> family:x:10000:
> /home$ vdir
> ...
> drwxr-xr-x   2 dwhite   10000  4096 2005-05-31 10:17 dwhite
> drwxr-xr-x  15 rwhite   10000  4096 2005-05-30 20:19 rwhite
> drwxr-xr-x  31 tim    tim      4096 2005-05-31 10:16 tim
> dwhite at camiroi:~$ groups
> id: cannot find name for group ID 10000
> 10000
> ---
> As you can see group names aren't being resolved even though nss sees
> it fine afaiks.

That's very interesting, and I haven't seen that before. What's the
output of:

ldapsearch -x '(objectClass=posixGroup)'

?

What's odd is that `id' appears to use nss, just like getent does. I'd
really expect it to see the group if it shows up OK in `getent'. Weird.

> Also I'd like a way to add ldap users to standard unix groups. For
> example tim is in  'dialout cdrom floppy audio dip video scanner' and
> I'd like all users to be in that group. Is there an easy way to do
> this without adding each user?

Just list the LDAP users in /etc/group under the appropriate groups. Be
aware that this could confuse poorly behaved tools that don't use
nss/PAM, and could also confuse NSS/PAM tools if LDAP is down.

-- 
Craig Ringer
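An added check, not part of this thread or of pam_ldap itself, for the rootbinddn/secret-file mismatch Craig describes: it reads a pam_ldap.conf and, when an active (uncommented) rootbinddn line is present, verifies that the secret file exists, is non-empty and has mode 600. Both paths are passed in as arguments (a real box would use /etc/pam_ldap.conf and /etc/ldap.secret); the `stat -c` call assumes GNU coreutils.

```shell
#!/bin/sh
# check_rootbinddn CONF SECRET
# Returns 0 when the configuration is consistent (no rootbinddn, or
# rootbinddn plus a usable secret file) and 1 when rootbinddn is set
# but the secret file is missing, empty, or readable by other users.
check_rootbinddn() {
    conf="$1"      # path to pam_ldap.conf (assumed; /etc/pam_ldap.conf in practice)
    secret="$2"    # path to the bind secret (assumed; /etc/ldap.secret in practice)
    # Only lines where rootbinddn is the first token count; '#rootbinddn' is ignored.
    dn=$(sed -n 's/^[[:space:]]*rootbinddn[[:space:]][[:space:]]*//p' "$conf" | head -n 1)
    if [ -z "$dn" ]; then
        echo "rootbinddn not set: PAM binds anonymously, no secret file needed"
        return 0
    fi
    if [ ! -s "$secret" ]; then
        echo "rootbinddn '$dn' is set but $secret is missing or empty"
        return 1
    fi
    mode=$(stat -c %a "$secret")   # GNU stat; prints octal permission bits
    if [ "$mode" != "600" ]; then
        echo "rootbinddn '$dn' is set but $secret has mode $mode, expected 600"
        return 1
    fi
    echo "rootbinddn '$dn' is set and $secret is present with mode 600"
    return 0
}
```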
