nss_ldap: id shows only primary group

R

reinhard

Hello!

FreeBSD 10.0-RELEASE, nss_ldap-1.265_9
/etc/nsswitch.conf
Code: 
group: files ldap
hosts: files dns
networks: files
passwd: files ldap
shells: files
services: compat
services_compat: nis
protocols: files
rpc: files

/usr/local/etc/ldap.conf
/usr/local/etc/nss_ldap.conf
Code: 
base dc=helmi,dc=ru
uri ldapi://%2fvar%2frun%2fopenldap%2fldapi/ ldap://127.0.0.1/ 
ldap_version 3
nss_base_group  ou=Groups,dc=helmi,dc=ru?one
nss_base_passwd ou=People,dc=helmi,dc=ru?one
nss_base_passwd ou=Computers,dc=helmi,dc=ru?one
nss_base_shadow ou=People,dc=helmi,dc=ru?one
port 389
scope one
timelimit 30
bind_policy soft
nss_connect_policy persist
idle_timelimit 3600


/usr/local/etc/openldap/slapd.conf
Code: 
include		/usr/local/etc/openldap/schema/core.schema
include         /usr/local/etc/openldap/schema/cosine.schema
include         /usr/local/etc/openldap/schema/inetorgperson.schema
include         /usr/local/etc/openldap/schema/misc.schema
include         /usr/local/etc/openldap/schema/nis.schema
include         /usr/local/etc/openldap/schema/openldap.schema
include         /usr/local/etc/openldap/schema/samba.schema
pidfile		/var/run/openldap/slapd.pid
argsfile	/var/run/openldap/slapd.args
modulepath	/usr/local/libexec/openldap
moduleload	back_bdb
database	bdb
suffix          "dc=helmi,dc=ru"
rootdn          "cn=Manager,dc=helmi,dc=ru"
rootpw          secret
directory	/var/db/openldap-data
index	objectClass	eq
index   cn              pres,sub,eq
index   sn              pres,sub,eq
index   uid             pres,sub,eq
index   displayName     pres,sub,eq
index   uidNumber               eq
index   gidNumber               eq
index   memberUID               eq
index   sambaSID                eq
index   sambaPrimaryGroupSID    eq
index   sambaDomainName         eq
index   default                 sub
syncrepl rid=000 
  provider=ldap://192.168.1.210
  type=refreshAndPersist
  retry="5 5 300 +" 
  searchbase="dc=helmi,dc=ru"
  attrs="*,+"
  bindmethod=simple
  binddn="uid=replicator,ou=People,dc=helmi,dc=ru"
  credentials=secret

getent group works ok:
Code: 
root@orkgw:/usr/local/etc # getent group bit
bit:*:1007:bit5,bit7,evil,bbs,org3,bit3,bit9,bit11,bit2,bit4,org2,bit8,bit2a,bit1,bit6,bit40,smiler,kta,bit12,alex,bit20,bit10,van,bitdirek

but id only shows primary group:
Code: 
root@orkgw:/usr/local/etc # id bit5
uid=1006(bit5) gid=1002(helmi) groups=1002(helmi)

I've found http://lists.freebsd.org/pipermail/freebsd-stable/2010-February/055424.html but uncommenting line #nss_map_attribute
uniqueMember member' does not help me. On FreeBSD 9.1-RELEASE with the same LDAP databse (master replica) id works OK.
Any suggestions?
 
Did you check for the presence of a local account named @bit5, or a local group named @bit? The nsswitch.conf says to look there first. It may have been accidentally created?
 
Last edited by a moderator:
SirDice said:
Did you check for the presence of a local account named @bit5, or a local group named @bit? The nsswitch.conf says to look there first. It may have been accidentally created?
Click to expand...

There is no @bit5 account and no @bit group in local files:
/etc/passwd
Code: 
root:*:0:0:Charlie &:/root:/bin/csh
toor:*:0:0:Bourne-again Superuser:/root:
daemon:*:1:1:Owner of many system processes:/root:/usr/sbin/nologin
operator:*:2:5:System &:/:/usr/sbin/nologin
bin:*:3:7:Binaries Commands and Source:/:/usr/sbin/nologin
tty:*:4:65533:Tty Sandbox:/:/usr/sbin/nologin
kmem:*:5:65533:KMem Sandbox:/:/usr/sbin/nologin
games:*:7:13:Games pseudo-user:/usr/games:/usr/sbin/nologin
news:*:8:8:News Subsystem:/:/usr/sbin/nologin
man:*:9:9:Mister Man Pages:/usr/share/man:/usr/sbin/nologin
sshd:*:22:22:Secure Shell Daemon:/var/empty:/usr/sbin/nologin
smmsp:*:25:25:Sendmail Submission User:/var/spool/clientmqueue:/usr/sbin/nologin
mailnull:*:26:26:Sendmail Default User:/var/spool/mqueue:/usr/sbin/nologin
bind:*:53:53:Bind Sandbox:/:/usr/sbin/nologin
unbound:*:59:59:Unbound DNS Resolver:/var/unbound:/usr/sbin/nologin
proxy:*:62:62:Packet Filter pseudo-user:/nonexistent:/usr/sbin/nologin
_pflogd:*:64:64:pflogd privsep user:/var/empty:/usr/sbin/nologin
_dhcp:*:65:65:dhcp programs:/var/empty:/usr/sbin/nologin
uucp:*:66:66:UUCP pseudo-user:/var/spool/uucppublic:/usr/local/libexec/uucp/uucico
pop:*:68:6:Post Office Owner:/nonexistent:/usr/sbin/nologin
auditdistd:*:78:77:Auditdistd unprivileged user:/var/empty:/usr/sbin/nologin
www:*:80:80:World Wide Web Owner:/nonexistent:/usr/sbin/nologin
hast:*:845:845:HAST unprivileged user:/var/empty:/usr/sbin/nologin
nobody:*:65534:65534:Unprivileged user:/nonexistent:/usr/sbin/nologin
alex:*:1001:1001:Alex:/home/alex:/usr/local/bin/bash
ldap:*:389:389:OpenLDAP Server:/nonexistent:/usr/sbin/nologin

/etc/group
Code: 
wheel:*:0:root,alex
daemon:*:1:
kmem:*:2:
sys:*:3:
tty:*:4:
operator:*:5:root
mail:*:6:
bin:*:7:
news:*:8:
man:*:9:
games:*:13:
ftp:*:14:
staff:*:20:
sshd:*:22:
smmsp:*:25:
mailnull:*:26:
guest:*:31:
bind:*:53:
unbound:*:59:
proxy:*:62:
authpf:*:63:
_pflogd:*:64:
_dhcp:*:65:
uucp:*:66:
dialer:*:68:
network:*:69:
audit:*:77:
www:*:80:
hast:*:845:
nogroup:*:65533:
nobody:*:65534:
alex:*:1001:
ldap:*:389:
 
Last edited by a moderator:
You must log in or register to reply here.
Back
Top