RV: Unix id command and Openldap

Hi

 

Does the id command works with a system using OPENLDAP authentication ?

I have implemented a server with openldap 2.3 and several clients use this system to authenticate

users, and works fine except that when I do a "id user" on a client  it only gives me the information of the primary

group which the user belongs to and not of the suplementary groups that he is also a member of in the LDAP server...

any ideas??

im sending you the /etc/ldap.conf and /etc/nsswitch.conf of the client.

thanks for your help



Saludos,

Oskar Kossuth
Administrador UNIX
ANTEL Telecomunicaciones


-----Mensaje original-----
De: openldap-technical-bounces+okossuth=antel.com.uy@... [mailto:openldap-technical-bounces+okossuth=antel.com.uy@...] En nombre de Andrew Findlay
Enviado el: Wednesday, December 17, 2008 2:00 PM
Para: Kossuth Espinosa, Oskar
CC: openldap-technical@...; claus.kick@...
Asunto: Re: Unix id command and Openldap

On Wed, Dec 17, 2008 at 02:20:40PM -0200, okossuth@... wrote:

> My problem is that I only see the primary group without the
> supplementary ones, whenever the groups are stored in the LDAP if the
> user is in the ldap server.

This sounds more like an NSS problem than a purely OpenLDAP one,
so you may get more help by posting to nssldap@....

Please post the 'passwd' and 'group' lines from /etc/nsswitch.conf
and also the /etc/ldap.conf file (with passwords obscured).

It would also be worth running slapd at debug level 768 and posting
what gets logged when you run the 'id' command.

Andrew
--
-----------------------------------------------------------------------
|                 From Andrew Findlay, Skills 1st Ltd                 |
| Consultant in large-scale systems, networks, and directory services |
|     http://www.skills-1st.co.uk/                +44 1628 782565     |
-----------------------------------------------------------------------

El   presente  correo   y   cualquier    posible   archivo   adjunto  está
dirigido  únicamente  al destinatario  del  mensaje y contiene información
que  puede ser  confidencial.  Si  Ud. no es el destinatario  correcto por
favor notifique al remitente respondiendo  anexando este mensaje y elimine
inmediatamente   el e-mail y los posibles archivos adjuntos al mismo de su
sistema. Está  prohibida  cualquier utilización,  difusión o copia de este
e-mail por   cualquier  persona  o  entidad  que  no  sean las específicas
destinatarias del  mensaje.  ANTEL  no acepta  ninguna responsabilidad con
respecto  a cualquier  comunicación  que  haya sido  emitida  incumpliendo
nuestra Política de Seguridad de la Información.
. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
This e-mail and any attachment is confidential and is  intended solely for
the addressee(s).  If you are not  intended  recipient  please  inform the
sender immediately,  answering  this  e-mail and  delete it as well as the
attached files. Any use, circulation or copy of this e-mail by  any person
or entity that is not the specific  addressee(s)  is prohibited.  ANTEL is
not  responsible  for  any  communication  emitted  without respecting our
Information Security Policy.

the "id" command works fine on our FreeBSD 6 and CentOS 4.x/5.x  
servers.  Make sure your /etc/nsswitch.conf says "passwd: files ldap"  
and "group: files ldap", or else id won't be searching ldap for ids  
and groups.

--

Patrick Wolfe
ADP Employease
770-325-7724



On Dec 22, 2008, at 2:15 PM, <okossuth@...> wrote:

of course I have done that..
any other ideas?

Saludos,

Oskar Kossuth
Administrador UNIX
ANTEL Telecomunicaciones


-----Mensaje original-----
De: owner-nssldap@... [mailto:owner-nssldap@...] En nombre de Patrick Wolfe
Enviado el: Monday, December 22, 2008 5:04 PM
Para: Kossuth Espinosa, Oskar
CC: nssldap@...
Asunto: Re: [nssldap] RV: Unix id command and Openldap

the "id" command works fine on our FreeBSD 6 and CentOS 4.x/5.x  
servers.  Make sure your /etc/nsswitch.conf says "passwd: files ldap"  
and "group: files ldap", or else id won't be searching ldap for ids  
and groups.

--

Patrick Wolfe
ADP Employease
770-325-7724



On Dec 22, 2008, at 2:15 PM, <okossuth@...> wrote:

perhaps your installed "id" command doesn't support the nsswitch.conf  
file and it's associated library.  You might need to recompile it.  
What distro and version of UNIX are you using?


--

Patrick Wolfe
ADP Employease
770-325-7724



On Dec 22, 2008, at 3:14 PM, <okossuth@...> wrote:

I'm using suse linux enterprise server 10 SP1


Saludos,

Oskar Kossuth
Administrador UNIX
ANTEL Telecomunicaciones


-----Mensaje original-----
De: Patrick Wolfe [mailto:pwolfe@...]
Enviado el: Monday, December 22, 2008 5:23 PM
Para: Kossuth Espinosa, Oskar
CC: pwolfe@...; nssldap@...
Asunto: Re: [nssldap] RV: Unix id command and Openldap

perhaps your installed "id" command doesn't support the nsswitch.conf  
file and it's associated library.  You might need to recompile it.  
What distro and version of UNIX are you using?


--

Patrick Wolfe
ADP Employease
770-325-7724



On Dec 22, 2008, at 3:14 PM, <okossuth@...> wrote:

I have one SLES 10 SP2 VM configured with ldap authentication, and the  
"id" command works just fine.  My /etc/nsswitch.conf "passwd" and  
"group" lines are set to "compat", not "files ldap".


--

Patrick Wolfe
ADP Employease
770-325-7724



On Dec 22, 2008, at 3:47 PM, <okossuth@...> wrote:

Oh, and the last line of /etc/passwd is:

+::::::

and the last line of /etc/group is:

+:::


--

Patrick Wolfe
ADP Employease
770-325-7724



On Dec 22, 2008, at 3:57 PM, Patrick Wolfe wrote:

I normally have to use "id -a <username>" in order to get the
supplementary groups in the output (Debian Linux).

  Andy

On Mon, 22 Dec 2008, Patrick Wolfe wrote:

On Mon, 22 Dec 2008, Patrick Wolfe wrote:

> I have one SLES 10 SP2 VM configured with ldap authentication, and the "id"
> command works just fine.  My /etc/nsswitch.conf "passwd" and "group" lines
> are set to "compat", not "files ldap".

If you are using "compat", then the "+:..." lines in /etc/passwd and
/etc/group are appropriate (they are what signal the lookup in LDAP for
the compat method). If you're using "files ldap" then you don't need the
"+..." lines.

For the OP, what do "getent passwd" and "getent group" return?

Steve
----------------------------------------------------------------------------
Steve Thompson                 E-mail:      smt AT vgersoft DOT com
Voyager Software LLC           Web:         http://www DOT vgersoft DOT com
39 Smugglers Path              VSW Support: support AT vgersoft DOT com
Ithaca, NY 14850
   "186,300 miles per second: it's not just a good idea, it's the law"
----------------------------------------------------------------------------

Hi guys

getent passwd and getent group work fine, I get the list of users and groups of the ldap server. getent group only shows me ldap groups without users belonging to those groups
like  the group mysql defined only in the ldap server:

mysql:*:4620:

My only problem is getting the secondary groups via id or groups.
Starting the ldap server with debugging I saw a possible cause:

conn=50 op=0 BIND dn="" method=128
conn=50 op=0 RESULT tag=97 err=0 text=
conn=50 op=1 SRCH base="ou=Grupos,ou=Teleinformatica,dc=vmlx-ldapauth-test,dc=in.iantel.com.uy" scope=2 deref=0 filter="(&(objectClass=posixGroup))"
conn=50 op=1 SRCH attr=cn userPassword memberUid uniqueMember gidNumber
conn=50 op=1 ENTRY dn="cn=jbossgrp,ou=grupos,ou=teleinformatica,dc=vmlx-ldapauth-test,dc=in.iantel.com.uy"

it seems that when i do a id -a jbosstest ( a user that is defined in the ldap server)
it searchs the ou=Grupos where the groups are defined but it only uses the
filter  ="(&(objectClass=posixGroup))"..
is that the problem???

Saludos,

Oskar Kossuth
Administrador UNIX
ANTEL Telecomunicaciones


-----Mensaje original-----
De: owner-nssldap@... [mailto:owner-nssldap@...] En nombre de Steve Thompson
Enviado el: Monday, December 22, 2008 7:39 PM
Para: nssldap@...
Asunto: Re: [nssldap] RV: Unix id command and Openldap

On Mon, 22 Dec 2008, Patrick Wolfe wrote:

> I have one SLES 10 SP2 VM configured with ldap authentication, and the "id"
> command works just fine.  My /etc/nsswitch.conf "passwd" and "group" lines
> are set to "compat", not "files ldap".

If you are using "compat", then the "+:..." lines in /etc/passwd and
/etc/group are appropriate (they are what signal the lookup in LDAP for
the compat method). If you're using "files ldap" then you don't need the
"+..." lines.

For the OP, what do "getent passwd" and "getent group" return?

Steve
----------------------------------------------------------------------------
Steve Thompson                 E-mail:      smt AT vgersoft DOT com
Voyager Software LLC           Web:         http://www DOT vgersoft DOT com
39 Smugglers Path              VSW Support: support AT vgersoft DOT com
Ithaca, NY 14850
   "186,300 miles per second: it's not just a good idea, it's the law"
----------------------------------------------------------------------------

El   presente  correo   y   cualquier    posible   archivo   adjunto  está
dirigido  únicamente  al destinatario  del  mensaje y contiene información
que  puede ser  confidencial.  Si  Ud. no es el destinatario  correcto por
favor notifique al remitente respondiendo  anexando este mensaje y elimine
inmediatamente   el e-mail y los posibles archivos adjuntos al mismo de su
sistema. Está  prohibida  cualquier utilización,  difusión o copia de este
e-mail por   cualquier  persona  o  entidad  que  no  sean las específicas
destinatarias del  mensaje.  ANTEL  no acepta  ninguna responsabilidad con
respecto  a cualquier  comunicación  que  haya sido  emitida  incumpliendo
nuestra Política de Seguridad de la Información.
. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
This e-mail and any attachment is confidential and is  intended solely for
the addressee(s).  If you are not  intended  recipient  please  inform the
sender immediately,  answering  this  e-mail and  delete it as well as the
attached files. Any use, circulation or copy of this e-mail by  any person
or entity that is not the specific  addressee(s)  is prohibited.  ANTEL is
not  responsible  for  any  communication  emitted  without respecting our
Information Security Policy.

On Tue, 23 Dec 2008, okossuth@... wrote:

Which objectclass are you expecting it to use?  posixGroup is the standard
objectclass for these groups.

  Andy

When I set my SLES 10 SP2 VM to use "passwd: files ldap" and "group:  
files ldap" and delete the "+:..." lines from /etc/passwd and /etc/
group, the id command fails to do ldap lookups, just like the original  
poster.

getent passwd and getent group return the entire local + ldap  
listings.  Looks like the "id" command isn't nsswitch.conf aware on  
SLES.

--

Patrick Wolfe
ADP Employease
770-325-7724



On Dec 22, 2008, at 5:38 PM, Steve Thompson wrote:

On my SLES 10 SP2 server, the 'id' command is using NSS. I validated it via the following command:
strace -f id 2>&1 | grep nss

You do have the nss_ldap package installed, right?

-- Jon Miller

yep

never mind.  I found my problem.  needed to turn off NSCD  (service nscd stop).  Now the id and strace command work as expected.

I'm running SLES10 SP1 and I get nothing too...

vmlx-lamp-intg:/home/okossuth # strace -f id 2>&1 | grep nss
vmlx-lamp-intg:/home/okossuth #

what is going on??

Saludos,

Oskar Kossuth
Administrador UNIX
ANTEL Telecomunicaciones


-----Mensaje original-----
De: owner-nssldap@... [mailto:owner-nssldap@...] En nombre de Patrick Wolfe
Enviado el: Tuesday, December 23, 2008 4:07 PM
Para: Jon Miller
CC: Patrick Wolfe; Steve Thompson; nssldap@...
Asunto: Re: [nssldap] RV: Unix id command and Openldap

yep

susetest1:~ # rpm -qa nss_ldap
nss_ldap-259-4.3


When I run the strace command you mentioned, I get nothing:

susetest1:~ # strace -f id 2>&1 | grep nss
susetest1:~ #

Are you running SLES 10?


--

Patrick Wolfe
ADP Employease
770-325-7724



On Dec 23, 2008, at 1:57 PM, Jon Miller wrote:


        On my SLES 10 SP2 server, the 'id' command is using NSS. I validated it via the following command:
        strace -f id 2>&1 | grep nss
       
        You do have the nss_ldap package installed, right?
       
        -- Jon Miller
       
       
        On Tue, Dec 23, 2008 at 1:12 PM, Patrick Wolfe <pwolfe@...> wrote:
       

                When I set my SLES 10 SP2 VM to use "passwd: files ldap" and "group: files ldap" and delete the "+:..." lines from /etc/passwd and /etc/group, the id command fails to do ldap lookups, just like the original poster.
               
                getent passwd and getent group return the entire local + ldap listings.  Looks like the "id" command isn't nsswitch.conf aware on SLES.


                --
               
                Patrick Wolfe
                ADP Employease
                770-325-7724
               
               
               
               
                On Dec 22, 2008, at 5:38 PM, Steve Thompson wrote:
               
               

                        On Mon, 22 Dec 2008, Patrick Wolfe wrote:
                       
                       

                                I have one SLES 10 SP2 VM configured with ldap authentication, and the "id" command works just fine.  My /etc/nsswitch.conf "passwd" and "group" lines are set to "compat", not "files ldap".
                               


                        If you are using "compat", then the "+:..." lines in /etc/passwd and /etc/group are appropriate (they are what signal the lookup in LDAP for the compat method). If you're using "files ldap" then you don't need the "+..." lines.
                       
                        For the OP, what do "getent passwd" and "getent group" return?
                       
                        Steve
                        ----------------------------------------------------------------------------
                        Steve Thompson                 E-mail:      smt AT vgersoft DOT com
                        Voyager Software LLC           Web:         http://www DOT vgersoft DOT com
                        39 Smugglers Path              VSW Support: support AT vgersoft DOT com
                        Ithaca, NY 14850
                         "186,300 miles per second: it's not just a good idea, it's the law"
                        ----------------------------------------------------------------------------
                       
                       
                       





El   presente  correo   y   cualquier    posible   archivo   adjunto  está
dirigido  únicamente  al destinatario  del  mensaje y contiene información
que  puede ser  confidencial.  Si  Ud. no es el destinatario  correcto por
favor notifique al remitente respondiendo  anexando este mensaje y elimine
inmediatamente   el e-mail y los posibles archivos adjuntos al mismo de su
sistema. Está  prohibida  cualquier utilización,  difusión o copia de este
e-mail por   cualquier  persona  o  entidad  que  no  sean las específicas
destinatarias del  mensaje.  ANTEL  no acepta  ninguna responsabilidad con
respecto  a cualquier  comunicación  que  haya sido  emitida  incumpliendo
nuestra Política de Seguridad de la Información.
. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
This e-mail and any attachment is confidential and is  intended solely for
the addressee(s).  If you are not  intended  recipient  please  inform the
sender immediately,  answering  this  e-mail and  delete it as well as the
attached files. Any use, circulation or copy of this e-mail by  any person
or entity that is not the specific  addressee(s)  is prohibited.  ANTEL is
not  responsible  for  any  communication  emitted  without respecting our
Information Security Policy.

Me too hehe, I switched off nscd and I got

vmlx-lamp-intg:/home/okossuth # strace -f id 2>&1 | grep nss
open("/etc/nsswitch.conf", O_RDONLY)    = 3
read(3, "#\n# /etc/nsswitch.conf\n#\n# An ex"..., 4096) = 1264
open("/lib/libnss_ldap.so.2", O_RDONLY) = 3
read(3, "Name\n#nss_map_attribute gidNumbe"..., 4096) = 1902
open("/lib/libnss_files.so.2", O_RDONLY) = 3
open("/lib/libnss_dns.so.2", O_RDONLY)  = 3
vmlx-lamp-intg:/home/okossuth #

still id does not show any secondary groups:

vmlx-lamp-intg:/home/okossuth # id jbosstest
uid=7000(jbosstest) gid=7002(ldaptest) groups=7002(ldaptest)
vmlx-lamp-intg:/home/okossuth #

Saludos,

Oskar Kossuth
Administrador UNIX
ANTEL Telecomunicaciones


-----Mensaje original-----
De: owner-nssldap@... [mailto:owner-nssldap@...] En nombre de Patrick Wolfe
Enviado el: Tuesday, December 23, 2008 4:10 PM
Para: Patrick Wolfe
CC: Jon Miller; Steve Thompson; nssldap@...
Asunto: Re: [nssldap] RV: Unix id command and Openldap

never mind.  I found my problem.  needed to turn off NSCD  (service nscd stop).  Now the id and strace command work as expected.


--

Patrick Wolfe
ADP Employease
770-325-7724



On Dec 23, 2008, at 2:06 PM, Patrick Wolfe wrote:


        yep

        susetest1:~ # rpm -qa nss_ldap
        nss_ldap-259-4.3


        When I run the strace command you mentioned, I get nothing:

        susetest1:~ # strace -f id 2>&1 | grep nss
        susetest1:~ #

        Are you running SLES 10?
       
       
       
       
       

        --

        Patrick Wolfe
        ADP Employease
        770-325-7724



        On Dec 23, 2008, at 1:57 PM, Jon Miller wrote:


                On my SLES 10 SP2 server, the 'id' command is using NSS. I validated it via the following command:
                strace -f id 2>&1 | grep nss
               
                You do have the nss_ldap package installed, right?
               
                -- Jon Miller
               
               
                On Tue, Dec 23, 2008 at 1:12 PM, Patrick Wolfe <pwolfe@...> wrote:
               

                        When I set my SLES 10 SP2 VM to use "passwd: files ldap" and "group: files ldap" and delete the "+:..." lines from /etc/passwd and /etc/group, the id command fails to do ldap lookups, just like the original poster.
                       
                        getent passwd and getent group return the entire local + ldap listings.  Looks like the "id" command isn't nsswitch.conf aware on SLES.


                        --
                       
                        Patrick Wolfe
                        ADP Employease
                        770-325-7724
                       
                       
                       
                       
                        On Dec 22, 2008, at 5:38 PM, Steve Thompson wrote:
                       
                       

                                On Mon, 22 Dec 2008, Patrick Wolfe wrote:
                               
                               

                                        I have one SLES 10 SP2 VM configured with ldap authentication, and the "id" command works just fine.  My /etc/nsswitch.conf "passwd" and "group" lines are set to "compat", not "files ldap".
                                       


                                If you are using "compat", then the "+:..." lines in /etc/passwd and /etc/group are appropriate (they are what signal the lookup in LDAP for the compat method). If you're using "files ldap" then you don't need the "+..." lines.
                               
                                For the OP, what do "getent passwd" and "getent group" return?
                               
                                Steve
                                ----------------------------------------------------------------------------
                                Steve Thompson                 E-mail:      smt AT vgersoft DOT com
                                Voyager Software LLC           Web:         http://www DOT vgersoft DOT com
                                39 Smugglers Path              VSW Support: support AT vgersoft DOT com
                                Ithaca, NY 14850
                                 "186,300 miles per second: it's not just a good idea, it's the law"
                                ----------------------------------------------------------------------------
                               
                               
                               






El   presente  correo   y   cualquier    posible   archivo   adjunto  está
dirigido  únicamente  al destinatario  del  mensaje y contiene información
que  puede ser  confidencial.  Si  Ud. no es el destinatario  correcto por
favor notifique al remitente respondiendo  anexando este mensaje y elimine
inmediatamente   el e-mail y los posibles archivos adjuntos al mismo de su
sistema. Está  prohibida  cualquier utilización,  difusión o copia de este
e-mail por   cualquier  persona  o  entidad  que  no  sean las específicas
destinatarias del  mensaje.  ANTEL  no acepta  ninguna responsabilidad con
respecto  a cualquier  comunicación  que  haya sido  emitida  incumpliendo
nuestra Política de Seguridad de la Información.
. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
This e-mail and any attachment is confidential and is  intended solely for
the addressee(s).  If you are not  intended  recipient  please  inform the
sender immediately,  answering  this  e-mail and  delete it as well as the
attached files. Any use, circulation or copy of this e-mail by  any person
or entity that is not the specific  addressee(s)  is prohibited.  ANTEL is
not  responsible  for  any  communication  emitted  without respecting our
Information Security Policy.

It is not supposed to use a filter like this:

(&(objectclass=posixgroup)(uniquemember=cn=jbosstest, ou=Usuarios,ou=Teleinformatica,dc=vmlx-ldapauth-test,dc=in.iantel.com.uy))

uniquemember or memberUid or member could be used for secondary groups right?

Saludos,

Oskar Kossuth
Administrador UNIX
ANTEL Telecomunicaciones


-----Mensaje original-----
De: Andrew Morgan [mailto:morgan@...]
Enviado el: Tuesday, December 23, 2008 2:26 PM
Para: Kossuth Espinosa, Oskar
CC: smt@...; nssldap@...
Asunto: RE: [nssldap] RV: Unix id command and Openldap

On Tue, 23 Dec 2008, okossuth@... wrote:

Which objectclass are you expecting it to use?  posixGroup is the standard
objectclass for these groups.

  Andy

El   presente  correo   y   cualquier    posible   archivo   adjunto  está
dirigido  únicamente  al destinatario  del  mensaje y contiene información
que  puede ser  confidencial.  Si  Ud. no es el destinatario  correcto por
favor notifique al remitente respondiendo  anexando este mensaje y elimine
inmediatamente   el e-mail y los posibles archivos adjuntos al mismo de su
sistema. Está  prohibida  cualquier utilización,  difusión o copia de este
e-mail por   cualquier  persona  o  entidad  que  no  sean las específicas
destinatarias del  mensaje.  ANTEL  no acepta  ninguna responsabilidad con
respecto  a cualquier  comunicación  que  haya sido  emitida  incumpliendo
nuestra Política de Seguridad de la Información.
. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
This e-mail and any attachment is confidential and is  intended solely for
the addressee(s).  If you are not  intended  recipient  please  inform the
sender immediately,  answering  this  e-mail and  delete it as well as the
attached files. Any use, circulation or copy of this e-mail by  any person
or entity that is not the specific  addressee(s)  is prohibited.  ANTEL is
not  responsible  for  any  communication  emitted  without respecting our
Information Security Policy.

Hi

Could you send me your client's ldap.conf and your  server's slapd.conf to see
if I have something wrong?

thanks!

Saludos,

Oskar Kossuth
Administrador UNIX
ANTEL Telecomunicaciones

-----Mensaje original-----
De: Patrick Wolfe [mailto:pwolfe@...]
Enviado el: Monday, December 22, 2008 5:57 PM
Para: Kossuth Espinosa, Oskar
CC: pwolfe@...; nssldap@...
Asunto: Re: [nssldap] RV: Unix id command and Openldap

I have one SLES 10 SP2 VM configured with ldap authentication, and the  
"id" command works just fine.  My /etc/nsswitch.conf "passwd" and  
"group" lines are set to "compat", not "files ldap".


--

Patrick Wolfe
ADP Employease
770-325-7724



On Dec 22, 2008, at 3:47 PM, <okossuth@...> wrote:

sure, why not.  Note:  I've removed the passwords from slapd.conf,  
plus we have a couple of other programs integrated (sudo, freeradius  
sendmail) so you might not need the exact same list of schemas.  Also,  
to protect user passwords otherwise sent in cleartext, we use LDAPS  
(SSL) to encrypt the ldap sessions.  We have our own internal SSL CA  
where we issue certificates to our ldap servers.  Our clients only  
trust openldap servers which have certificates that were issued by our  
own CA as an added protection.














On Dec 26, 2008, at 7:30 AM, <okossuth@...> <okossuth@...
 > wrote: