uniquemember attribute issue

Hi, first time poster here and new to everything nssldap.

The ldap.conf file on our RHEL boxes has the following entry:

    nss_map_objectclass posixAccount User
    nss_map_attribute uid msSFUName
    nss_map_attribute userPassword msSFUPassword
    nss_map_attribute homeDirectory msSFUHomeDirectory
    nss_map_objectclass posixGroup Group
    nss_map_attribute cn msSFUName
    nss_map_attribute uniqueMember memberUid

In our setup the memberUid in Active Directory is not being populated anymore. Everything is pretty much being automated. When a new user is created in a group in the nss_base_group object, he will not appear when issuing "getent group groupname".

Obviously this is to be expected, as the memberUid field is not populated. An LDAP query shows that the user is specified in the Member object. When I change the uniqueMember attribute to Member, the new user is revealed when issuing "getent group groupname".

However, the few users in the group who still have their memberUid set (the way it used to be done) appear twice. Why is that, and how can I get unique results from just the member object?

Hope it all makes sense.

Cheers

Re: uniquemember attribute issue

Hi Guy,

you need to use "msSFU30posixmember" instead of "memberuid". This does get populated. In this case your nss_ldap needs to be compiled with rfc2307bis support.

Best
Dan

PS: If you plan to migrate to R2 in the not too distant future, watch out, there are migration issues.

2008/3/10, Defryn, Guy <G.P.Defryn@...>:

Re: uniquemember attribute issue

Hi Dan,

I was wondering if you know the answer to this:

I've worked in Windows AD environments where I've implemented libnss-ldap on the Linux side and MSSFU 3.5 on the Windows side. At one point, when you would use ADUC to modify a group's membership (via the Unix Attributes tab) and add a user (who already had their Unix stuff enabled via the same tab for the user), the group would add the attribute 'memberUid' with a value of the person you added. I downloaded a copy of Windows Server 2003 (demo version from Microsoft, 6 month trial), installed MSSFU 3.5, and when I did the steps mentioned above, it worked the same way (a new memberUID attribute was added to the group with the value being the person added).

So to save money, I bought a copy of Windows 2003 Small Business Server. Installed it, put on MSSFU 3.5, and when I went to add users to my new Unix group, memberuid was no longer used; instead it uses msSFU30PosixMember and puts the full CN of the user in there. So I thought Small Business Server just did it differently than the Standard version. So I just ordered a copy of Windows 2003 Server R2 SP2 Standard. I got it, installed it, installed just the NIS server from MSSFU35 to get the extra tab in ADUC, and to my disappointment, it did the same thing as Small Business Server by not using memberUID.

Is it possible to use msSFU30PosixMember? If so, can you send me an example of your ldap.conf/libnss-ldap.conf with the proper mappings to make it work?
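
The situation in this thread, as an added example that is not part of any post: a Python audit that compares a group's memberUid values with its DN-valued member attribute (or msSFU30PosixMember via `dn_attr`), showing the repeated name a plain merge produces and the accounts a memberUid-only lookup would miss. The directory entries, DNs and function names are constructed for illustration; this models the data, not nss_ldap's own code.

```python
# Added example: every directory entry below is constructed sample data.
USERS = {  # user DN -> attributes, as an LDAP search would return them
    "CN=Alice Example,OU=People,DC=example,DC=test": {"msSFUName": ["alice"]},
    "CN=Bob Example,OU=People,DC=example,DC=test": {"msSFUName": ["bob"]},
    "CN=Carol Example,OU=People,DC=example,DC=test": {},  # no Unix attributes
}
GROUP = {
    "msSFUName": ["devs"],
    "memberUid": ["alice"],  # legacy value, no longer maintained
    "member": [
        "CN=Alice Example,OU=People,DC=example,DC=test",
        "CN=Bob Example,OU=People,DC=example,DC=test",
        "CN=Carol Example,OU=People,DC=example,DC=test",
    ],
}

def resolve_dns(dns, users, uid_attr="msSFUName"):
    """Map member DNs to login names; return (names, unresolved DNs)."""
    index = {dn.lower(): attrs for dn, attrs in users.items()}  # DNs compare case-insensitively
    names, unresolved = [], []
    for dn in dns:
        values = index.get(dn.lower(), {}).get(uid_attr, [])
        if values:
            names.append(values[0])
        else:
            unresolved.append(dn)  # member without a Unix login name
    return names, unresolved

def audit_group(group, users, dn_attr="member"):
    """Compare memberUid with the DN-valued attribute and build one unique list."""
    by_uid = group.get("memberUid", [])
    by_dn, unresolved = resolve_dns(group.get(dn_attr, []), users)
    naive = by_uid + by_dn               # plain concatenation keeps repeats
    merged = list(dict.fromkeys(naive))  # order-preserving de-duplication
    return {
        "naive": naive,
        "merged": merged,
        "duplicates": sorted({n for n in naive if naive.count(n) > 1}),
        "only_in_dn_attr": sorted(set(by_dn) - set(by_uid)),
        "only_in_memberUid": sorted(set(by_uid) - set(by_dn)),
        "unresolved": unresolved,
    }

if __name__ == "__main__":
    for key, value in audit_group(GROUP, USERS).items():
        print(f"{key}: {value}")
```

Names listed under `only_in_dn_attr` are the members a memberUid-only mapping hides from `getent group`, which matters wherever group membership gates access on the Linux side.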