[389-users] getent group returns empty group list

John A. Sullivan III jsullivan at opensourcedevel.com
Sun Feb 14 01:34:40 UTC 2010


On Sat, 2010-02-13 at 16:58 -0500, John A. Sullivan III wrote:
> On Sat, 2010-02-13 at 12:11 -0800, Morris, Patrick wrote:
> > John A. Sullivan III wrote:
> > > Hello, all.  I'm having a miserable time getting CUPS to work with
> > > Directory Server for group authentication.  I think it is more
> > > fundamental than CUPS.  When I do getent group <groupname> to a local
> > > group, the result is populated with members.  However, if I do it for an
> > > LDAP group, the group is returned but with no members.  What would cause
> > > such behavior? Do I need something other than default NSS mappings?
> > >
> > > I am running CentOS Directory Server 8.1 on CentOS 5.4.  The client is
> > > running Debian Lenny.  Thanks - John
> > >   
> > 
> > The most likely reason is that how your system expects the groups to be 
> > set up (i.e, a list of usernames vs. a list of DNs, the objectClass to 
> > consider a Unix a group, etc.) does not match what your data actually 
> > looks like.
> > 
> > Without any data about how you've got things configured on the client 
> > and in the LDAp database, though, it's pretty hard to say where that 
> > disconnect might be.
> <snip>
> Any pointers to where to look, normal configurations, documents to read?
> We are a secure multi-tenant environment so various groups are in
> various portions of the tree.  This print server needs to service all
> clients and this is able to search from the root of the tree.  Thanks -
> John
<snip>
At long last I think I see it.  FDS has create groups with object class
groupofuniquenames to which we have added an objectclass of posixgroup
but it is only populated with uniquemember and not memberuid.  It looks
like I have two options:

1) Define nss_map_objectclass posixgroup groupofuniquenames:
This works for getent group but seems to make id hang.  I think this
also creates a problem in that the user groups, i.e., the posixgroup
created for each uid, will not be mapped.

2) Define all the memberuids in each group:
This means an extra administrative step (is there anyway to automate
this from the uniquemembers attribute?) and exposure to human error.

My guess is that option 2 is the correct way to go.  Is that true?
Thanks - John




More information about the 389-users mailing list