Re: Problems with nss_ldap and group membership
- From: Nalin Dahyabhai <nalin redhat com>
- To: fedora-test-list redhat com
- Subject: Re: Problems with nss_ldap and group membership
- Date: Fri, 7 May 2004 14:30:54 -0400
On Fri, May 07, 2004 at 09:58:26AM -0400, Gary Molenkamp wrote:
> I'm testing nss_ldap under FC2t3 and have run into a problem with using
> groups under nss_ldap.
>
> In my ldap server I have:
>
> cn=A,ou=Person,dc=example,dc=com
> uidNumber: 130000
> gidNumber: 130000
>
> cn=A,ou=Group,dc=example,dc=com
> gidNumber: 130000
>
> cn=App_users,ou=Group,dc=example,dc=com
> gidNumber: 1000
> MemberUID: 130000
>
> I have nsswitch.conf, /etc/pam.d/sshd, etc. configured to allow logins,
> such that:
> getent passwd A
> A:x:130000:500::/home/A:/bin/bash
>
> getent group A
> A:x:130000:
>
> getent group App_users
> App_users:x:1000:130000
>
> The problem is with file access control based on group membership, i.e.:
>
> drwxrwx--- root App_users /tmp/testing/
>
> is not searchable by user A. Changing group membership of the directory
> to A's primary group works, as does changing ownership of the directory to
> A.
>
> Have I missed something?
The "memberUid" attribute of your posixGroup object should contain the
user's login name (the "uid" attribute of the user's posixAccount object,
not its "uidNumber" attribute). Change "memberUid: 130000" to
"memberUid: A", and it should work.
HTH,
Nalin
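The mismatch above is easy to reintroduce whenever groups are provisioned by a script that has a numeric id handy. As an added example (not code from the thread, nss_ldap or Red Hat), the script below parses a constructed LDIF that mirrors the entries in the post, flags every posixGroup memberUid that is not a known posixAccount uid, tells apart the two failure modes (a value that is really a uidNumber, as in the post, and a name with no account at all), and emits the LDIF modify operations that swap the numeric value for the login name. The parser is a minimal one written for this example; the "B" member and the `ou=Person`/`ou=Group` layout are assumptions taken from the post, not a real directory.

```python
"""Check posixGroup memberUid values against posixAccount login names.

Added example for this thread; the LDIF is constructed, not real data.
"""
import re

# Constructed sample directory content mirroring the post. "memberUid: 130000"
# reproduces the mistake in the post (a uidNumber instead of a login name);
# "memberUid: B" is an added case with no matching account at all.
SAMPLE_LDIF = """\
dn: cn=A,ou=Person,dc=example,dc=com
objectClass: posixAccount
cn: A
uid: A
uidNumber: 130000
gidNumber: 130000

dn: cn=A,ou=Group,dc=example,dc=com
objectClass: posixGroup
cn: A
gidNumber: 130000

dn: cn=App_users,ou=Group,dc=example,dc=com
objectClass: posixGroup
cn: App_users
gidNumber: 1000
memberUid: 130000
memberUid: B
"""


def parse_ldif(text):
    """Minimal LDIF parser: returns a list of (dn, {attr_lower: [values]}).

    Attribute names are lower-cased because LDAP treats them case-insensitively.
    Base64 (':: ') values and line continuations are not handled; the sample
    does not use them.
    """
    entries = []
    for block in re.split(r"\n\s*\n", text.strip()):
        dn, attrs = None, {}
        for line in block.splitlines():
            if not line.strip() or line.startswith("#"):
                continue
            key, _, value = line.partition(":")
            key, value = key.strip().lower(), value.strip()
            if key == "dn":
                dn = value
            else:
                attrs.setdefault(key, []).append(value)
        if dn is not None:
            entries.append((dn, attrs))
    return entries


def has_class(attrs, name):
    return name.lower() in (c.lower() for c in attrs.get("objectclass", []))


def check_groups(entries):
    """Return [(group_dn, bad_memberuid, suggested_login_name_or_None)].

    A memberUid is only valid if it equals the "uid" of some posixAccount.
    If the bad value equals an account's uidNumber, the suggestion is that
    account's login name; otherwise the suggestion is None.
    """
    login_names = set()
    name_by_uidnumber = {}
    for _dn, attrs in entries:
        if not has_class(attrs, "posixAccount"):
            continue
        for uid in attrs.get("uid", []):
            login_names.add(uid)
            for num in attrs.get("uidnumber", []):
                name_by_uidnumber[num] = uid
    problems = []
    for dn, attrs in entries:
        if not has_class(attrs, "posixGroup"):
            continue
        for member in attrs.get("memberuid", []):
            if member not in login_names:
                problems.append((dn, member, name_by_uidnumber.get(member)))
    return problems


def corrective_ldif(problems):
    """Emit LDIF 'changetype: modify' records that replace each numeric
    memberUid with the matching login name. Members with no known account
    are skipped; those need a human decision, not an automatic edit."""
    records = []
    for dn, bad, good in problems:
        if good is None:
            continue
        records.append(
            f"dn: {dn}\nchangetype: modify\n"
            f"delete: memberUid\nmemberUid: {bad}\n-\n"
            f"add: memberUid\nmemberUid: {good}\n-\n"
        )
    return "\n".join(records)


if __name__ == "__main__":
    found = check_groups(parse_ldif(SAMPLE_LDIF))
    for dn, bad, good in found:
        hint = f"use memberUid: {good}" if good else "no such posixAccount"
        print(f"{dn}: memberUid {bad!r} is not a login name ({hint})")
    print(corrective_ldif(found))
```

The emitted LDIF can be fed to `ldapmodify -x -D <admin dn> -W -f <file>` against the server; afterwards `getent group App_users` should list `A` rather than `130000`, and `id A` should show gid 1000 among the supplementary groups.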