getent / group / LDAP problem
Pat Riehecky
prieheck at iwu.edu
Fri May 30 19:33:23 UTC 2008
On Wed, 2008-05-28 at 13:51 -0400, Ryan Golhar wrote:
> Hi all,
>
> I have RHEL 5 running as an LDAP server, and am trying to configure a
> second server to mimic the first one. I have created multiple groups in
> LDAP and assigned various users to these groups. On the second server,
> running 'id' from the shell doesn't show those secondary groups.
What LDAP product are you using (openldap, FDS, Apache DS, etc.)?
>
> I thought there might be something wrong with nsswitch.conf, but 'getent
> group' is reporting the secondary groups and the users but with a 'x' in
> the second field:
RHEL provides a nifty lazy tool system-config-authentication which in my
experience works 100% of the time with LDAP. You may want to give it a
look for the setup bits, it eliminates typos and is all around
successful.
>
> users:x:500:user1,user2,user3
>
> whereas on the first server, I see:
>
> users:*:500:user1,user2,user3
> Why the difference in the second field?
This is just different shadow syntax; both of these point the password
field to gshadow, nothing to worry about.
>
> 'id' doesn't report the secondary groups either. 'id' on the first LDAP
> server shows something like:
>
> uid=501(golharam) gid=501(sansuser)
> groups=500(users),501(sansuser),85(cvs) context=user_u:system_r:unconfined_t
>
> On the second LDAP server, I get:
> uid=501(golharam) gid=500(users) groups=500(users)
> context=user_u:system_r:unconfined_t
>
> There should be a second group as 'cvs' with gid=85. Does anyone know
> why I wouldn't see secondary groups in my second LDAP server?
This very much depends on how exactly the entry is listed in your ldap database.
Pat
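The check the thread circles around is whether the directory's group entries reach NSS at all ('getent group' shows the member) and whether initgroups then picks them up ('id' shows the member). The following POSIX shell script is an added example and is not part of Pat's reply or Ryan's post; the getent-style lines and the id-style group list it feeds in are constructed stand-ins for the second server, and the function names (groups_of, missing_groups, verdict) are my own.

```shell
#!/bin/sh
# Added example (not from the original thread): compare the secondary groups
# NSS advertises through 'getent group' with what 'id -Gn' reports for the
# same account. All sample data below is constructed.

# Constructed stand-in for 'getent group' output on the second server.
# Both 'x' and '*' in field 2 mean "password kept in gshadow".
SAMPLE_GETENT='users:x:500:user1,user2,golharam
sansuser:x:501:
cvs:*:85:golharam,user2
wheel:x:10:user1'

# Constructed stand-in for 'id -Gn golharam' on the second server (cvs missing).
SAMPLE_ID='users'

# groups_of USER: read getent-style lines on stdin and print each group whose
# member field (field 4) lists USER, one group per line.
groups_of() {
  awk -F: -v u="$1" '{
    n = split($4, m, ",")
    for (i = 1; i <= n; i++) if (m[i] == u) print $1
  }'
}

# missing_groups USER GETENT_TEXT ID_GROUPS: print, space separated, the
# groups NSS lists for USER that the id-style group list does not contain.
missing_groups() {
  user=$1; getent_text=$2; id_groups=$3
  missing=""
  for g in $(printf '%s\n' "$getent_text" | groups_of "$user"); do
    case " $id_groups " in
      *" $g "*) ;;                   # id already shows this group
      *) missing="$missing $g" ;;    # advertised by NSS, absent from id
    esac
  done
  printf '%s' "${missing# }"
}

# verdict USER GETENT_TEXT ID_GROUPS: one-line diagnosis of where to look next.
verdict() {
  m=$(missing_groups "$1" "$2" "$3")
  if [ -z "$m" ]; then
    echo "ok: id and getent agree for $1"
  else
    echo "nss lists '$m' for $1 but id omits them: check initgroups/nsswitch and the group entries' member attributes"
  fi
}

# On a real host the same check would be:
#   verdict "$USER" "$(getent group)" "$(id -Gn "$USER")"
verdict golharam "$SAMPLE_GETENT" "$SAMPLE_ID"
```

If missing_groups prints nothing, NSS and id agree and the gap is in the directory entry itself (the group object does not list the user). If it prints a group, NSS can see the membership but the login path is not applying it, which points at the group/initgroups side of nsswitch.conf and the client's LDAP mapping rather than at the LDAP data.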