On Thu, 2008-05-08 at 08:43 +0200, Bas van der Vlies wrote:
> I have found the problem.  I am using 'memberNisNetgroup' attribute. If I 
> use the 'nisNetgroupTriple' attribute it is working.  In NIS you can 
> specify groups and triples to nisnetgroup. So the padl nss-ldap library 
> handles this correctly and nss-ldapd/netgroup utility  only parses the 
> 'nisNetgroupTriple' attribute.

Actually, the way I read rfc2307, a nisNetgroup object has the following
possible member-like attributes:
  nisNetgroupTriple
    which may only contain (user, host, domain) triples
  memberNisNetgroup
    which contain references to other netgroups that are a part of this
    netgroup
nss-ldapd should parse entries like this. So having triples in the
memberNisNetgroup attribute isn't supported.

If you also have the triples in the memberNisNetgroup (and you really
want to keep that), you could add
  map netgroup nisNetgroupTriple memberNisNetgroup
to /etc/nss-ldapd.conf. This is a bit of a hack and not really
recommended. It's better to fix the contents of the directory.

This setup may give you warnings about unparseable triples (where
references to other netgroups are entered) and will result in more LDAP
lookups than you would expect (for each triplet it will also try a
lookup as netgroup).

For more information, see:
  http://www.ietf.org/rfc/rfc2307.txt
  http://ldap.akbkhome.com/index.php/objectclass/nisNetgroup.html

-- 
-- arthur - [EMAIL PROTECTED] - http://people.debian.org/~adejong --

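One way to find the directory entries that need fixing, as an added example that is not part of the original message or of nss-ldapd: a small Python audit over an LDIF export that reports triples stored in memberNisNetgroup and netgroup names stored in nisNetgroupTriple. The sample LDIF, the DNs and the function names are constructed for illustration.

```python
import base64
import re

# Constructed sample LDIF (not from the thread); all names are illustrative.
SAMPLE_LDIF = """\
dn: cn=admins,ou=netgroup,dc=example,dc=com
objectClass: nisNetgroup
cn: admins
nisNetgroupTriple: (,alice,)
memberNisNetgroup: ops
memberNisNetgroup: (host1,,example.com)

dn: cn=ops,ou=netgroup,dc=example,dc=com
objectClass: nisNetgroup
cn: ops
nisNetgroupTriple: (host2,bob,example.com)
nisNetgroupTriple: admins
"""

# A triple is three comma-separated fields in parentheses; any field may be empty.
TRIPLE = re.compile(r"^\(\s*[^,()\s]*\s*,\s*[^,()\s]*\s*,\s*[^,()\s]*\s*\)$")

def parse_ldif(text):
    """Yield (dn, {lowercased attribute: [values]}) for each LDIF entry."""
    unfolded = re.sub(r"\n ", "", text)  # join folded continuation lines
    for block in re.split(r"\n\s*\n", unfolded.strip()):
        attrs = {}
        for line in block.splitlines():
            if line.startswith("#") or ":" not in line:
                continue
            name, _, value = line.partition(":")
            if value.startswith(":"):  # "attr:: <base64>" form
                value = base64.b64decode(value[1:]).decode("utf-8", "replace")
            attrs.setdefault(name.strip().lower(), []).append(value.strip())
        yield attrs.get("dn", [""])[0], attrs

def audit(text):
    """Return (dn, attribute, value) for each value stored under the wrong attribute."""
    findings = []
    for dn, attrs in parse_ldif(text):
        if "nisnetgroup" not in (v.lower() for v in attrs.get("objectclass", [])):
            continue
        # memberNisNetgroup must name another netgroup, never hold a triple.
        findings += [(dn, "memberNisNetgroup", v)
                     for v in attrs.get("membernisnetgroup", []) if v.startswith("(")]
        # nisNetgroupTriple must hold a well-formed triple, never a netgroup name.
        findings += [(dn, "nisNetgroupTriple", v)
                     for v in attrs.get("nisnetgrouptriple", []) if not TRIPLE.match(v)]
    return findings
```

Calling audit() on the text of an LDIF export returns one tuple per misplaced value, so an empty list means the netgroup entries follow the attribute split described above.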