OK, I managed to get at least group memberships (somehow working):

# getent group testers users; id john.doe
testers:*:5001:cn=Dummy,uid=john.doe,ou=People,dc=marcher,dc=name
users:*:5000:cn=Dummy,uid=john.doe,ou=People,dc=marcher,dc=name
uid=1000(john.doe) gid=5000(users) groups=5000(users)

Now, why doesn't it work so that I just have john.doe as a member but
instead the full DN of the LDAP object?

Still looking for ideas :)

thanks,
martin

2009/3/11 Martin <mar...@marcher.name>:
> Hi,
>
> 2009/3/4 Dave Ewart <da...@ceu.ox.ac.uk>:
>> You don't explicitly mention this, so I'll just drop this in here:
>> typically, you need to set both pam_groupdn and pam_member_attribute in
>> /etc/pam_ldap.conf
>
> I have set that:
>
> # egrep -v '^$|^#' /etc/pam_ldap.conf
> base dc=marcher,dc=name
> uri ldap://localhost
> ldap_version 3
> pam_groupdn cn=testers,ou=Group,dc=marcher,dc=name
> pam_member_attribute member
> pam_password exop
> nss_schema rfc2307bis
> nss_map_attribute member memberUid
>
> Also these are the infos I'm getting from pam_ldap right now. I start
> to think I'm in the wrong place with my config (pam_ldap is the right
> place, not nss-ldap.conf, right?).
>
>
> Anyone with ideas?
>
> # getent group|grep 500
> users:*:5000:john.doe
> testers:*:5001:
>
> # getent passwd|grep john
> john.doe:x:1000:5000:,,,:/home/exuser:/bin/bash
>
> # ldapsearch -LLL -x '(gidnumber=*)'
> dn: uid=john.doe,ou=People,dc=marcher,dc=name
> uid: john.doe
> cn: Example User
> objectClass: account
> objectClass: posixAccount
> objectClass: hostObject
> objectClass: authorizedServiceObject
> objectClass: top
> objectClass: shadowAccount
> loginShell: /bin/bash
> uidNumber: 1000
> homeDirectory: /home/exuser
> gecos: ,,,
> host: *
> authorizedService: *
> gidNumber: 5000
>
> dn: cn=users,ou=Group,dc=marcher,dc=name
> gidNumber: 5000
> objectClass: groupOfNames
> objectClass: top
> objectClass: posixGroup
> member: cn=Dummy
> member: uid=john.doe,ou=People,dc=marcher,dc=name
> cn: users
> memberUid: john.doe
>
> dn: cn=testers,ou=Group,dc=marcher,dc=name
> objectClass: groupOfNames
> objectClass: top
> objectClass: posixGroup
> cn: testers
> member: cn=Dummy
> member: uid=john.doe,ou=People,dc=marcher,dc=name
> gidNumber: 5001
>
>
> --
> http://soup.alt.delete.co.at
> http://www.xing.com/profile/Martin_Marcher
> http://www.linkedin.com/in/martinmarcher
>
> You are not free to read this message,
> by doing so, you have violated my licence
> and are required to urinate publicly. Thank you.
>
> Please avoid sending me Word or PowerPoint attachments.
> See http://www.gnu.org/philosophy/no-word-attachments.html
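In the quoted ldapsearch output, cn=testers lists john.doe only as a DN-valued member, with no memberUid, and the quoted getent output shows testers with no members. The following check for that mismatch is an added example, not part of the original message; the function names are hypothetical and the LDIF is constructed from the group entries quoted above.

```python
# Added example: per posixGroup, find users present as a DN in `member` but absent from `memberUid`.
SAMPLE_LDIF = """\
dn: cn=users,ou=Group,dc=marcher,dc=name
gidNumber: 5000
objectClass: groupOfNames
objectClass: posixGroup
member: cn=Dummy
member: uid=john.doe,ou=People,dc=marcher,dc=name
cn: users
memberUid: john.doe

dn: cn=testers,ou=Group,dc=marcher,dc=name
objectClass: groupOfNames
objectClass: posixGroup
cn: testers
member: cn=Dummy
member: uid=john.doe,ou=People,dc=marcher,dc=name
gidNumber: 5001
"""

def parse_ldif(text):
    """Parse simple LDIF (no base64, no folded lines) into a list of attr -> values dicts."""
    entries = []
    for block in text.strip().split("\n\n"):
        entry = {}
        for line in block.splitlines():
            attr, sep, value = line.partition(": ")
            if sep and not line.startswith("#"):
                entry.setdefault(attr.lower(), []).append(value)
        if entry:
            entries.append(entry)
    return entries

def uid_from_dn(dn):
    """Return the uid value if the DN's first RDN is uid=..., else None (e.g. cn=Dummy)."""
    rdn = dn.split(",", 1)[0]
    key, _, value = rdn.partition("=")
    return value if key.strip().lower() == "uid" and value else None

def membership_gaps(entries):
    """Map group cn -> sorted uids listed as DN in `member` but missing from `memberUid`."""
    gaps = {}
    for e in entries:
        if "posixgroup" not in [c.lower() for c in e.get("objectclass", [])]:
            continue
        by_dn = {u for u in map(uid_from_dn, e.get("member", [])) if u}
        by_uid = set(e.get("memberuid", []))
        gaps[e["cn"][0]] = sorted(by_dn - by_uid)
    return gaps
```

Calling membership_gaps(parse_ldif(...)) on the output of ldapsearch -LLL reports, per group, which accounts would be visible through one attribute but not the other.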