topic Re: LDAP netgroup problem in Operating System - HP-UX

LDAP netgroup problem

alec pringle — Wed, 02 Mar 2005 12:56:19 GMT

I have configured my LDAP client to connect to Sun Directory Server and this works OK. However, I would now like to use netgroups which is where I'm having trouble. To do this I've changed the following files

/etc/nsswitch.conf (has the following edits):

passwd: compat
passwd_compat: ldap
netgroup: files ldap

/etc/passwd (has the following entry at the end):

+@testgrp

/etc/pam.conf (has the following edits):

login account required /usr/lib/security/libpam_authz.1 debug

(this is repeated for each entry in Authentication management)

...and I have created a netgroup on my LDAP server with the nisnetgrouptriple:
(server,username,domain)

I know the LDAP server netgroup entry is set up OK, as I can access it from a solaris client (although obviously with a different triple).

When I try to connect, my syslog shows entries like:
login: pam_authenticate: error No account present for user
login: exiting with return code 13

..but I can confirm that the LDAP client connects fine if I back out the netgroup change. By the way I have tried restarting the LDAP client just in case there is a caching issue. I'm stuck where to go next with this, has anyone got any ideas?

Re: LDAP netgroup problem

RAC_1 — Wed, 02 Mar 2005 13:47:24 GMT

hoe does the group directive in /etc/nsswitch.conf look like?? Does it point to ldap??

Is this client a hp-ux machine?? If yes can you do "grget -n testgrp"

Anil

Re: LDAP netgroup problem

alec pringle — Thu, 03 Mar 2005 04:57:31 GMT

OK,

nsswitch.conf has the following entry for group

group: files ldap

the grget works OK if I run grget -n staff, and returns:

staff:*:10

This response is definitely from LDAP as the group only exists in the directory. Note that testgrp is a netgroup and not a unix group and so doesn't return anything from grget. I can confirm that this is an HP-UX client that I am having difficulty with, the other client that I have successfully configured to use netgroups is a Solaris one.

I have tried pwget and nsquery commands for an LDAP user, but this returns nothing which could be the root of the problem. If I change the entry for passwd in nsswitch.conf back to:

passwd: files ldap

..then the pwget and nsquery commands work fine.

Re: LDAP netgroup problem

LEGOLL Patrick — Thu, 03 Mar 2005 05:12:56 GMT

We had the same problem and it was because the cn was stored in upper case in the ldap directory.
A snoop from the server side helped us to identify the origin of the problem.

Re: LDAP netgroup problem

alec pringle — Thu, 03 Mar 2005 05:59:10 GMT

Thanks,

the cn is definitely in lowercase, the same as in my /etc/passwd file so I think that is OK. A snoop isn't giving me too much unfortunately as I'm running over SSL. I've tried running the beq tool (from /opt/ldapux/contrib/bin) which shows I've got a problem. If I use this to query a group for example it returns OK:

./beq -k n -s grp -l /usr/lib/libnss_ldap.1 staff
nss_status .............. NSS_SUCCESS
gr_name...........(staff)
gr_passwd.........(*)
gr_gid............(10)
gr_mem
()

but if I try and query netgroup in a similar way

./beq -k n -s ngp -l /usr/lib/libnss_ldap.1 tempgrp
nss_status .............. NSS_TRY_AGAIN
NETGROUP - did not find ({},{},{}) in {tempgrp}

I have checked that my profile is pointing to the right place for netgroups.

Re: LDAP netgroup problem

RAC_1 — Thu, 03 Mar 2005 06:33:00 GMT

Is /etc/logingroup file linked to /etc/group??

Anil

Re: LDAP netgroup problem

alec pringle — Thu, 03 Mar 2005 07:22:54 GMT

there is no logingroup, I have tried creating this (as a hard link) but this hasn't sorted the problem.

Re: LDAP netgroup problem

RAC_1 — Thu, 03 Mar 2005 08:22:10 GMT

Is there a ldap command that you can use to resolve a netgroup entry from client?? If there is one, run and you should be able to resolve testgrp from client.

Anil

Re: LDAP netgroup problem

alec pringle — Thu, 03 Mar 2005 09:32:53 GMT

there is the utility /opt/ldapux/contrib/bin/beq, however this goes straight to the libraries and doesn't query nsswitch.conf. I can now successfully get a reply using this:

unixdev03:bin # ./beq -k n -s ngp -l /usr/lib/libnss_ldap.1 testgrp
nss_status .............. NSS_SUCCESS aka NSS_NETGR_FOUND
NETGROUP - found ({},{},{}) in {testgrp}

...however I can't see my user from an nsquery:

unixdev03:bin # nsquery passwd pringlea

Using "compat" for the passwd policy.

Searching compat for pringlea
pringlea was NOTFOUND

Switch configuration: Allows fallback

All name services have been searched

...even though my nsswitch.conf and passwd files look OK.

I'm wondering if the problem is with the LDAP netgroup itself. There is a migration script for NIS to LDAP in /opt/ldapux/migrate/migrate_netgroup.pl, which adds the field memberNisNetGroup, and I don't have this field in my netgroup testgrp. I've tried adding it and putting in the full location of the user, but this hasn't resolved the problem. Does anyone know the syntax for this field (does it need to be the full cn, does it need brackets etc)

Re: LDAP netgroup problem

RAC_1 — Thu, 03 Mar 2005 09:38:09 GMT

Can you post whole of your nsswitch.conf??
passwd directive should be as follows.

passwd : file [NOTFOUND=continue] ldap

Anil

Re: LDAP netgroup problem

alec pringle — Thu, 03 Mar 2005 09:58:34 GMT

my nsswitch.conf is attached. In order to read /etc/passwd I need to have the entry

passwd: compat
passwd_compat: ldap

Re: LDAP netgroup problem

RAC_1 — Thu, 03 Mar 2005 12:48:00 GMT

I think you do not neeed as follows.
passwd : compact
passwd_compact : ldap

You just need one entry.
passwd : files [NOTFOUND=continue] ldap

Anil

Re: LDAP netgroup problem

alec pringle — Thu, 03 Mar 2005 13:20:12 GMT

I tried that and it working - thanks for all your help today!

Re: LDAP netgroup problem

alec pringle — Thu, 03 Mar 2005 13:25:55 GMT

solution was to edit /etc/nsswitch.conf to read:

passwd: files [NOTFOUND=continue] ldap