Operating System - HP-UX

SOLVED
alec pringle
Frequent Advisor

LDAP netgroup problem

I have configured my LDAP client to connect to Sun Directory Server and this works OK. However, I would now like to use netgroups which is where I'm having trouble. To do this I've changed the following files

/etc/nsswitch.conf (has the following edits):

passwd: compat
passwd_compat: ldap
netgroup: files ldap

/etc/passwd (has the following entry at the end):

+@testgrp

/etc/pam.conf (has the following edits):

login account required /usr/lib/security/libpam_authz.1 debug

(this is repeated for each entry in Authentication management)

...and I have created a netgroup on my LDAP server with the nisnetgrouptriple:
(server,username,domain)

I know the LDAP server netgroup entry is set up OK, as I can access it from a solaris client (although obviously with a different triple).

When I try to connect, my syslog shows entries like:
login: pam_authenticate: error No account present for user
login: exiting with return code 13

..but I can confirm that the LDAP client connects fine if I back out the netgroup change. By the way I have tried restarting the LDAP client just in case there is a caching issue. I'm stuck where to go next with this, has anyone got any ideas?


13 REPLIES
RAC_1
Honored Contributor

Re: LDAP netgroup problem

How does the group directive in /etc/nsswitch.conf look? Does it point to ldap?

Is this client an HP-UX machine? If yes, can you do "grget -n testgrp"?

Anil
There is no substitute to HARDWORK
alec pringle
Frequent Advisor

Re: LDAP netgroup problem

OK,

nsswitch.conf has the following entry for group

group: files ldap

the grget works OK if I run grget -n staff, and returns:

staff:*:10

This response is definitely from LDAP, as the group only exists in the directory. Note that testgrp is a netgroup and not a unix group, and so doesn't return anything from grget. I can confirm that this is an HP-UX client that I am having difficulty with; the other client that I have successfully configured to use netgroups is a Solaris one.

I have tried the pwget and nsquery commands for an LDAP user, but this returns nothing, which could be the root of the problem. If I change the entry for passwd in nsswitch.conf back to:

passwd: files ldap

..then the pwget and nsquery commands work fine.
LEGOLL Patrick
New Member

Re: LDAP netgroup problem

We had the same problem and it was because the cn was stored in upper case in the ldap directory.
A snoop from the server side helped us to identify the origin of the problem.
alec pringle
Frequent Advisor

Re: LDAP netgroup problem

Thanks,

The cn is definitely in lowercase, the same as in my /etc/passwd file, so I think that is OK. A snoop isn't giving me much, unfortunately, as I'm running over SSL. I've tried running the beq tool (from /opt/ldapux/contrib/bin), which shows I've got a problem. If I use this to query a group, for example, it returns OK:


./beq -k n -s grp -l /usr/lib/libnss_ldap.1 staff
nss_status .............. NSS_SUCCESS
gr_name...........(staff)
gr_passwd.........(*)
gr_gid............(10)
gr_mem
()

but if I try and query netgroup in a similar way

./beq -k n -s ngp -l /usr/lib/libnss_ldap.1 tempgrp
nss_status .............. NSS_TRY_AGAIN
NETGROUP - did not find ({},{},{}) in {tempgrp}

I have checked that my profile is pointing to the right place for netgroups.

RAC_1
Honored Contributor

Re: LDAP netgroup problem

Is the /etc/logingroup file linked to /etc/group?

Anil
There is no substitute to HARDWORK
alec pringle
Frequent Advisor

Re: LDAP netgroup problem

There is no logingroup; I have tried creating this (as a hard link), but this hasn't sorted the problem.
RAC_1
Honored Contributor

Re: LDAP netgroup problem

Is there an LDAP command that you can use to resolve a netgroup entry from the client? If there is one, run it and you should be able to resolve testgrp from the client.

Anil
There is no substitute to HARDWORK
alec pringle
Frequent Advisor

Re: LDAP netgroup problem

There is the utility /opt/ldapux/contrib/bin/beq; however, this goes straight to the libraries and doesn't query nsswitch.conf. I can now successfully get a reply using this:

unixdev03:bin # ./beq -k n -s ngp -l /usr/lib/libnss_ldap.1 testgrp
nss_status .............. NSS_SUCCESS aka NSS_NETGR_FOUND
NETGROUP - found ({},{},{}) in {testgrp}

...however I can't see my user from an nsquery:

unixdev03:bin # nsquery passwd pringlea

Using "compat" for the passwd policy.

Searching compat for pringlea
pringlea was NOTFOUND

Switch configuration: Allows fallback

All name services have been searched

...even though my nsswitch.conf and passwd files look OK.

I'm wondering if the problem is with the LDAP netgroup itself. There is a migration script for NIS to LDAP in /opt/ldapux/migrate/migrate_netgroup.pl, which adds the field memberNisNetGroup, and I don't have this field in my netgroup testgrp. I've tried adding it and putting in the full location of the user, but this hasn't resolved the problem. Does anyone know the syntax for this field (does it need to be the full cn, does it need brackets, etc.)?
RAC_1
Honored Contributor
Solution

Re: LDAP netgroup problem

Can you post the whole of your nsswitch.conf?
The passwd directive should be as follows.

passwd: files [NOTFOUND=continue] ldap

Anil
There is no substitute to HARDWORK
alec pringle
Frequent Advisor

Re: LDAP netgroup problem

my nsswitch.conf is attached. In order to read /etc/passwd I need to have the entry

passwd: compat
passwd_compat: ldap

RAC_1
Honored Contributor

Re: LDAP netgroup problem

I think you do not need the following.
passwd: compat
passwd_compat: ldap


You just need one entry.
passwd: files [NOTFOUND=continue] ldap

Anil
There is no substitute to HARDWORK
alec pringle
Frequent Advisor

Re: LDAP netgroup problem

I tried that and it is working - thanks for all your help today!
alec pringle
Frequent Advisor

Re: LDAP netgroup problem

solution was to edit /etc/nsswitch.conf to read:

passwd: files [NOTFOUND=continue] ldap
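The two nsswitch.conf forms discussed in this thread (the original poster's `passwd: compat` with `passwd_compat: ldap` and a `+@testgrp` line in /etc/passwd, and the accepted `passwd: files [NOTFOUND=continue] ldap`) differ in a way that is worth seeing side by side. The Python model below is an added example, not code from the thread and not HP-UX, LDAP-UX or libnss_ldap code; the host name unixdev03, the users, the nisNetgroup objects and their nisNetgroupTriple values are constructed sample data. It implements the switch's `[STATUS=action]` criteria, the compat source's handling of `+@netgroup` and `-@netgroup` lines, and innetgr-style triple matching in which an empty field is a wildcard and memberNisNetgroup references are followed, so it also shows what a triple such as `(server,username,domain)` from the original post has to contain for a given client to match.

```python
"""Model of the passwd name-service switch as discussed in the thread: 'passwd: compat'
with 'passwd_compat: ldap' and a '+@netgroup' line in /etc/passwd, versus 'passwd: files
[NOTFOUND=continue] ldap'.  Added example, not HP-UX, LDAP-UX or libnss_ldap code; all
users, netgroups and the host name below are constructed sample data."""
import re

HOST, DOMAIN = "unixdev03", ""            # this client's host name and NIS domain (assumed)
LOCAL_PASSWD = [                          # constructed /etc/passwd
    "root:*:0:3::/:/sbin/sh",
    "+@testgrp",                          # only the 'compat' source interprets this line
]
LDAP_USERS = {                            # constructed directory users
    "pringlea": "pringlea:*:1001:10:Alec Pringle:/home/pringlea:/usr/bin/sh",
    "mallory":  "mallory:*:1002:10:Not in any netgroup:/home/mallory:/usr/bin/sh",
}
LDAP_NETGROUPS = {                        # constructed nisNetgroup objects
    "testgrp":   {"nisNetgroupTriple": ["(unixdev03,pringlea,)"], "memberNisNetgroup": ["sysadmins"]},
    "sysadmins": {"nisNetgroupTriple": ["(,sysadm,)"], "memberNisNetgroup": []},  # any host
}

TRIPLE_RE = re.compile(r"^\(\s*([^,]*?)\s*,\s*([^,]*?)\s*,\s*([^,)]*?)\s*\)$")

def parse_triple(text):
    """'(host,user,domain)' -> 3-tuple; an empty field is kept as ''."""
    m = TRIPLE_RE.match(text.strip())
    if not m:
        raise ValueError(f"malformed nisNetgroupTriple: {text!r}")
    return m.groups()

def innetgr(netgroups, name, host, user, domain, _seen=None):
    """innetgr(3)-style test: '' in a triple field is a wildcard, '-' never matches;
    memberNisNetgroup references are followed and cycles are tolerated."""
    _seen = set() if _seen is None else _seen
    if name in _seen or name not in netgroups:
        return False
    _seen.add(name)
    entry = netgroups[name]
    for triple in entry.get("nisNetgroupTriple", []):
        fields = parse_triple(triple)
        if all(p != "-" and p in ("", v) for p, v in zip(fields, (host, user, domain))):
            return True
    return any(innetgr(netgroups, sub, host, user, domain, _seen)
               for sub in entry.get("memberNisNetgroup", []))

# nsswitch.conf source list with [STATUS=action] criteria; these are the default actions
DEFAULT_ACTIONS = {"SUCCESS": "return", "NOTFOUND": "continue",
                   "UNAVAIL": "continue", "TRYAGAIN": "continue"}

def parse_sources(spec):
    """'files [NOTFOUND=continue] ldap' -> [('files', actions), ('ldap', actions)]."""
    sources = []
    for tok in re.findall(r"\[[^\]]*\]|\S+", spec):
        if not tok.startswith("["):
            sources.append((tok, dict(DEFAULT_ACTIONS)))
            continue
        if not sources:
            raise ValueError("status criteria before any source")
        for crit in tok.strip("[]").split():
            status, _, action = crit.upper().partition("=")
            if status not in DEFAULT_ACTIONS or action not in ("RETURN", "CONTINUE"):
                raise ValueError(f"bad criterion: {crit!r}")
            sources[-1][1][status] = action.lower()
    return sources

def _query(source, user, cfg):
    """(status, passwd line or None) for one source, as the NSS backend would report it."""
    if source == "files":
        hit = [ln for ln in LOCAL_PASSWD if not ln.startswith(("+", "-")) and ln.split(":")[0] == user]
        return ("SUCCESS", hit[0]) if hit else ("NOTFOUND", None)
    if source == "ldap":
        line = LDAP_USERS.get(user)
        return ("SUCCESS", line) if line else ("NOTFOUND", None)
    if source == "compat":
        # +/- lines are honoured in file order; the netgroup lookup is simplified to the
        # LDAP map (a real client follows the 'netgroup' line of nsswitch.conf instead)
        compat_src = cfg.get("passwd_compat", "nis")
        for line in LOCAL_PASSWD:
            if line.startswith("-@") and innetgr(LDAP_NETGROUPS, line[2:], HOST, user, DOMAIN):
                return "NOTFOUND", None           # excluded; later '+' lines cannot re-admit
            if line.startswith("+"):
                admit = line in ("+", "+" + user) or (
                    line.startswith("+@") and innetgr(LDAP_NETGROUPS, line[2:], HOST, user, DOMAIN))
                if admit:
                    status, found = _query(compat_src, user, cfg)
                    if status == "SUCCESS":
                        return status, found
            elif line.split(":")[0] == user:
                return "SUCCESS", line
        return "NOTFOUND", None
    return "UNAVAIL", None                        # unknown or unconfigured source

def getpwnam(cfg, user):
    """Resolve `user` through cfg like {'passwd': 'compat', 'passwd_compat': 'ldap'}."""
    for source, actions in parse_sources(cfg["passwd"]):
        status, line = _query(source, user, cfg)
        if actions[status] == "return":
            return line
    return None
```

With the compat configuration, `getpwnam({"passwd": "compat", "passwd_compat": "ldap"}, "pringlea")` resolves only because the client's (unixdev03, pringlea, "") matches the testgrp triple; the same call for mallory, an LDAP user in no netgroup, returns None, and a triple naming a different host would also fail, which is why the Solaris client in the thread needed a different triple. With `{"passwd": "files [NOTFOUND=continue] ldap"}` both users resolve, since neither the files nor the ldap source consults the netgroup at all. The practical consequence of the accepted fix is therefore that restricting logins to netgroup members has to be enforced somewhere other than the passwd lookup, for example by the pam_authz module the original poster already lists in pam.conf; PAM is outside this model, as is /etc/netgroup.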