No group membership with LDAP-UX

 
Don Mallory
Trusted Contributor

Hi everyone,

I seem to have a strange little problem.

I have LDAP-UX 4.00.02 (on HP-UX 11.11) connecting to a W2K Active Directory; it's connecting over SSL. Kerberos is able to authenticate users.

pwget shows all the users and their groups.
nsquery shows the same.
ldapsearch shows the entire info about the user, including all of the msSFU30PosixMemberOf groups the user is a member of.

Here's the problem:
grget shows the groups, with no members.
nsquery group groupname shows the group, with no members.
Logging in as the user and executing id only shows the primary group from the passwd entry in the LDAP directory.

So, any ideas?

Thanks,
Don
Sameer_Nirmal
Honored Contributor

Re: No group membership with LDAP-UX

Hi,

This issue occurs because of an unmatched mapping of group members between the ldap-ux client and ADS.

Check the mapping used by the ldap-ux client with the command:
# /opt/ldapux/config/display_profile_cache

Change it to msSFU30PosixMember and check if you get result from grget.
Don Mallory
Trusted Contributor

Re: No group membership with LDAP-UX

Thanks to Eric Wilford at HP support for this answer (Solution 2 works for my needs):

Getting 'grget' & 'newgrp' to work w LDAP-UX when using Win2K ADS DocId: MJFKBRC00013049 Updated: 9/16/03 4:41:00 PM

PROBLEM
LDAP-UX client services (HP product J4269AA, version 3.1) has been installed
and configured to authenticate users and groups with a Windows 2000 Active
Directory. Users are able to login through the Active Directory, however,
after the user has logged in, the command grget -n is
not returning the list of members of the group, for example:

After adding a user (rouser1) to a group (group1), the user (rouser1) does not
appear in the group's (group1) member list when running the following command
on the LDAP-UX Client:

$ grget -n group1
it returns:

group1:*:21:



and the command newgrp prompts for a password as should be expected
when a user who is not a member of the target group tries to change its gid to
this new group. However, the user in this case is a valid member of the group.

What changes are required for the grget and the newgrp commands
to work properly when used with an LDAP-UX Client and a Windows 2000 Active
Directory?




CONFIGURATION
HP-UX 11.x
LDAP-UX Client Services, version 3.1
Microsoft Windows 2000 w Active Directory + SFU 3.0



RESOLUTION

This problem has to do with the different attributes of a group object in
Active Directory that can be used to represent group members. When one examines
the Properties of a group in Active Directory, for example by using the
Active Directory Users and Groups administration window, one will notice
that members can be added in several locations. In the Windows Domain, group
members are usually added under the Members tab, their names are then
added as values assigned to the member attribute. Members can also be
added under the UNIX Attributes tab. This adds their names as values
assigned to the msSFU30PosixMember attribute.


The ldap-ux client default mapping for members of a group as shown by the
output of the /opt/ldapux/config/display_profile_cache command is:


members: msSFU30memberuid

But the Microsoft Admin tool does not create (or modify) this attribute for
the group when users are added to the group. Instead, the attribute created
is msSFU30PosixMember. The ldap-ux client profile could be modified to
use the mapping:

members: msSFU30PosixMember

However, now the result is that the command:

$ grget -n group1

returns more than the userids; it returns the complete DN for each
user. For example:

$ grget -n group1

group1:*:105:CN=user1,CN=Users,DC=rome,DC=cup,DC=hp,DC=com,CN=user2,CN=Users,DC=rome,DC=cup,DC=hp,DC=com,CN=user3,CN=Users,DC=rome,DC=cup,DC=hp,DC=com,CN=user4,CN=Users,DC=rome,DC=cup,DC=hp,DC=com

So, the solution is either to use a different mapping, or to add the currently
mapped attribute, i.e. msSFU30memberuid, and its values to the group entry in
Active Directory. Here are the steps for each of the 2 possible solutions:


Solution 1
Add the msSFU30MemberUid attribute to the group entry


To change the group attribute locally on the Active Directory, you need to use
the ADSI Editor. This tool is a snap-in which is part of the Windows
2000 Support Tools. It is available from the Windows 2000 Server
Installation CD. Once this editor is installed, you can run it as follows:

1) Start --> Run... --> type mmc at the command prompt.
2) Once the Microsoft Management Console pops up, click on Console
in the top menu bar, and choose "Add/Remove Snap-in..."
3) In the Add/Remove Snap-in dialogue box, Click Add, and select
"ADSI Edit."
You can then use the Management Console to add user names to the
msSFU30MemberUid attribute one name at a time.

If you do not have access to the Microsoft Management Console you can change
the group attribute remotely using an ldap client tool. For example you can use
the command line tool ldapentry which is documented on page 84
of the Installing and Administering LDAP-UX Client Services - Edition 4,
Part Number J4269-90016. The ldapentry tool performs an ldapsearch
of the specified object and opens a vi session to let the user edit the
ldif entries. When changes have been saved, the user is asked if they want to
modify the entry. Answering 'y' causes ldapentry to update the LDAP
server (in this case, the Active Directory). Here's an example of an ldapentry
session to add the msSFU30memberuid attribute and its values
user1,user2,user3,user4 to group1 in Active Directory:

# cd /opt/ldapux/bin
# ./ldapentry -m -h brutus -D "cn=administrator,cn=users,dc=rome,dc=cup,dc=hp,dc=com" \
    -w pass "cn=group1,cn=users,dc=rome,dc=cup,dc=hp,dc=com"

A 'vi' session is started containing the ldif entries for the 'cn=group1'.
Insert the lines shown below to the left of '<---add this line':

dn: CN=group1,CN=Users,DC=rome,DC=cup,DC=hp,DC=com
member:
.
.
msSFU30GidNumber: 105
msSFU30MemberUid: user1 <---add this line
msSFU30MemberUid: user2 <---add this line
msSFU30MemberUid: user3 <---add this line
msSFU30MemberUid: user4 <---add this line
msSFU30NisDomain: rome


When you save and exit from 'vi' answer 'y' to the following prompt:

Apply the changes and replace entry in directory? (y/n):y

modifying entry CN=group1,CN=Users,DC=rome,DC=cup,DC=hp,DC=com

Modified.

Test the 'grget' command, you should get a list of members:

# grget -n group1
group1:*:105:user1,user2,user3,user4


Solution 2
Change the ldapux client mapping to use 'member' attribute

This solution allows you to add users to the Members tab for the group,
rather than adding them to the UNIX Attributes tab when using the MS
Active Directory Admin tool.

1. Change the mapping in the client profile in the Directory:

# cd /opt/ldapux/bin
# ./ldapentry -m -h brutus -D "cn=administrator,cn=users,dc=rome,dc=cup,dc=hp,dc=com" \
    -w pass "cn=ldapuxprofile,CN=Configuration,DC=rome,DC=cup,DC=hp,DC=com"

Change the entry:

attributeMap: group:memberuid=msSFU30memberuid

to:

attributeMap: group:memberuid=member

Save the change and answer 'y' to update the directory.

2. Refresh the profile on the ldap-ux client:

The profile is cached and saved as a file on the ldap-ux client so it needs
to be updated. Download the updated profile as follows:

# /opt/ldapux/config/get_profile_entry -s nss -D \
"cn=administrator,cn=users,dc=rome,dc=cup,dc=hp,dc=com" -w pass

Have the ldapclientd re-read the profile:

# ./ldapclientd -r
Configuration reloaded.

3. Test the 'grget' command, you should get a list of members that have
been added to the Members tab in Active Directory:

# grget -n group1
group1:*:105:user1,user2,user3,user4


Note: According to Microsoft:

The following is the behaviour with regard to the msSFU30MemberUid and
msSFU30PosixMember group attributes in Active Directory:

When a group map entry is migrated into Active Directory, members of the group
who are already part of the domain are added to the msSFU30PosixMember
attribute. Members who don't exist in the domain are added with the
msSFU30MemberUid attribute. For example, if the following entry is
migrated to Active Directory:

group1:*:25:user1,user2,user5

In this entry, let's say user1 is part of an existing domain. But user2 and
user5 are not part of the domain. In this case user1 is added to the group
attribute msSFU30PosixMember and the other users are added to the group
attribute msSFU30MemberUid. If user2 is later added to the domain, user2
is then removed from the msSFU30MemberUid group attribute and added to
the msSFU30PosixMember group attribute.
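As an added example (not from the thread, and not HP's or Microsoft's code): a small Python emulation of how an NSS client renders a group entry under each candidate memberuid mapping discussed above, run over a constructed LDIF group entry of the kind ldapsearch returns. The domain (example.com), the user names (user1, user2, user5) and the SAMPLE_USERS lookup table are assumptions for the example only; the DN-to-uid resolution that LDAP-UX performs for the member mapping is modelled as a plain dictionary lookup, which is a simplification. The audit function also lists members that exist only as uid strings in msSFU30MemberUid: such a value is not linked to any user object, so the group line it produces applies to whatever account carries that login name on the client.

```python
import base64
import re

# Constructed sample: an AD group object as ldapsearch would return it in LDIF.
# Domain, group and user names are assumptions for this example, not values
# from the original thread. One "member" value is folded across two lines to
# exercise LDIF line unfolding.
SAMPLE_GROUP_LDIF = """\
dn: CN=group1,CN=Users,DC=example,DC=com
objectClass: top
objectClass: group
cn: group1
member: CN=user1,CN=Users,DC=example,DC=com
member: CN=user2,CN=Users,
 DC=example,DC=com
msSFU30Name: group1
msSFU30GidNumber: 105
msSFU30PosixMember: CN=user1,CN=Users,DC=example,DC=com
msSFU30PosixMember: CN=user2,CN=Users,DC=example,DC=com
msSFU30MemberUid: user5
msSFU30NisDomain: example
"""

# Constructed: DN -> POSIX uid for the user objects that exist in the domain.
# user5 is deliberately absent, matching the "member not yet in the domain"
# case from the Microsoft note.
SAMPLE_USERS = {
    "CN=user1,CN=Users,DC=example,DC=com": "user1",
    "CN=user2,CN=Users,DC=example,DC=com": "user2",
}

# Rough DN shape: at least two "type=value" components separated by a comma.
DN_RE = re.compile(r"^[A-Za-z][\w-]*=.+,[A-Za-z][\w-]*=.+$")


def parse_ldif_entry(text):
    """Parse one LDIF entry into {attr: [values]}.

    Attribute names are stored lower-cased because LDAP compares them
    case-insensitively. RFC 2849 folding (continuation lines starting with a
    space) is unfolded and base64 values ("attr:: ...") are decoded.
    """
    lines = []
    for raw in text.splitlines():
        if raw.startswith(" ") and lines:
            lines[-1] += raw[1:]
        elif raw and not raw.startswith("#"):
            lines.append(raw)
    entry = {}
    for line in lines:
        attr, _, value = line.partition(":")
        if value.startswith(":"):
            value = base64.b64decode(value[1:].strip()).decode()
        else:
            value = value.strip()
        entry.setdefault(attr.strip().lower(), []).append(value)
    return entry


def looks_like_dn(value):
    return bool(DN_RE.match(value))


def render_group(entry, member_attr, dn_to_uid=None):
    """Render the group line an NSS client would produce with
    attributeMap group:memberuid=<member_attr>.

    DN-valued members are resolved to uids through dn_to_uid when a lookup
    table is given; without one the raw DN is emitted, which reproduces the
    long grget output shown in the thread for the msSFU30PosixMember mapping.
    """
    name = entry["cn"][0]
    gid = entry["mssfu30gidnumber"][0]
    members = []
    for value in entry.get(member_attr.lower(), []):
        if looks_like_dn(value) and dn_to_uid is not None:
            # Exact-string lookup; real DN matching is more lenient (case, spacing).
            members.append(dn_to_uid.get(value, value))
        else:
            members.append(value)
    return f"{name}:*:{gid}:{','.join(members)}"


def audit_group(entry, dn_to_uid):
    """Summarise which member attributes are populated, which members exist
    only as uid strings (not tied to a user object), and which DN members do
    not resolve to a known user."""
    candidates = ("member", "mssfu30memberuid", "mssfu30posixmember")
    populated = [attr for attr in candidates if entry.get(attr)]
    uid_only = sorted(entry.get("mssfu30memberuid", []))
    unresolved = sorted(
        value
        for attr in ("member", "mssfu30posixmember")
        for value in entry.get(attr, [])
        if value not in dn_to_uid
    )
    return {"populated": populated, "uid_only_members": uid_only,
            "unresolved_dns": unresolved}


if __name__ == "__main__":
    group = parse_ldif_entry(SAMPLE_GROUP_LDIF)
    for attr in ("msSFU30MemberUid", "msSFU30PosixMember", "member"):
        lookup = SAMPLE_USERS if attr == "member" else None
        print(f"memberuid={attr}: {render_group(group, attr, lookup)}")
    print(audit_group(group, SAMPLE_USERS))
```

Running the block prints the three group lines side by side: the default msSFU30MemberUid mapping yields only user5, the msSFU30PosixMember mapping yields DNs, and the member mapping (with resolution) yields user1,user2, which is the behaviour the thread describes for Solution 2. The audit output is what to look at when a user shows up in a group on the client without a matching user object in the directory.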