Hello

 

Thanks fort he hint!

 

I had to add

ldap_default_bind_dn

ldap_default_authtok

 

to my sssd.conf and it worked!

 

Strange is that groups and people can be resolved without the additional config. So groups and netgroups are handled differently.

 

Thanks a lot,

Tibor

 

Von: Mark Reynolds <mareynol@redhat.com>
Gesendet: Dienstag, 11. Januar 2022 15:00
An: General discussion list for the 389 Directory server project. <389-users@lists.fedoraproject.org>; Dudas Tibor ABRAXAS <Tibor.Dudas@abraxas.ch>
Betreff: Re: [389-users] getent netgroup <mynetgroup> yields no hits

 

 

On 1/11/22 2:51 AM, Dudas Tibor ABRAXAS wrote:

Hello

 

I would like to configure authentication and authorization via nisNetgroups in 389ds. With "getent" on the 389ds client I see my groups and my users. If I query the netgroup via "getent netgroup <my_netgroup>" I do not get any hit.

My netgroup you see below.

The log says:

tail -f /var/log/dirsrv/slapd-localhost/access
[29/Dec/2021:12:11:14.350690263 +0100] conn=851 op=13 SRCH base="ou=netgroup,dc=example,dc=com" scope=2 filter="(&(cn=qausers)(objectClass=nisNetgroup))" attrs="objectClass cn memberNisNetgroup nisNetgroupTriple modifyTimestamp [29/Dec/2021:12:11:14.351130562 +0100] conn=851 op=13 RESULT err=0 tag=101 nentries=0 wtime=0.000194950 optime=0.000443964 etime=0.000636159

The last entries mean:

err=0: no error
tag=101: it was a search
nentries=0: no hits for the search 

nentries=0 could also mean that access control denied the search results.  Since using Directory Manager below works that is a tell tail sign that the search that is failing above is either being done anonymously or by a user who does not have permission to search the database.  So look in the logs for conn=851 and find the BIND dn.

HTH,

Mark


But ldap search with the same parameters yields the netgroup:

ldapsearch -x -D "cn=Directory Manager" -W -H ldaps://server.example.com -b ou=netgroup,dc=example,dc=com "(&(cn=qausers)(objectClass=nisNetgroup))" objectClass cn memberNisNetgroup nisNetgroupTriple modifyTimestamp

dn: cn=qausers,ou=netgroup,dc=example,dc=com
objectClass: nisNetgroup
objectClass: top
cn: qausers
nisNetgroupTriple: (,alice,)
nisNetgroupTriple: (,eve,)
nisNetgroupTriple: (server.example.com,-,-)
nisNetgroupTriple: (server,-,-)
modifyTimestamp: 20211229105114Z

I replaced the real server name by server.example.com and deleted all quotes.

My nsswitch.conf contains

netgroup: files ldap sss

My sssd.conf contains:

ldap_netgroup_search_base = ou=netgroup,dc=example,dc=com
ldap_netgroup_object_class = nisNetgroup
ldap_netgroup_triple = nisNetgroupTriple

My 389ds-instance is created via

cat instance.inf
[general]
config_version = 2
[slapd]
root_password = my_pw
[backend-userroot]
sample_entries = yes
suffix = dc=example,dc=com

My client is configured via "authconfig-tui".

I already looked for special, normally unseen characters in the config files with "cat -vet /etc/sssd/sssd.conf" and "cat -vet /etc/nsswitch.conf", but did not find any.

Does it play a role, that the 389ds server and client see each other via entries in the /etc/hosts? I would assume "no", as getent can resolve both groups and users.

 

Can you help?

 

Best Regards, Tibor

 

--
Tibor Dudas
ICT-System-Ingenieur
Enterprise Applications

Abraxas Informatik AG

The Circle 68 | CH-8058 Zürich-Flughafen
Direkt +41 58 660 24 83
tibor.dudas@abraxas.ch | www.abraxas.ch



_______________________________________________
389-users mailing list -- 389-users@lists.fedoraproject.org
To unsubscribe send an email to 389-users-leave@lists.fedoraproject.org
Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives: https://lists.fedoraproject.org/archives/list/389-users@lists.fedoraproject.org
Do not reply to spam on the list, report it: https://pagure.io/fedora-infrastructure
-- 
Directory Server Development Team