Hello
Thanks for the hint!
I had to add
ldap_default_bind_dn
ldap_default_authtok
to my sssd.conf and it worked!
Strange is that groups and people can be resolved without the additional config. So groups
and netgroups are handled differently.
Thanks a lot,
Tibor
From: Mark Reynolds <mareynol(a)redhat.com>
Sent: Tuesday, 11 January 2022 15:00
To: General discussion list for the 389 Directory server project.
<389-users(a)lists.fedoraproject.org>; Dudas Tibor ABRAXAS
<Tibor.Dudas(a)abraxas.ch>
Subject: Re: [389-users] getent netgroup <mynetgroup> yields no hits
On 1/11/22 2:51 AM, Dudas Tibor ABRAXAS wrote:
Hello
I would like to configure authentication and authorization via nisNetgroups in 389ds. With
"getent" on the 389ds client I see my groups and my users. If I query the
netgroup via "getent netgroup <my_netgroup>" I do not get any hit.
My netgroup you see below.
The log says:
tail -f /var/log/dirsrv/slapd-localhost/access
[29/Dec/2021:12:11:14.350690263 +0100] conn=851 op=13 SRCH base="ou=netgroup,dc=example,dc=com" scope=2 filter="(&(cn=qausers)(objectClass=nisNetgroup))" attrs="objectClass cn memberNisNetgroup nisNetgroupTriple modifyTimestamp"
[29/Dec/2021:12:11:14.351130562 +0100] conn=851 op=13 RESULT err=0 tag=101 nentries=0 wtime=0.000194950 optime=0.000443964 etime=0.000636159
The last entries mean:
err=0: no error
tag=101: it was a search
nentries=0: no hits for the search
nentries=0 could also mean that access control denied the search results. Since using
Directory Manager below works that is a telltale sign that the search that is failing
above is either being done anonymously or by a user who does not have permission to search
the database. So look in the logs for conn=851 and find the BIND dn.
HTH,
Mark
But ldap search with the same parameters yields the netgroup:
ldapsearch -x -D "cn=Directory Manager" -W -H ldaps://server.example.com -b ou=netgroup,dc=example,dc=com "(&(cn=qausers)(objectClass=nisNetgroup))" objectClass cn memberNisNetgroup nisNetgroupTriple modifyTimestamp
dn: cn=qausers,ou=netgroup,dc=example,dc=com
objectClass: nisNetgroup
objectClass: top
cn: qausers
nisNetgroupTriple: (,alice,)
nisNetgroupTriple: (,eve,)
nisNetgroupTriple: (server.example.com,-,-)
nisNetgroupTriple: (server,-,-)
modifyTimestamp: 20211229105114Z
I replaced the real server name with server.example.com and deleted all quotes.
My nsswitch.conf contains
netgroup: files ldap sss
My sssd.conf contains:
ldap_netgroup_search_base = ou=netgroup,dc=example,dc=com
ldap_netgroup_object_class = nisNetgroup
ldap_netgroup_triple = nisNetgroupTriple
My 389ds-instance is created via
cat instance.inf
[general]
config_version = 2
[slapd]
root_password = my_pw
[backend-userroot]
sample_entries = yes
suffix = dc=example,dc=com
My client is configured via "authconfig-tui".
I already looked for special, normally unseen characters in the config files with
"cat -vet /etc/sssd/sssd.conf" and "cat -vet /etc/nsswitch.conf", but
did not find any.
Does it play a role that the 389ds server and client see each other via entries in
/etc/hosts? I would assume "no", as getent can resolve both groups and users.
Can you help?
Best Regards, Tibor
--
Tibor Dudas
ICT-System-Ingenieur
Enterprise Applications
Abraxas Informatik AG
The Circle 68 | CH-8058 Zürich-Flughafen
Direkt +41 58 660 24 83
tibor.dudas@abraxas.ch | www.abraxas.ch
--
Directory Server Development Team
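Mark's hint above, to look up conn=851 in the access log and find the BIND dn behind the empty search, as an added example (not code from the thread or from 389-ds): a small Python parser that walks 389-ds access-log lines, records which DN each connection last bound as successfully, and reports every search that came back with nentries=0 together with that identity. The log lines below are constructed; only the conn=851 SRCH/RESULT pair mirrors the one quoted in the thread.

```python
import re

# Constructed sample of 389-ds access-log lines (only the conn=851 SRCH/RESULT
# pair is from the thread): conn=851 binds anonymously, conn=852 as Directory Manager.
SAMPLE_LOG = """\
[29/Dec/2021:12:11:14.200000000 +0100] conn=851 op=0 BIND dn="" method=128 version=3
[29/Dec/2021:12:11:14.200100000 +0100] conn=851 op=0 RESULT err=0 tag=97 nentries=0 etime=0.000100000 dn=""
[29/Dec/2021:12:11:14.350690263 +0100] conn=851 op=13 SRCH base="ou=netgroup,dc=example,dc=com" scope=2 filter="(&(cn=qausers)(objectClass=nisNetgroup))" attrs="objectClass cn memberNisNetgroup nisNetgroupTriple modifyTimestamp"
[29/Dec/2021:12:11:14.351130562 +0100] conn=851 op=13 RESULT err=0 tag=101 nentries=0 wtime=0.000194950 optime=0.000443964 etime=0.000636159
[29/Dec/2021:12:12:01.000000000 +0100] conn=852 op=0 BIND dn="cn=Directory Manager" method=128 version=3
[29/Dec/2021:12:12:01.000100000 +0100] conn=852 op=0 RESULT err=0 tag=97 nentries=0 etime=0.000100000 dn="cn=directory manager"
[29/Dec/2021:12:12:01.100000000 +0100] conn=852 op=1 SRCH base="ou=netgroup,dc=example,dc=com" scope=2 filter="(&(cn=qausers)(objectClass=nisNetgroup))" attrs="objectClass cn"
[29/Dec/2021:12:12:01.100500000 +0100] conn=852 op=1 RESULT err=0 tag=101 nentries=1 wtime=0.000100000 optime=0.000200000 etime=0.000300000
"""

LINE_RE = re.compile(r'^\[[^\]]+\] conn=(?P<conn>\d+)(?: op=(?P<op>\d+))? (?P<rest>.*)$')
BIND_RE = re.compile(r'^BIND dn="(?P<dn>[^"]*)"')
SRCH_RE = re.compile(r'^SRCH base="(?P<base>[^"]*)" scope=\d+ filter="(?P<filter>[^"]*)"')
RESULT_RE = re.compile(r'^RESULT err=(?P<err>\d+) tag=(?P<tag>\d+) nentries=(?P<n>\d+)')
ANON = '<anonymous>'

def empty_searches_with_binder(log_text):
    """Return (conn, op, bind_dn, base, filter) for each search with nentries=0.
    A connection with no successful BIND, or one bound with an empty DN, is anonymous."""
    bound = {}          # conn -> DN of the last successful bind
    pending_bind = {}   # conn -> DN a BIND asked for, awaiting its RESULT
    pending_srch = {}   # (conn, op) -> (base, filter) awaiting its RESULT
    findings = []
    for line in log_text.splitlines():
        if not (m := LINE_RE.match(line)):
            continue
        conn, op, rest = m['conn'], m['op'], m['rest']
        if (b := BIND_RE.match(rest)):
            pending_bind[conn] = b['dn']
        elif (s := SRCH_RE.match(rest)):
            pending_srch[(conn, op)] = (s['base'], s['filter'])
        elif (r := RESULT_RE.match(rest)):
            if r['tag'] == '97':     # bind result: only err=0 changes the identity
                dn = pending_bind.pop(conn, '')
                bound[conn] = (dn or ANON) if r['err'] == '0' else ANON
            elif r['tag'] == '101' and (conn, op) in pending_srch:
                base, flt = pending_srch.pop((conn, op))
                if int(r['n']) == 0:
                    findings.append((conn, op, bound.get(conn, ANON), base, flt))
    return findings

if __name__ == '__main__':
    for conn, op, dn, base, flt in empty_searches_with_binder(SAMPLE_LOG):
        print(f'conn={conn} op={op} bound as {dn}: 0 entries for {flt} under {base}')
```

Run against the real file (`/var/log/dirsrv/slapd-localhost/access`) the same function flags exactly the connections whose empty netgroup results stem from an anonymous or under-privileged bind rather than from a missing entry.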