I would like to configure authentication and authorization via nisNetgroups in 389ds. With "getent" on the 389ds client I see my groups and my users. If I query the netgroup via "getent netgroup <my_netgroup>" I do not get any hit.
My netgroup you see below.
The log says:
tail -f /var/log/dirsrv/slapd-localhost/access
[29/Dec/2021:12:11:14.350690263 +0100] conn=851 op=13 SRCH base="ou=netgroup,dc=example,dc=com" scope=2 filter="(&(cn=qausers)(objectClass=nisNetgroup))" attrs="objectClass cn memberNisNetgroup nisNetgroupTriple modifyTimestamp [29/Dec/2021:12:11:14.351130562 +0100] conn=851 op=13 RESULT err=0 tag=101 nentries=0 wtime=0.000194950 optime=0.000443964 etime=0.000636159
The last entries mean:
err=0: no error
tag=101: it was a search
nentries=0: no hits for the search
nentries=0 could also mean that access control denied the search results. Since using Directory Manager below works that is a tell tail sign that the search that is failing above is either being done anonymously or by a user who does not have permission to search the database. So look in the logs for conn=851 and find the BIND dn.
But ldap search with the same parameters yields the netgroup:
ldapsearch -x -D "cn=Directory Manager" -W -H ldaps://server.example.com -b ou=netgroup,dc=example,dc=com "(&(cn=qausers)(objectClass=nisNetgroup))" objectClass cn memberNisNetgroup nisNetgroupTriple modifyTimestamp
I replaced the real server name by server.example.com and deleted all quotes.
My nsswitch.conf contains
netgroup: files ldap sss
My sssd.conf contains:
ldap_netgroup_search_base = ou=netgroup,dc=example,dc=com
ldap_netgroup_object_class = nisNetgroup
ldap_netgroup_triple = nisNetgroupTriple
My 389ds-instance is created via
config_version = 2
root_password = my_pw
sample_entries = yes
suffix = dc=example,dc=com
My client is configured via "authconfig-tui".
I already looked for special, normally unseen characters in the config files with "cat -vet /etc/sssd/sssd.conf" and "cat -vet /etc/nsswitch.conf", but did not find any.
Does it play a role, that the 389ds server and client see each other via entries in the /etc/hosts? I would assume "no", as getent can resolve both groups and users.
Can you help?
Best Regards, Tibor
_______________________________________________ 389-users mailing list -- firstname.lastname@example.org To unsubscribe send an email to email@example.com Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/ List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines List Archives: https://firstname.lastname@example.org Do not reply to spam on the list, report it: https://pagure.io/fedora-infrastructure
-- Directory Server Development Team