[Samba] smbldap-showuser and ldapsearch can't show groups user belongs to.

Mauricio Tavares raubvogel at gmail.com
Fri Sep 6 20:10:24 UTC 2019


On Fri, Sep 6, 2019 at 3:51 PM Andrew Bartlett <abartlet at samba.org> wrote:
>
> On Fri, 2019-09-06 at 15:14 -0400, Mauricio Tavares via samba wrote:
> > However, when I ask ldapsearch to tell me about raub,
> >
> > ldapsearch -vvv -H "ldaps://ldap.example.com" -D
> > "uid=admin,ou=People,dc=example,dc=com" -W -b "dc=example,dc=com" -s
> > sub "(uid=raub)"
> >
> > It will give me lots of exciting info about said user but not a
> > single
> > memberOf attribute.
>
> The rfc2307 mapping of unix group behaviour onto LDAP does not feature
> member or memberOf attributes, just as /etc/passwd does not store
> groups, but /etc/group stores group member usernames.
>
> AD has member/memberOf as linked attributes, but even there it is more
> complex, with nested groups only being fully calculated via the
> operational tokenGroups attribute on the user DN (as a base search) and
> only fully, finally resolved on a login via tokenGroups on the rootDSE.
>
> I hope this clarifies things,
>
      It does. I guess I was used to rfc2307bis, which freeipa still
uses [1] even though (as I learned today) its draft expired in
2010. [2]

[1] https://github.com/freeipa/freeipa/blob/master/ipaserver/plugins/migration.py
[2] https://tools.ietf.org/html/draft-howard-rfc2307bis-02

> Andrew Bartlett
>
> --
> Andrew Bartlett                       https://samba.org/~abartlet/
> Authentication Developer, Samba Team  https://samba.org
> Samba Developer, Catalyst IT
> https://catalyst.net.nz/services/samba
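As an added example that is not part of this thread: the group-side lookup Andrew describes, run over a constructed LDIF result of `ldapsearch -b "ou=Group,dc=example,dc=com" "(objectClass=posixGroup)"` (the ou=Group base, the sample entries and the helper names are assumptions). It also handles the rfc2307bis style mentioned above, where the group stores member DNs instead of memberUid values.

```python
from collections import defaultdict
# Constructed sample of what a search over ou=Group might return: two
# rfc2307 posixGroup entries (memberUid, like /etc/group) and one entry in
# the rfc2307bis style that stores member DNs instead.
SAMPLE_LDIF = """\
dn: cn=admins,ou=Group,dc=example,dc=com
objectClass: posixGroup
cn: admins
memberUid: raub
memberUid: alice

dn: cn=devs,ou=Group,dc=example,dc=com
objectClass: posixGroup
cn: devs
memberUid: bob

dn: cn=ops,ou=Group,dc=example,dc=com
objectClass: groupOfNames
cn: ops
member: uid=raub,ou=People,dc=example,dc=com
"""

def parse_ldif(text):
    """Minimal LDIF parser -> list of {attr: [values]}; folds continuation lines."""
    entries, lines = [], []
    for raw in text.splitlines() + [""]:
        if raw.startswith(" ") and lines:      # folded line: join to previous
            lines[-1] += raw[1:]
        elif raw == "":                        # blank line ends an entry
            if lines:
                entry = defaultdict(list)
                for line in lines:
                    attr, _, value = line.partition(":")   # '::' (base64) not decoded
                    entry[attr.strip()].append(value.strip())
                entries.append(entry)
                lines = []
        elif not raw.startswith("#"):
            lines.append(raw)
    return entries

def groups_for_user(ldif_text, uid, user_dn=None):
    """cn of groups listing uid in memberUid (rfc2307) or user_dn in member (rfc2307bis)."""
    found = set()
    for e in parse_ldif(ldif_text):
        if uid in e.get("memberUid", []):
            found.update(e["cn"])
        elif user_dn and user_dn.lower() in [m.lower() for m in e.get("member", [])]:
            found.update(e["cn"])
    return sorted(found)
```

Searching the user entry itself, as in the original ldapsearch above, never yields this list under rfc2307; the filter to run against the server is the group-side one, e.g. `(&(objectClass=posixGroup)(memberUid=raub))`.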