[Samba] smbldap-showuser and ldapsearch can't show groups user belongs to.
raubvogel at gmail.com
Fri Sep 6 20:10:24 UTC 2019
On Fri, Sep 6, 2019 at 3:51 PM Andrew Bartlett <abartlet at samba.org> wrote:
> On Fri, 2019-09-06 at 15:14 -0400, Mauricio Tavares via samba wrote:
> > However, when I ask ldapsearch to tell me about raub,
> > ldapsearch -vvv -H "ldaps://ldap.example.com" -D
> > "uid=admin,ou=People,dc=example,dc=com" -W -b "dc=example,dc=com" -s
> > sub "(uid=raub)"
> > It will give me lots of exciting info about said user but not a single
> > memberOf attribute.
> The rfc2307 mapping of unix group behaviour onto LDAP does not feature
> member or memberOf attributes, just as /etc/passwd does not store
> groups, but /etc/group stores group member usernames.
> AD has member/memberOf as linked attributes, but even there it is more
> complex, with nested groups only being fully calculated via the
> operational tokenGroups attribute on the user DN (as a base search) and
> only fully, finally resolved on a login via tokenGroups on the rootDSE.
> I hope this clarifies things,
It does. I guess I was used to rfc2307bis, which freeipa still
uses even though (as I learned today) its draft has expired in
> Andrew Bartlett
> Andrew Bartlett https://samba.org/~abartlet/
> Authentication Developer, Samba Team https://samba.org
> Samba Developer, Catalyst IT
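The practical consequence of Andrew's point, shown as an added example that is not part of the thread: under rfc2307 the membership lives on the posixGroup entries (memberUid), so to answer "which groups is raub in" you search the groups for memberUid=raub rather than the user entry for memberOf. The ldapsearch invocation below reuses the server, bind DN and base DN from Mauricio's command as placeholders; the LDIF is constructed sample output so the parsing function runs offline.

```shell
#!/bin/sh
# Added example: resolving rfc2307 group membership from the group side.
# Server URL, bind DN and base DN are placeholders copied from the thread.

# The real query (commented out so the script runs offline): ask for every
# posixGroup whose memberUid lists the user, returning only cn and gidNumber.
# ldapsearch -LLL -H "ldaps://ldap.example.com" \
#   -D "uid=admin,ou=People,dc=example,dc=com" -W \
#   -b "dc=example,dc=com" -s sub \
#   "(&(objectClass=posixGroup)(memberUid=raub))" cn gidNumber

# Constructed LDIF standing in for the ldapsearch -LLL output above.
SAMPLE_LDIF='dn: cn=admins,ou=Group,dc=example,dc=com
cn: admins
gidNumber: 10001
memberUid: raub
memberUid: alice

dn: cn=users,ou=Group,dc=example,dc=com
cn: users
gidNumber: 10000
memberUid: raub
memberUid: bob

dn: cn=backup,ou=Group,dc=example,dc=com
cn: backup
gidNumber: 10002
memberUid: bob
'

# groups_of USER LDIF: print the cn of every group entry in LDIF whose
# memberUid values include USER, one per line, in the order returned.
# LDIF is passed as text so the function can be fed either the sample
# above or the captured output of the ldapsearch query.
groups_of() {
    user="$1"
    printf '%s\n' "$2" | awk -v u="$user" '
        /^cn: /        { cn = substr($0, 5) }            # "cn: " is 4 chars
        /^memberUid: / { if (substr($0, 12) == u) hit = 1 } # "memberUid: " is 11 chars
        /^$/           { if (hit) print cn; cn = ""; hit = 0 } # blank line ends an entry
        END            { if (hit) print cn }             # last entry without trailing blank
    '
}

# Stand-alone run: list the groups the sample data puts raub in.
groups_of raub "$SAMPLE_LDIF"
```

Note that this answers only the flat posixGroup membership; as Andrew says, nested membership is not expressible in this schema at all, and on AD you would instead read the operational tokenGroups attribute with a base-scope search on the user DN.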