CUPS ldap group authentication not working

John A. Sullivan III jsullivan at opensourcedevel.com
Sat Feb 13 17:39:17 PST 2010


> > On Feb 13, 2010, at 11:15 AM, John A. Sullivan III wrote:
> > > ...
> > > If I leave SystemGroup at lpadmin and add john to lpadmin, it works as expected.  The problem seems to be the LDAP groups.  I do notice that getent group <groupname> on an LDAP group always returns an empty group whereas it returns populated local groups - John
> >
> >
> > Well, that's the reason it isn't working.  Either the nss_ldap plugin is buggy or there is a problem with the LDAP data keeping it from populating the group data.
> >
> > <snip>
> OK - at least I'm on the right track.  Unfortunately, I've been beating my head against the wall (or Google more accurately) trying to learn what makes getent and LDAP groups get along and I've not yet solved it.  Would this be NSS mapping? Any pointers? Documents? Howtos? Thanks for the help - John

At long last I think I see it.  Directory Server has created groups with object class groupofuniquenames to which we have added an objectclass of posixgroup but it is only populated with uniquemember and not memberuid.  It looks like I have two options:

1) Define nss_map_objectclass posixgroup groupofuniquenames:
This works for getent group but seems to make id hang.  I think this also creates a problem in that the user groups, i.e., the posixgroup created for each uid, will not be mapped.

2) Define all the memberuids in each group:
This means an extra administrative step and exposure to human error.

My guess is that option 2 is the correct way to go.  Thanks - John
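
Option 2 above is the manual step that invites human error. The following sketch, an added example that is not part of the original post, derives the missing memberUid values from each group's uniqueMember DNs and emits input for ldapmodify. It assumes member DNs begin with uid=<login>; the example.com entries are constructed and the function names are hypothetical.

```python
import re
# Constructed sample: groups carrying both object classes, filled via uniqueMember only.
SAMPLE_LDIF = """\
dn: cn=printadmins,ou=Groups,dc=example,dc=com
objectClass: groupOfUniqueNames
objectClass: posixGroup
uniqueMember: uid=john,ou=People,dc=example,dc=com
uniqueMember: uid=mary,ou=People,dc=example,dc=com
memberUid: john

dn: cn=staff,ou=Groups,dc=example,dc=com
objectClass: groupOfUniqueNames
objectClass: posixGroup
uniqueMember: uid=john,ou=People,dc=example,dc=com
uniqueMember: cn=Service Account,ou=Special,dc=example,dc=com
"""

def parse_entries(ldif):
    """Split simple LDIF (no folded or base64 lines) into {attr: [values]} dicts."""
    entries = []
    for block in re.split(r"\n\s*\n", ldif.strip()):
        entry = {}
        for line in block.splitlines():
            if ": " in line and not line.startswith("#"):
                attr, value = line.split(": ", 1)
                entry.setdefault(attr.lower(), []).append(value.strip())
        if "dn" in entry:
            entries.append(entry)
    return entries

def build_modify_ldif(ldif):
    """Return (ldapmodify input adding missing memberUid values, unmapped member DNs)."""
    records, skipped = [], []
    for entry in parse_entries(ldif):
        have, add = {u.lower() for u in entry.get("memberuid", [])}, []
        for dn in entry.get("uniquemember", []):
            m = re.match(r"uid=([^,+]+)", dn, re.IGNORECASE)  # assumes uid= is the first RDN
            if not m:
                skipped.append(dn)  # cannot derive a login name; resolve by hand
            elif m.group(1).lower() not in have:
                have.add(m.group(1).lower())
                add.append(m.group(1))
        if add:
            header = ["dn: " + entry["dn"][0], "changetype: modify", "add: memberUid"]
            records.append("\n".join(header + ["memberUid: " + u for u in add]))
    return "\n\n".join(records), skipped

if __name__ == "__main__":
    print(build_modify_ldif(SAMPLE_LDIF)[0])
```

Member DNs returned in the second value have no uid= RDN and still need a manual lookup before the group is complete.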