Issue 34 in nsscache: /etc/group.cache lists group members with distinguished name instead of username


nssc...@googlecode.com

Sep 7, 2014, 4:33:33 AM
to nsscache...@googlegroups.com
Status: New
Owner: ----
Labels: Type-Defect Priority-Medium

New issue 34 by glanzm...@gmail.com: /etc/group.cache lists group members
with distinguished name instead of username
https://code.google.com/p/nsscache/issues/detail?id=34

What steps will reproduce the problem?
1. Group definition in LDAP
dn: cn=thglanzm,ou=Groups,dc=domain,dc=de
objectClass: posixGroup
cn: thglanzm
gidNumber: 10074
memberUid: uid=thglanzm,ou=People,dc=domain,dc=de
structuralObjectClass: posixGroup
entryUUID: f3fffb3c-8994-1033-82c3-d574d9524b6e
creatorsName: cn=manager,dc=domain,dc=de
createTimestamp: 20140616112732Z
entryCSN: 20140616112732.904794Z#000000#000#000000
modifiersName: cn=manager,dc=domain,dc=de
modifyTimestamp: 20140616112732Z

2. Nsscache Configuration:
[DEFAULT]
source = ldap
cache = files
maps = passwd, group, shadow, sshkey
timestamp_dir = /var/lib/nsscache
ldap_uri = ldap://ldap1
ldap_base = dc=domain,dc=de
ldap_filter = (objectclass=posixAccount)
ldap_bind_dn = "cn=pam,dc=domain,dc=de"
ldap_bind_password = "password"
nssdb_dir = /var/lib/misc
files_dir = /etc
files_cache_filename_suffix = cache

[passwd]
ldap_base = ou=People,dc=domain,dc=de

[group]
ldap_base = ou=Groups,dc=domain,dc=de
ldap_filter = (objectclass=posixGroup)
rfc2307bis = 1

[shadow]
ldap_filter = (objectclass=shadowAccount)

[sshkey]
ldap_base = ou=People,dc=domain,dc=de

3. Run nsscache update and cat /etc/group
grep ^thglanzm /etc/group.cache
thglanzm:*:10074:uid=thglanzm,ou=People,dc=domain,dc=de


What is the expected output? What do you see instead?

Expected Output:
grep ^thglanzm /etc/group.cache
thglanzm:*:10074:thglanzm

I see instead:
grep ^thglanzm /etc/group.cache
thglanzm:*:10074:uid=thglanzm,ou=People,dc=domain,dc=de

What version of the product are you using? On what operating system?

I used the latest release nsscache-0.23.tar.gz and the git head as of
2014-09-07.

Please provide any additional information below.

I wrote a small patch which I assume is wrong because it fights the
symptoms instead of removing the root cause. Can someone who knows Python
and knows the code base better please write a proper patch?



Attachments:
0001-Write-username-instead-of-distinguished-names.patch 1.5 KB


nssc...@googlecode.com

Oct 20, 2014, 12:32:22 AM
to nsscache...@googlegroups.com

Comment #1 on issue 34 by j...@spacepants.org: /etc/group.cache lists group
members with distinguished name instead of username
https://code.google.com/p/nsscache/issues/detail?id=34

I see you have rfc2370bis = 1 in the config; does that actually work?

nssc...@googlecode.com

Oct 20, 2014, 12:42:33 AM
to nsscache...@googlegroups.com

Comment #2 on issue 34 by j...@spacepants.org: /etc/group.cache lists group
members with distinguished name instead of username
https://code.google.com/p/nsscache/issues/detail?id=34

It seems that if the patch in #8 was included, then there's no groups
support for 2307bis (yet)

nssc...@googlecode.com

Oct 20, 2014, 1:10:10 AM
to nsscache...@googlegroups.com

Comment #3 on issue 34 by j...@spacepants.org: /etc/group.cache lists group
members with distinguished name instead of username
https://code.google.com/p/nsscache/issues/detail?id=34

I think this is working as unintended -- nsscache doesn't support
rfc2307bis out of the box, but this should be fixed soon.

nssc...@googlecode.com

Oct 20, 2014, 1:11:10 AM
to nsscache...@googlegroups.com
Updates:
Status: Fixed

Comment #4 on issue 34 by j...@spacepants.org: /etc/group.cache lists group
members with distinguished name instead of username
https://code.google.com/p/nsscache/issues/detail?id=34

Fixed in github master.

Thomas Glanzmann

Oct 20, 2014, 1:16:42 AM
to nsscache...@googlegroups.com
Hello,

> I see you have rfc2370bis = 1 in the config; does that actually work?

I'm not sure. But the problem with the groups happened to me with or
without the 'rfc2370bis=1' thing. Currently I am running my patch in
production without the 'rfc2370bis=1' in groups.

[DEFAULT]
source = ldap
cache = files
maps = passwd, group, shadow, sshkey
timestamp_dir = /var/lib/nsscache
ldap_uri = ldap://ldap1
ldap_base = dc=glanzmann,dc=de
ldap_filter = (objectclass=posixAccount)
ldap_bind_dn = cn=ldapsync,dc=glanzmann,dc=de
ldap_bind_password = password

nssdb_dir = /var/lib/misc
files_dir = /etc
files_cache_filename_suffix = cache

[passwd]
ldap_base = ou=People,dc=glanzmann,dc=de

[group]
ldap_base = ou=Groups,dc=glanzmann,dc=de
ldap_filter = (objectclass=posixGroup)

[shadow]
ldap_base = ou=People,dc=glanzmann,dc=de
ldap_filter = (objectclass=shadowAccount)

[sshkey]
ldap_base = ou=People,dc=glanzmann,dc=de
ldap_filter = (objectclass=ldapPublicKey)

Cheers,
Thomas

Jamie Wilkinson

Oct 20, 2014, 1:18:03 AM
to nsscache...@googlegroups.com, tho...@glanzmann.de
Please try out the latest code from github.com/google/nsscache without your patch and let me know how it goes.



Thomas Glanzmann

Oct 20, 2014, 1:53:43 AM
to Jamie Wilkinson, nsscache...@googlegroups.com
Hello Jamie,

> Please try out the latest code from github.com/google/nsscache without
> your patch and let me know how it goes.

I tried with and without 'rfc2370bis = 1' in [group] section, but it fails:

(mm1) [~/nsscache] git log | head -1
commit 724b1db88fc4dd2dbbb8d002da4adca0f9477acd
(mm1) [~/nsscache] /
(mm1) [~/nsscache] ./nsscache update -f
(mm1) [~/nsscache] head -1 /etc/group.cache
ldap:*:5002:uid=adyrdina,ou=People,dc=glanzmann,dc=de,uid=afoeldi,ou=People,dc=glanzmann,dc=de,uid=aherczig,ou=People,dc=glanzmann,dc=de,uid=alortizc,ou=People,dc=glanzmann,dc=de,uid=anboerne,ou=People,dc=glanzmann,dc=de,uid=anmandel,ou=People,dc=glanzmann,dc=de,uid=bcsontos,ou=People,dc=glanzmann,dc=de,uid=btsyrkin,ou=People,dc=glanzmann,dc=de,uid=caherrer,ou=People,dc=glanzmann,dc=de,uid=cstoth,ou=People,dc=glanzmann,dc=de,uid=dmenache,ou=People,dc=glanzmann,dc=de,uid=dzhuravl,ou=People,dc=glanzmann,dc=de,uid=fkuehlbu,ou=People,dc=glanzmann,dc=de,uid=flherzog,ou=People,dc=glanzmann,dc=de,uid=foltmann,ou=People,dc=glanzmann,dc=de,uid=fsantana,ou=People,dc=glanzmann,dc=de,uid=ggrutsch,ou=People,dc=glanzmann,dc=de,uid=ghasenfr,ou=People,dc=glanzmann,dc=de,uid=ghodi,ou=People,dc=glanzmann,dc=de,uid=hobreit,ou=People,dc=glanzmann,dc=de,uid=hsanche1,ou=People,dc=glanzmann,dc=de,uid=icastela,ou=People,dc=glanzmann,dc=de,uid=isrgonza,ou=People,dc=glanzmann,dc=de,uid=jrosetes,ou=People,dc=glanzmann,dc=de,uid=jsemperg,ou=People,dc=glanzmann,dc=de,uid=ldapbackup,ou=People,dc=glanzmann,dc=de,uid=ljaszai,ou=People,dc=glanzmann,dc=de,uid=mfankano,ou=People,dc=glanzmann,dc=de,uid=molmedom,ou=People,dc=glanzmann,dc=de,uid=mschelln,ou=People,dc=glanzmann,dc=de,uid=mvukovic,ou=People,dc=glanzmann,dc=de,uid=obrinker,ou=People,dc=glanzmann,dc=de,uid=psiegemu,ou=People,dc=glanzmann,dc=de,uid=rigruber,ou=People,dc=glanzmann,dc=de,uid=rkardano,ou=People,dc=glanzmann,dc=de,uid=rogdomin,ou=People,dc=glanzmann,dc=de,uid=rorenz,ou=People,dc=glanzmann,dc=de,uid=rromerol,ou=People,dc=glanzmann,dc=de,uid=sdelacer,ou=People,dc=glanzmann,dc=de,uid=sgombos,ou=People,dc=glanzmann,dc=de,uid=spadgaon,ou=People,dc=glanzmann,dc=de,uid=sstepano,ou=People,dc=glanzmann,dc=de,uid=svkempf,ou=People,dc=glanzmann,dc=de,uid=szpeter,ou=People,dc=glanzmann,dc=de,uid=thglanzm,ou=People,dc=glanzmann,dc=de,uid=tspeth,ou=People,dc=glanzmann,dc=de,uid=ttapsony,ou=People,dc=glanzmann,dc=de,uid=tthiel,ou=People,dc=gla
nzmann,dc=de,uid=vortegab,ou=People,dc=glanzmann,dc=de,uid=vtapiasi,ou=People,dc=glanzmann,dc=de,uid=zbucsko,ou=People,dc=glanzmann,dc=de,uid=zsonagy,ou=People,dc=glanzmann,dc=de

Cheers,
Thomas

Jamie Wilkinson

Mar 2, 2015, 8:27:26 PM
to nsscache...@googlegroups.com, Jamie Wilkinson
Can you turn on the verbosity and get some more logs when you run the nsscache update?


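Added example, not part of the thread and not nsscache's code or the attached patch: one way to turn the DN-valued members from the report into the login names a group(5) line expects, plus a check for cache lines that still contain DNs. The function names are hypothetical, and it assumes the login name is the value of a leading uid= RDN.

```python
import re

# Conservative login-name pattern (an assumption of this example, not nsscache's rule).
NAME_RE = re.compile(r"^[a-z_][a-z0-9_.-]*\$?$", re.IGNORECASE)

def split_dn(dn):
    """Split a DN into RDNs on commas that are not backslash-escaped (RFC 4514)."""
    parts, cur, i = [], "", 0
    while i < len(dn):
        if dn[i] == "\\" and i + 1 < len(dn):
            cur += dn[i:i + 2]   # keep the escaped pair together
            i += 2
            continue
        if dn[i] == ",":
            parts.append(cur.strip())
            cur = ""
        else:
            cur += dn[i]
        i += 1
    parts.append(cur.strip())
    return parts

def member_to_username(value, uid_attr="uid"):
    """Return the login name for a group member value, or None if unusable."""
    value = value.strip()
    if "=" in value:                       # value is a DN, as in the report
        attr, _, name = split_dn(value)[0].partition("=")
        if attr.strip().lower() != uid_attr:
            return None                    # leading RDN is not uid=...
        value = name.strip()
    return value if NAME_RE.match(value) else None

def group_line(name, gid, members):
    """Build a group(5) line; members that yield no login name are dropped."""
    users = [u for u in (member_to_username(m) for m in members) if u]
    return "%s:*:%d:%s" % (name, gid, ",".join(users))

def dn_polluted(cache_line):
    """True if the member field of a group(5) line still holds DN fragments."""
    fields = cache_line.rstrip("\n").split(":", 3)
    return len(fields) == 4 and "=" in fields[3]

if __name__ == "__main__":
    # Member value copied from the LDIF in the report above.
    dn = "uid=thglanzm,ou=People,dc=domain,dc=de"
    print(group_line("thglanzm", 10074, [dn]))
    print(dn_polluted("thglanzm:*:10074:" + dn))
```

Because group(5) separates members with commas, a DN written verbatim is read back as several bogus member names (uid=thglanzm, ou=People, ...), so no real user matches and group-based access checks fail. Running dn_polluted over /etc/group.cache after each update catches that state before it reaches NSS consumers.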
