Solaris LDAP group problem

cjhilinski · March 23, 2014, 10:41am

I have a test environment which is running RedHat 6.5 Identity management. On the lab network are two Solaris 10 (U11) machines. I can successfully log into the S10 machines using the ldap username/passwords. However, I have a problem with groups and although I found through an internet search one person who had the exact same problem back in 2009, there was not solution.

On the S10 machine, the only group listed for a user is his/her primary group. If you do "groups username," it returns only the primary group. If you do "id -a username," it also returns only the primary group. Yet if you do "ldaplist -l group \*" you get the entire list of groups with all of the users. And users only get access to directories for which their primary group has rights.

I suspect this is a small configuration thing (probably in ldap_client_file), but I can't find an answer.

bartus11 · March 23, 2014, 10:53am

Show us contents of /etc/nsswitch.conf .

cjhilinski · March 23, 2014, 11:42am

The relevant entries are:
passwd: files ldap
group: files ldap

Everything else except hosts (files dns) is set to files.

cjhilinski · March 26, 2014, 8:21am

Replacing this line in /var/ldap/ldap_client_file

NS_LDAP_SERVICE_SEARCH_DESC= group:cn=groups,cn=accounts,dc=aaa,dc=bbb,dc=dddd,dc=eee

with

NS_LDAP_SERVICE_SEARCH_DESC= group:cn=groups,cn=compat,dc=aaa,dc=bbb,dc=ddd,dc=eee

solved the problem. Note the change from "accounts" to "compat."