  1. #1

    Default LDAP and netgroup

    Hi,

    I am in the process of evaluating a migration from NIS to LDAP and I'm
    seeing a couple of problems. Wondering if anyone else has seen them. My current
    setup involves only RedHat 9.0 with its supplied OpenLDAP server, but I will
    soon be adding HP-UX to the mix.

    Problem 1)

    If I have nscd (Name Service Cache Daemon) stopped, and have set "hosts: ldap"
    in nsswitch.conf, many commands will immediately segfault. I first saw it with
    "ping", but most other commands follow suit. I discovered the cause by using
    "strace ping" and saw hundreds of messages about the nscd pipe not existing.
    The second part of this problem is that within a couple minutes, the system
    grinds to a complete halt.

    Problem 2)

    We make heavy use of netgroup via NIS and so far my testing is showing that
    netgroup use via LDAP is not working. If I try to use "passwd: compat" and
    attempt to login via a user id in a defined netgroup in /etc/passwd, I am
    unable to login and /var/log/messages shows that the system cannot resolve the
    user id. Same thing when I try to use netgroup in a .rhosts file.

    I can successfully query all the data for netgroup with "ldapsearch", so I know
    that is not the problem.

    Normal authentication and hosts resolution appear to be working fine...

    Can anyone shed some light on these issues and share any other issues/concerns
    that have come up when migrating NIS to LDAP? Almost all of the online
    documentation is old and/or vague, especially with regards to netgroup usage.

    Thanks,

    Kevin
    Kevin Collins Guest

  3. #2

    Default Re: LDAP and netgroup

    In article <slrncd0vkv.vp1.spamtotrash@doom.unix-guy.com>,
    Kevin Collins <spamtotrash@toomuchfiction.com> wrote:
    | Problem 2)
    |
    | We make heavy use of netgroup via NIS and so far my testing is showing that
    | netgroup use via LDAP is not working. If I try to use "passwd: compat" and
    | attempt to login via a user id in a defined netgroup in /etc/passwd, I am
    | unable to login and /var/log/messages shows that the system cannot resolve the
    | user id. Same thing when I try to use netgroup in a .rhosts file.
    |
    | I can successfully query all the data for netgroup with "ldapsearch", so I know
    | that is not the problem.
    |
    | Normal authentication and hosts resolution appear to be working fine...
    |
    | Can anyone shed some light on these issues and share any other issues/concerns
    | that have come up when migrating NIS to LDAP? Almost all of the online
    | documentation is old and/or vague, especially with regards to netgroup usage.

    We're trying the same thing here right now. It appears that the
    Solaris nss_ldap module uses some kind of mangled query dialect when
    querying for netgroups that will not work with OpenLDAP, though one
    supposes it does work under the SunONE Directory Server.

    PADL.com's nss_ldap doesn't provide support for netgroups under LDAP
    at all, from comments Luke Howard has made on various mailing lists,
    so it appears that if you want to get netgroups working on Solaris
    under LDAP the choices are to license Sun's LDAP server or to tackle
    the project of adding support for netgroups to PADL's nss_ldap and
    making sure that all of your clients are running with it.

    This is incredibly frustrating.. it's 2004, and we're still having to
    run NIS? Ugh.

    | Thanks,
    |
    | Kevin

    --
    -------------------------------------------------------------------------------
    Jonathan Abbey [email]jonabbey@arlut.utexas.edu[/email]
    Applied Research Laboratories The University of Texas at Austin
    GPG Key: 71767586 at keyserver pgp.mit.edu, [url]http://www.ganymeta.org/workkey.gpg[/url]
    Jonathan Abbey Guest

  4. #3

    Default Re: LDAP and netgroup

    In article <car0a2$s73@csdsun1.arlut.utexas.edu>, Jonathan Abbey wrote:
    > In article <slrncd0vkv.vp1.spamtotrash@doom.unix-guy.com>,
    > Kevin Collins <spamtotrash@toomuchfiction.com> wrote:
    >| Problem 2)
    >|
    >| We make heavy use of netgroup via NIS and so far my testing is showing that
    >| netgroup use via LDAP is not working. If I try to use "passwd: compat" and
    >| attempt to login via a user id in a defined netgroup in /etc/passwd, I am
    >| unable to login and /var/log/messages shows that the system cannot resolve the
    >| user id. Same thing when I try to use netgroup in a .rhosts file.
    >|
    >| I can successfully query all the data for netgroup with "ldapsearch", so I know
    >| that is not the problem.
    >|
    >| Normal authentication and hosts resolution appear to be working fine...
    >|
    >| Can anyone shed some light on these issues and share any other issues/concerns
    >| that have come up when migrating NIS to LDAP? Almost all of the online
    >| documentation is old and/or vague, especially with regards to netgroup usage.
    >
    > We're trying the same thing here right now. It appears that the
    > Solaris nss_ldap module uses some kind of mangled query dialect when
    > querying for netgroups that will not work with OpenLDAP, though one
    > supposes it does work under the SunONE Directory Server.
    >
    > PADL.com's nss_ldap doesn't provide support for netgroups under LDAP
    > at all, from comments Luke Howard has made on various mailing lists,
    > so it appears that if you want to get netgroups working on Solaris
    > under LDAP the choices are to license Sun's LDAP server or to tackle
    > the project of adding support for netgroups to PADL's nss_ldap and
    > making sure that all of your clients are running with it.
    >
    > This is incredibly frustrating.. it's 2004, and we're still having to
    > run NIS? Ugh.
    Thanks for the response - we are not using Solaris, only Linux and HP-UX, both
    of which are PADL-based.

    We are near the limits with netgroup, which is one of the key motivators in
    looking at LDAP, so it really sucks that this isn't a viable option yet.

    Kevin
    Kevin Collins Guest

  5. #4

    Default Re: LDAP and netgroup

    In article <slrncd3imr.5dd.spamtotrash@doom.unix-guy.com>, Kevin Collins wrote:
    > In article <car0a2$s73@csdsun1.arlut.utexas.edu>, Jonathan Abbey wrote:
    >> In article <slrncd0vkv.vp1.spamtotrash@doom.unix-guy.com>,
    >> Kevin Collins <spamtotrash@toomuchfiction.com> wrote:
    >>| Problem 2)
    >>|
    >>| We make heavy use of netgroup via NIS and so far my testing is showing that
    >>| netgroup use via LDAP is not working. If I try to use "passwd: compat" and
    >>| attempt to login via a user id in a defined netgroup in /etc/passwd, I am
    >>| unable to login and /var/log/messages shows that the system cannot resolve the
    >>| user id. Same thing when I try to use netgroup in a .rhosts file.
    >>|
    >>| I can successfully query all the data for netgroup with "ldapsearch", so I know
    >>| that is not the problem.
    >>|
    >>| Normal authentication and hosts resolution appear to be working fine...
    >>|
    >>| Can anyone shed some light on these issues and share any other issues/concerns
    >>| that have come up when migrating NIS to LDAP? Almost all of the online
    >>| documentation is old and/or vague, especially with regards to netgroup usage.
    >>
    >> We're trying the same thing here right now. It appears that the
    >> Solaris nss_ldap module uses some kind of mangled query dialect when
    >> querying for netgroups that will not work with OpenLDAP, though one
    >> supposes it does work under the SunONE Directory Server.
    >>
    >> PADL.com's nss_ldap doesn't provide support for netgroups under LDAP
    >> at all, from comments Luke Howard has made on various mailing lists,
    >> so it appears that if you want to get netgroups working on Solaris
    >> under LDAP the choices are to license Sun's LDAP server or to tackle
    >> the project of adding support for netgroups to PADL's nss_ldap and
    >> making sure that all of your clients are running with it.
    Just as a follow-up, I finally found that netgroup functionality was not
    supported in PADL-based nss_lib until version 207. Specifically, for RedHat,
    this bug can be referenced here:

    [url]http://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=57123[/url]
    >> This is incredibly frustrating.. it's 2004, and we're still having to
    >> run NIS? Ugh.
    >
    > Thanks for the response - we are not using Solaris, only Linux and HP-UX, both
    > of which are PADL-based.
    >
    > We are near the limits with netgroup, which is one of the key motivators in
    > looking at LDAP, so it really sucks that this isn't a viable option yet.
    Kevin
    Kevin Collins Guest

  6. #5

    Default Re: LDAP and netgroup

    In article <slrncd3vcb.5dd.spamtotrash@doom.unix-guy.com>, Kevin Collins wrote:
    > In article <slrncd3imr.5dd.spamtotrash@doom.unix-guy.com>, Kevin Collins wrote:
    >> In article <car0a2$s73@csdsun1.arlut.utexas.edu>, Jonathan Abbey wrote:
    >>> In article <slrncd0vkv.vp1.spamtotrash@doom.unix-guy.com>,
    >>> Kevin Collins <spamtotrash@toomuchfiction.com> wrote:
    >>>| Problem 2)
    >>>|
    >>>| We make heavy use of netgroup via NIS and so far my testing is showing that
    >>>| netgroup use via LDAP is not working. If I try to use "passwd: compat" and
    >>>| attempt to login via a user id in a defined netgroup in /etc/passwd, I am
    >>>| unable to login and /var/log/messages shows that the system cannot resolve the
    >>>| user id. Same thing when I try to use netgroup in a .rhosts file.
    >>>|
    >>>| I can successfully query all the data for netgroup with "ldapsearch", so I know
    >>>| that is not the problem.
    >>>|
    >>>| Normal authentication and hosts resolution appear to be working fine...
    >>>|
    >>>| Can anyone shed some light on these issues and share any other issues/concerns
    >>>| that have come up when migrating NIS to LDAP? Almost all of the online
    >>>| documentation is old and/or vague, especially with regards to netgroup usage.
    >>>
    >>> We're trying the same thing here right now. It appears that the
    >>> Solaris nss_ldap module uses some kind of mangled query dialect when
    >>> querying for netgroups that will not work with OpenLDAP, though one
    >>> supposes it does work under the SunONE Directory Server.
    >>>
    >>> PADL.com's nss_ldap doesn't provide support for netgroups under LDAP
    >>> at all, from comments Luke Howard has made on various mailing lists,
    >>> so it appears that if you want to get netgroups working on Solaris
    >>> under LDAP the choices are to license Sun's LDAP server or to tackle
    >>> the project of adding support for netgroups to PADL's nss_ldap and
    >>> making sure that all of your clients are running with it.
    >
    > Just as a follow-up, I finally found that netgroup functionality was not
    > supported in PADL-based nss_lib until version 207. Specifically, for RedHat,
    > this bug can be referenced here:
    >
    > [url]http://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=57123[/url]
    >
    >>> This is incredibly frustrating.. it's 2004, and we're still having to
    >>> run NIS? Ugh.
    >>
    >> Thanks for the response - we are not using Solaris, only Linux and HP-UX, both
    >> of which are PADL-based.
    >>
    >> We are near the limits with netgroup, which is one of the key motivators in
    >> looking at LDAP, so it really sucks that this isn't a viable option yet.
    >
    Further followup: I have just tried this NIS to LDAP conversion using RedHat
    Enterprise Linux 3.0, and the netgroup functionality works fine.

    Now I am having trouble querying the mail aliases... Mail seems to be working
    fine and aliases are resolved, but we have a few scripts that query NIS mail
    aliases via ypmatch. When I attempt to use ldapsearch, I can't match based on a
    "cn=...".

    Kevin
    > Kevin
    Kevin Collins Guest
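Added example, not from the thread and not PADL's, Red Hat's or the migrationtools code: a shell helper that turns the NIS netgroup and mail.aliases maps, in the "key value" form printed by `ypcat -k MAP`, into RFC 2307 LDIF (nisNetgroup with nisNetgroupTriple / memberNisNetgroup, nisMailAlias with rfc822MailMember), plus an offline stand-in for the `ypmatch NAME mail.aliases` lookup run against that LDIF. The base DN `dc=example,dc=com`, the `ou=Netgroup` and `ou=Aliases` containers and both map dumps are constructed assumptions. When aliases are stored this way, the ldapsearch equivalent of ypmatch is a filter on `(&(objectClass=nisMailAlias)(cn=NAME))` that returns `rfc822MailMember`; a search on `cn=NAME` alone only works if the entries actually carry the alias name in `cn`, which is what this conversion guarantees.

```sh
#!/bin/sh
# Constructed example: NIS map dumps ("key value" lines as printed by
# "ypcat -k MAP") -> RFC 2307 LDIF for nss_ldap / OpenLDAP's nis.schema.
BASE="dc=example,dc=com"          # assumed base DN, not from the thread

# netgroup_ldif < "ypcat -k netgroup" output
# NIS:  trusted (host1,,example.com) (host2,user2,) ops
# LDIF: one nisNetgroup entry per line; each "(host,user,domain)" becomes a
#       nisNetgroupTriple, each bare word a memberNisNetgroup (nested group).
netgroup_ldif() {
    awk -v base="ou=Netgroup,$BASE" '
        NF == 0 { next }
        {
            printf "dn: cn=%s,%s\nobjectClass: nisNetgroup\nobjectClass: top\ncn: %s\n", $1, base, $1
            for (i = 2; i <= NF; i++)
                if ($i ~ /^\(/) { printf "nisNetgroupTriple: %s\n", $i }
                else            { printf "memberNisNetgroup: %s\n", $i }
            print ""
        }'
}

# aliases_ldif < "ypcat -k mail.aliases" output
# NIS:  staff alice@example.com, bob, ops
# LDIF: one nisMailAlias entry per line, one rfc822MailMember per member.
aliases_ldif() {
    awk -v base="ou=Aliases,$BASE" '
        NF < 2 { next }
        {
            name = $1; $1 = ""
            printf "dn: cn=%s,%s\nobjectClass: nisMailAlias\nobjectClass: top\ncn: %s\n", name, base, name
            n = split($0, m, /[ \t]*,[ \t]*|[ \t]+/)
            for (i = 1; i <= n; i++)
                if (m[i] != "") printf "rfc822MailMember: %s\n", m[i]
            print ""
        }'
}

# ldif_lookup CN ATTR < ldif: print the ATTR values of the entry whose cn is CN.
# Offline stand-in for the query the ypmatch replacement sends to the directory:
#   ldapsearch -x -LLL -b "ou=Aliases,$BASE" \
#       "(&(objectClass=nisMailAlias)(cn=CN))" rfc822MailMember
ldif_lookup() {
    awk -v cn="$1" -v attr="$2" '
        BEGIN { RS = ""; FS = "\n" }
        {
            hit = 0
            for (i = 1; i <= NF; i++) if ($i == "cn: " cn) hit = 1
            if (!hit) next
            for (i = 1; i <= NF; i++)
                if (index($i, attr ": ") == 1) print substr($i, length(attr) + 3)
        }'
}

# --- constructed map dumps standing in for "ypcat -k" output ---
NETGROUP_MAP='trusted (host1,,example.com) (host2,user2,) ops
ops (host3,,example.com)'
ALIASES_MAP='staff alice@example.com, bob, ops
ops carol'

printf '%s\n' "$NETGROUP_MAP" | netgroup_ldif
printf '%s\n' "$ALIASES_MAP"  | aliases_ldif
echo "== ypmatch staff mail.aliases, answered from the LDIF:"
printf '%s\n' "$ALIASES_MAP"  | aliases_ldif | ldif_lookup staff rfc822MailMember
```

Feed the real `ypcat -k` output through the two converters and load the result with ldapadd; nested netgroups are carried over as memberNisNetgroup, so the nested members resolve only if every referenced group is loaded as well.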
