# nss_ldap: id shows only primary group

## reinhard (Mar 19, 2014)

Hello!

FreeBSD 10.0-RELEASE, nss_ldap-1.265_9
/etc/nsswitch.conf

```
group: files ldap
hosts: files dns
networks: files
passwd: files ldap
shells: files
services: compat
services_compat: nis
protocols: files
rpc: files
```

/usr/local/etc/ldap.conf
/usr/local/etc/nss_ldap.conf

```
base dc=helmi,dc=ru
uri ldapi://%2fvar%2frun%2fopenldap%2fldapi/ ldap://127.0.0.1/ 
ldap_version 3
nss_base_group  ou=Groups,dc=helmi,dc=ru?one
nss_base_passwd ou=People,dc=helmi,dc=ru?one
nss_base_passwd ou=Computers,dc=helmi,dc=ru?one
nss_base_shadow ou=People,dc=helmi,dc=ru?one
port 389
scope one
timelimit 30
bind_policy soft
nss_connect_policy persist
idle_timelimit 3600
```


/usr/local/etc/openldap/slapd.conf

```
include		/usr/local/etc/openldap/schema/core.schema
include         /usr/local/etc/openldap/schema/cosine.schema
include         /usr/local/etc/openldap/schema/inetorgperson.schema
include         /usr/local/etc/openldap/schema/misc.schema
include         /usr/local/etc/openldap/schema/nis.schema
include         /usr/local/etc/openldap/schema/openldap.schema
include         /usr/local/etc/openldap/schema/samba.schema
pidfile		/var/run/openldap/slapd.pid
argsfile	/var/run/openldap/slapd.args
modulepath	/usr/local/libexec/openldap
moduleload	back_bdb
database	bdb
suffix          "dc=helmi,dc=ru"
rootdn          "cn=Manager,dc=helmi,dc=ru"
rootpw          secret
directory	/var/db/openldap-data
index	objectClass	eq
index   cn              pres,sub,eq
index   sn              pres,sub,eq
index   uid             pres,sub,eq
index   displayName     pres,sub,eq
index   uidNumber               eq
index   gidNumber               eq
index   memberUID               eq
index   sambaSID                eq
index   sambaPrimaryGroupSID    eq
index   sambaDomainName         eq
index   default                 sub
syncrepl rid=000 
  provider=ldap://192.168.1.210
  type=refreshAndPersist
  retry="5 5 300 +" 
  searchbase="dc=helmi,dc=ru"
  attrs="*,+"
  bindmethod=simple
  binddn="uid=replicator,ou=People,dc=helmi,dc=ru"
  credentials=secret
```

`getent group` works ok:

```
root@orkgw:/usr/local/etc # getent group bit
bit:*:1007:bit5,bit7,evil,bbs,org3,bit3,bit9,bit11,bit2,bit4,org2,bit8,bit2a,bit1,bit6,bit40,smiler,kta,bit12,alex,bit20,bit10,van,bitdirek
```

but `id` only shows primary group:

```
root@orkgw:/usr/local/etc # id bit5
uid=1006(bit5) gid=1002(helmi) groups=1002(helmi)
```

I've found http://lists.freebsd.org/pipermail/freebsd-stable/2010-February/055424.html, but uncommenting the line `nss_map_attribute uniqueMember member` does not help me. On FreeBSD 9.1-RELEASE with the same LDAP database (master replica) `id` works OK.
Any suggestions?
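The symptom above is a disagreement between two NSS entry points: `getent group` enumerates with getgrent(3), while `id` builds its list with getgrouplist(3), so a module whose membership lookup path is broken can pass the first check and fail the second. Because group-based authorization (`AllowGroups` in sshd, `wheel` for su, group-owned files) relies on the getgrouplist path, that mismatch silently changes who is allowed to do what. The script below is an added example, not code from the thread: it parses `getent group`-style lines, derives the groups a user should be in, and lists the ones missing from `id -Gn`. The sample group lines (`helmi`, `bit`, `wheel`) are constructed to mirror the post; `--live` runs the same comparison against the host's real NSS stack.

```shell
#!/bin/sh
# Added diagnostic (not from the original thread): compare the groups that
# the group database lists for a user with what `id -Gn` reports.

# Constructed sample of `getent group` output: the thread's `bit` group
# (gid 1007) plus an assumed primary group `helmi` (1002) and local `wheel`.
SAMPLE_GROUPS='helmi:*:1002:
bit:*:1007:bit5,bit7,evil,bbs
wheel:*:0:root,alex'

# groups_from_db USER GID
#   Reads group(5)-format lines on stdin and prints, one per line, every
#   group whose gid equals USER's primary GID or whose member list names USER.
groups_from_db() {
    user=$1; gid=$2
    awk -F: -v u="$user" -v g="$gid" '
        {
            if ($3 == g) { print $1; next }     # primary group
            n = split($4, m, ",")                # supplementary members
            for (i = 1; i <= n; i++)
                if (m[i] == u) { print $1; break }
        }'
}

# missing_groups USER GID ID_OUTPUT
#   Reads group(5)-format lines on stdin; ID_OUTPUT is the space-separated
#   list `id -Gn USER` prints. Prints each expected group absent from it.
missing_groups() {
    user=$1; gid=$2; id_out=$3
    for grp in $(groups_from_db "$user" "$gid"); do
        case " $id_out " in
            *" $grp "*) ;;                       # id(1) agrees
            *) printf '%s\n' "$grp" ;;           # dropped by getgrouplist path
        esac
    done
}

# Live check against the real NSS stack:  sh check_groups.sh --live bit5
# With no arguments the script only defines the functions above.
if [ "${1-}" = "--live" ]; then
    u=${2-}
    g=$(id -g "$u")
    getent group | missing_groups "$u" "$g" "$(id -Gn "$u")"
fi
```

On the poster's host, `--live bit5` would print `bit` (and any other group naming `bit5`) if only the getgrouplist side is broken; an empty result means the two NSS paths agree and the problem lies elsewhere.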


----------



## SirDice (Mar 19, 2014)

Did you check for the presence of a local account named `bit5`, or a local group named `bit`? The nsswitch.conf says to look there first. It may have been accidentally created?


----------



## reinhard (Mar 20, 2014)

SirDice said:

> Did you check for the presence of a local account named `bit5`, or a local group named `bit`? The nsswitch.conf says to look there first. It may have been accidentally created?



There is no `bit5` account and no `bit` group in local files:
/etc/passwd

```
root:*:0:0:Charlie &:/root:/bin/csh
toor:*:0:0:Bourne-again Superuser:/root:
daemon:*:1:1:Owner of many system processes:/root:/usr/sbin/nologin
operator:*:2:5:System &:/:/usr/sbin/nologin
bin:*:3:7:Binaries Commands and Source:/:/usr/sbin/nologin
tty:*:4:65533:Tty Sandbox:/:/usr/sbin/nologin
kmem:*:5:65533:KMem Sandbox:/:/usr/sbin/nologin
games:*:7:13:Games pseudo-user:/usr/games:/usr/sbin/nologin
news:*:8:8:News Subsystem:/:/usr/sbin/nologin
man:*:9:9:Mister Man Pages:/usr/share/man:/usr/sbin/nologin
sshd:*:22:22:Secure Shell Daemon:/var/empty:/usr/sbin/nologin
smmsp:*:25:25:Sendmail Submission User:/var/spool/clientmqueue:/usr/sbin/nologin
mailnull:*:26:26:Sendmail Default User:/var/spool/mqueue:/usr/sbin/nologin
bind:*:53:53:Bind Sandbox:/:/usr/sbin/nologin
unbound:*:59:59:Unbound DNS Resolver:/var/unbound:/usr/sbin/nologin
proxy:*:62:62:Packet Filter pseudo-user:/nonexistent:/usr/sbin/nologin
_pflogd:*:64:64:pflogd privsep user:/var/empty:/usr/sbin/nologin
_dhcp:*:65:65:dhcp programs:/var/empty:/usr/sbin/nologin
uucp:*:66:66:UUCP pseudo-user:/var/spool/uucppublic:/usr/local/libexec/uucp/uucico
pop:*:68:6:Post Office Owner:/nonexistent:/usr/sbin/nologin
auditdistd:*:78:77:Auditdistd unprivileged user:/var/empty:/usr/sbin/nologin
www:*:80:80:World Wide Web Owner:/nonexistent:/usr/sbin/nologin
hast:*:845:845:HAST unprivileged user:/var/empty:/usr/sbin/nologin
nobody:*:65534:65534:Unprivileged user:/nonexistent:/usr/sbin/nologin
alex:*:1001:1001:Alex:/home/alex:/usr/local/bin/bash
ldap:*:389:389:OpenLDAP Server:/nonexistent:/usr/sbin/nologin
```

/etc/group

```
wheel:*:0:root,alex
daemon:*:1:
kmem:*:2:
sys:*:3:
tty:*:4:
operator:*:5:root
mail:*:6:
bin:*:7:
news:*:8:
man:*:9:
games:*:13:
ftp:*:14:
staff:*:20:
sshd:*:22:
smmsp:*:25:
mailnull:*:26:
guest:*:31:
bind:*:53:
unbound:*:59:
proxy:*:62:
authpf:*:63:
_pflogd:*:64:
_dhcp:*:65:
uucp:*:66:
dialer:*:68:
network:*:69:
audit:*:77:
www:*:80:
hast:*:845:
nogroup:*:65533:
nobody:*:65534:
alex:*:1001:
ldap:*:389:
```


----------

