Groups not showing when connecting to LDAP

Hi guys, not sure if this is related to TrueNAS or is probably some other problem. I’m a student and this is coursework; I know it’s probably not practical, but the teacher requires this.

I used ApacheDS to create an LDAP server, and used the nis schema to create a posixGroup and a posixAccount. When connecting TrueNAS to my LDAP server, in the permission page I can see the LDAP users, but nothing shows in the group. “getent passwd” shows the users created within the LDAP server, but “getent group” returns nothing. “groups username” returns the username with “can not find name for group ID”.

What’s more, on the same machine I have openLDAP installed, which works fine; both posixAccount and posixGroup show correctly in TrueNAS. The only difference between the two is that openLDAP uses port 389 while ApacheDS uses 10389. Not sure if that matters.

I did some research; it seems everyone else’s problem is that they can see neither users nor groups, or they can see both. I’m not sure why it only shows users for me but no groups.

When I read more, it seems to be something to do with the “nsswitch” settings, but I can still get usernames in the dropdown box? Also, if both openLDAP and ApacheDS are on the same machine, how can one work fine but the other not?

This has been bothering me for a week now… Please help or give me some insight into how the groups work. Thanks in advance.

Not having groups visible (but users are visible) would mean one of two things:

  1. Groups are missing required attributes, posixGroup and gidNumber for example.
  2. GID assigned via gidNumber is not permitted on TrueNAS (less than 1000).
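As an added illustration of the two checks in this reply (example code, not from the thread or from TrueNAS), here is a small Python script that parses the LDIF an ldapsearch for posixGroup entries prints and flags entries that lack the posixGroup object class or a gidNumber, or whose gidNumber is below 1000. The sample LDIF, group names and DNs are constructed for the example.

```python
import re

MIN_GID = 1000  # from the reply above: GIDs below 1000 are not permitted on TrueNAS

# Constructed sample LDIF in the shape the ldapsearch command in this thread prints;
# the group names, DNs and values are made up for this example.
SAMPLE_LDIF = """\
dn: cn=students,ou=groups,dc=group1,dc=com
objectClass: posixGroup
cn: students
gidNumber: 10001

dn: cn=staff,ou=groups,dc=group1,dc=com
objectClass: posixGroup
cn: staff
gidNumber: 500

dn: cn=labs,ou=groups,dc=group1,dc=com
objectClass: groupOfNames
cn: labs
member: uid=alice,ou=people,dc=group1,dc=com
"""

def parse_ldif(text):
    """Parse LDIF into entries (attr -> values); folded lines are joined, base64 stays undecoded."""
    entries = []
    for block in re.split(r"\n\s*\n", text.strip().replace("\n ", "")):
        entry = {}
        for line in block.splitlines():
            if line and not line.startswith("#"):
                name, _, value = line.partition(":")
                entry.setdefault(name.strip(), []).append(value.strip())
        entries.append(entry)
    return entries

def check_group(entry):
    """Return the reasons nss_ldap would not expose this entry as a POSIX group."""
    problems = []
    if "posixGroup" not in entry.get("objectClass", []):
        problems.append("missing objectClass posixGroup")
    gid = entry.get("gidNumber", [""])[0]
    if not gid.isdigit():
        problems.append("missing or non-numeric gidNumber")
    elif int(gid) < MIN_GID:
        problems.append(f"gidNumber {gid} is below {MIN_GID}")
    return problems

def audit_groups(ldif):  # DN -> list of problems; an empty list means the group looks usable
    return {e["dn"][0]: check_group(e) for e in parse_ldif(ldif)}
```

Feed it the real output of the ldapsearch command (for example via `audit_groups(open("groups.ldif").read())`) to see which of the two causes applies to each group.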

Hi awalkerix,

Thanks for your help.

After some research I first thought it was the gidNumber problem too, but on the openLDAP server the default gidNumber was 500 and it shows okay; on my own created ApacheDS server, even if I change it to 10001 it still doesn’t show.

From Apache Studio I can see the attributes for both servers; they look identical to me. Not sure what happened.

Left is openLDAP, right is my ApacheDS server.

Is there any other possible issues?

When in the shell I type
ldapsearch -H ldap:// -x -b "dc=group1,dc=com" "objectClass=posixGroup"
it shows the above, the 2 groups. But still nothing shows in the permission dropdown box….

If nss_ldap isn’t getting the groups then everything else is a non-starter. You can tweak the log level in the LDAP options field in our UI. See the syntax for the log setting here: nss-pam-ldapd: nslcd.conf(5) manual page

Do note that LDAP integration may be of only limited utility. It can be used as a stand-in for NIS in legacy NFS setups, but it won’t provide authentication unless you have kerberos components. It will also not provide SMB access.

Generally, if users need full-featured directory services integration we recommend using Active Directory.

One other thing to verify is that the correct basedn is set in your LDAP configuration. This will be used as the search base for users and groups.

I was thinking it might be an nss issue, as I changed the nss_ldap for openLDAP but I’m not too sure if ApacheDS uses the same file. Could you give me some idea about nss: is it on the server side or the client side?

For the coursework LDAP is enough; I know it’s not ideal in the real world but it’s okay for class…

I did put memberUid in and tested; still nothing shows. And in openLDAP, even with no member in the group it still shows in the dropdown box.

I think I’ve reached the conclusion that nss is the issue; I will dig more into it.

Thanks for your help!

You shouldn’t have to manually touch any of those files if the LDAP server is RFC-compliant.

ApacheDS does support the nis schema (rfc2307), but rfc2307bis doesn’t have “posixGroup” as an auxiliary object class. I’m not sure if it’s a version issue. Now I’m trying to create my own schema to add posixGroup to groupOfNames to see if it works; hope so.