bloguillard | 13 Mar 2012 17:13

check group membership locally and also in ldap

Hello,

I have configured a Red Hat box to authenticate users against an
OpenLDAP server. "System" accounts (uid > 500) are not
created in LDAP but are authenticated against the local password db.

system-auth:
...
auth        required      pam_env.so
auth        sufficient    pam_unix.so nullok try_first_pass
auth        requisite     pam_succeed_if.so uid >= 500 quiet
auth        sufficient    pam_sss.so use_first_pass
auth        required      pam_deny.so
...

My LDAP directory also contains posixGroups.

I noticed that if I configure a local system account to use
an LDAP GID, then the user is properly registered as a member
of this group as well as of any other groups it would be a member
of locally (declared in /etc/group).

But if I declare in the local /etc/passwd a local group as the
primary group for that user, then the user is not registered as a
member of any LDAP group it would be "subscribed" to.

QUESTION: is there any way to configure PAM so that the
user's group list includes the LDAP groups the user is a member of
as well as the local groups, even if the primary group of that user
is local?

Stef Bon | 13 Mar 2012 17:37

Re: check group membership locally and also in ldap

Isn't this an NSS question, and not a PAM one?

Stef

2012/3/13 bloguillard <blog <at> guillard.nom.fr>:
> Hello,
>
> I have configured a Red Hat box to authenticate users against an
> OpenLDAP server. "System" accounts (uid > 500) are not
> created in LDAP but are authenticated against the local password db.
>
> system-auth:
> ...
> auth        required      pam_env.so
> auth        sufficient    pam_unix.so nullok try_first_pass
> auth        requisite     pam_succeed_if.so uid >= 500 quiet
> auth        sufficient    pam_sss.so use_first_pass
> auth        required      pam_deny.so
> ...
>
> My LDAP directory also contains posixGroups.
>
> I noticed that if I configure a local system account to use
> an LDAP GID, then the user is properly registered as a member
> of this group as well as of any other groups it would be a member
> of locally (declared in /etc/group).
>
> But if I declare in the local /etc/passwd a local group as the
> primary group for that user, then the user is not registered as a
> member of any LDAP group it would be "subscribed" to.

bloguillard | 13 Mar 2012 20:49

Re: check group membership locally and also in ldap

Oops: you are right.

I had written in nsswitch.conf:

group:    sss files

instead of

group:    files sss

And I obtain (more or less) what I want.

Thanks !

---
Olivier

2012/3/13 Stef Bon :
> Isn't this an NSS question, and not a PAM one?
>
> Stef
>
> 2012/3/13 bloguillard <blog <at> guillard.nom.fr>:
>> Hello,
>>
>> I have configured a Red Hat box to authenticate users against an
>> OpenLDAP server. "System" accounts (uid > 500) are not
>> created in LDAP but are authenticated against the local password db.
>>
>> system-auth:
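The two settings this thread turns on, the service order of the passwd/group databases in nsswitch.conf (the fix in the last reply) and the pam_succeed_if uid gate placed in front of pam_sss.so in the stack quoted in the first post, are worth checking mechanically rather than by eye. The script below is an added example and is not code from the thread, from sssd or from glibc. It operates on constructed config strings that mirror what Olivier posted (nothing is read from disk; the RHEL paths appear only in comments), and the function names are the author's own. Besides the order problem from the thread it also flags the more general hazard of the same ordering: with `sss` before `files`, a directory entry that shares a name or id with a local account or group wins the lookup, because glibc stops at the first service that answers.

```python
"""Audit nsswitch.conf service order and the PAM uid gate in front of pam_sss.so.

Added example, not code from the thread, sssd or glibc.  All input is
constructed inline; nothing is read from /etc.
"""
import re
from typing import Optional

# Constructed: the poster's original nsswitch.conf (group: sss files).
NSSWITCH_BEFORE = """\
# /etc/nsswitch.conf -- constructed, as first posted
passwd:     files sss
shadow:     files sss
group:      sss files
"""

# Constructed: the corrected order from the follow-up (group: files sss).
NSSWITCH_AFTER = """\
passwd:     files sss
shadow:     files sss
group:      files sss
"""

# Constructed: same order with an explicit action block, to show that the
# parser keeps the service order and drops the [...] control word.
NSSWITCH_WITH_ACTION = "group: files [NOTFOUND=return] sss\n"

# The auth section the poster quoted from /etc/pam.d/system-auth.
SYSTEM_AUTH = """\
auth        required      pam_env.so
auth        sufficient    pam_unix.so nullok try_first_pass
auth        requisite     pam_succeed_if.so uid >= 500 quiet
auth        sufficient    pam_sss.so use_first_pass
auth        required      pam_deny.so
"""

_ACTION_RE = re.compile(r"\[[^\]]*\]")        # e.g. [NOTFOUND=return]
_UID_GATE_RE = re.compile(r"uid\s*(>=?)\s*(\d+)")


def parse_nsswitch(text: str) -> dict[str, list[str]]:
    """Map each database name to its services in lookup order.

    glibc tries the services left to right and by default stops at the first
    one that answers, so the order is the precedence.  Action blocks such as
    [NOTFOUND=return] alter control flow but are not services; drop them.
    """
    dbs: dict[str, list[str]] = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if ":" not in line:
            continue
        db, _, services = line.partition(":")
        dbs[db.strip()] = _ACTION_RE.sub(" ", services).split()
    return dbs


def parse_pam_auth(text: str) -> list[tuple[str, str, list[str]]]:
    """Return (control, module, args) for every 'auth' line, in stack order."""
    stack = []
    for raw in text.splitlines():
        parts = raw.split("#", 1)[0].split()
        if len(parts) >= 3 and parts[0] == "auth":
            stack.append((parts[1], parts[2], parts[3:]))
    return stack


def sss_uid_gate(pam_text: str) -> Optional[int]:
    """Lowest uid that can reach pam_sss.so in the auth stack, or None.

    Only a required/requisite pam_succeed_if.so carrying a 'uid >= N' or
    'uid > N' test that sits before pam_sss.so counts as a gate.
    """
    gate: Optional[int] = None
    for control, module, args in parse_pam_auth(pam_text):
        if module == "pam_succeed_if.so" and control in ("required", "requisite"):
            m = _UID_GATE_RE.search(" ".join(args))
            if m:
                gate = int(m.group(2)) + (0 if m.group(1) == ">=" else 1)
        elif module == "pam_sss.so":
            return gate
    return None


def audit(nss_text: str, pam_text: str) -> list[str]:
    """Findings for the misconfigurations discussed in the thread."""
    findings = []
    dbs = parse_nsswitch(nss_text)
    for db in ("passwd", "group"):
        order = dbs.get(db, [])
        if "sss" in order and "files" in order and order.index("sss") < order.index("files"):
            findings.append(f"{db}: 'sss' is listed before 'files', so a directory "
                            f"entry with the same name or id shadows the local one")
    if (dbs.get("passwd") or [None])[0] != (dbs.get("group") or [None])[0]:
        findings.append("passwd and group start with different services; local users "
                        "and local groups do not resolve with the same precedence")
    uses_sss = any(m == "pam_sss.so" for _, m, _ in parse_pam_auth(pam_text))
    if uses_sss and sss_uid_gate(pam_text) is None:
        findings.append("auth: no uid gate in front of pam_sss.so; local system "
                        "accounts can fall through to the directory")
    return findings


if __name__ == "__main__":
    for label, nss in (("before", NSSWITCH_BEFORE), ("after", NSSWITCH_AFTER)):
        print(label, audit(nss, SYSTEM_AUTH) or ["ok"])
```

Run against the "before" config it reports the `group:` order and the passwd/group mismatch; against the corrected one it reports nothing, because the uid gate is present and both databases consult `files` first. The gate value is read from the config rather than hard-coded, since the local/directory uid boundary is a site choice (the poster's stack uses 500).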
