[Date Prev][Date Next] [Chronological] [Thread] [Top]

LDAP + PAM + NSS with groups local and in LDAP

To: <openldap-technical@openldap.org>
Subject: LDAP + PAM + NSS with groups local and in LDAP
From: "John Kane" <john.kane@prodeasystems.com>
Date: Wed, 18 Feb 2009 11:29:49 -0600
Content-class: urn:content-classes:message
Thread-index: AcmR7n/2BEIbGEs1TUObQMVl/dKlBQ==
Thread-topic: LDAP + PAM + NSS with groups local and in LDAP

I am using LDAP + PAM + NSS on Linux, and am trying to use groups
defined locally as well as in LDAP.  These groups are for (critical)
apps that run on the Linux systems.  I want to define the group locally
as to not have issues when and if LDAP is unavailable.  But to manage
group members, I want to define the same groups (and gids) in LDAP.  

The problem is that the group members cannot 'newgrp' to groups in which
they are members (LDAP defined) if the groups exists locally.

It appears that when the group is defined locally, the server does not
check LDAP for group members. In the following example, user 'tester' is
a member of groups 'postgres' and 'testgrp' (defined in LDAP), and the
group 'testgrp' is also defined locally:

[tester]$ groups
postgres testgrp 

[tester]$ grep testgrp /etc/group
[tester]$ getent group testgrp
testgrp:x:110:tester 

[tester]$ grep postgres /etc/group 
postgres:x:110:
[tester]$ grep postgres /etc/gshadow
postgres:!::
[tester]$ getent group postgres
postgres:x:101:

As you can see, 'getent group' shows 'tester' is NOT a member of
postgres, although 'groups' shows he is.


My /etc/nsswitch.conf has:

passwd:    files ldap
shadow:    files ldap
group:     files ldap



PAM /etc/pam.d/system-auth has:

# testing for groups local and in ldap - 022809
auth        required      /lib/security/$ISA/pam_group.so debug
use_first_pass
#
auth        required      /lib/security/$ISA/pam_env.so
auth        sufficient    /lib/security/$ISA/pam_unix.so likeauth nullok
nodelay
auth        sufficient    /lib/security/$ISA/pam_ldap.so use_first_pass
auth        required      /lib/security/$ISA/pam_deny.so


And, in LDAP:

[tester]$ ldapsearch -x -b 'ou=groups,o=partner_x,dc=example,dc=net'
'cn=postgres'
# extended LDIF
#
# LDAPv3
# base <ou=groups,o=partner_x,dc= example,dc=net> with scope subtree
# filter: cn=postgres
# requesting: ALL
#

# postgres, groups, partner_x, example.net
dn: cn=postgres,ou=groups,o=partner_x,dc=example,dc=net
objectClass: top
objectClass: posixGroup
cn:: cG9zdGdyZXMg
gidNumber: 110
memberUid: tester
description: Postgres DB Group


Thanks in advance for any help.

John







This message is confidential to Prodea Systems, Inc unless otherwise indicated 
or apparent from its nature. This message is directed to the intended recipient 
only, who may be readily determined by the sender of this message and its 
contents. If the reader of this message is not the intended recipient, or an 
employee or agent responsible for delivering this message to the intended 
recipient:(a)any dissemination or copying of this message is strictly 
prohibited; and(b)immediately notify the sender by return message and destroy 
any copies of this message in any form(electronic, paper or otherwise) that you 
have.The delivery of this message and its information is neither intended to be 
nor constitutes a disclosure or waiver of any trade secrets, intellectual 
property, attorney work product, or attorney-client communications. The 
authority of the individual sending this message to legally bind Prodea Systems  
is neither apparent nor implied,and must be independently verified.

Prev by Date: Re: password encryption question
Next by Date: RE: Usermod problems with ldap
Index(es):
- Chronological
- Thread