
Re: OpenLDAP groups and Unix users



On Sunday 12 April 2009 16:49:40 Stephen Parry wrote:
> Thanks in advance for any answers to this query, and thanks to the geniuses
> who wrote and maintain OpenLDAP.
>
> I have OpenLDAP running on my Ubuntu Intrepid server. I have installed the
> various PAM and NSS bits and pieces to allow integrated authentication.

It may be useful to specify the actual software names, as Debian/Ubuntu AFAIK 
ships two different nss plugins for LDAP.

> I
> can now use users and groups stored in LDAP database to do shell logins,
> permission files and authenticate Apache secure connections (hooray!). It
> also is set up so that Unix user accounts and groups still function outside
> of LDAP as expected.
>
> However, there is one quirk to this. I can make LDAP users members of Unix
> groups and this works fine.

Users defined in LDAP can still be Unix groups. I think it is more precise to 
refer to users defined in the local files as "local users".

> I cannot however do the equivalent: make Unix
> users working members of LDAP groups. I can put them in the groups, but
> the system command "id -nG" does not list the LDAP groups and the
> filesystem fails to pick up the permissions.

Works here. Are you using nscd? If so, have you invalidated its cache (or 
tested without nscd running)?

Did you really only use 'id -nG' (which uses the group memberships of the 
currently running process), or did you use 'id -nG $USER' (which does a new 
lookup)? You should start a new shell/login after changing the groups of a 
user (whether it is defined locally, or remotely).

Have you (or some tool, or some defaults) previously configured nss_ldap 
(assuming you're using it) to not lookup groups in LDAP for the user in 
question? It may be useful to post your nss_ldap ldap.conf.

> Is this behaviour by design?

No.

> Can the relevant modules be configured to
> allow LDAP groups have Unix users as members?

Users and groups in LDAP *are* Unix groups ... there are some things that 
don't work by default, but this case should.

Regards,
Buchan
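The diagnostic steps Buchan suggests (a fresh lookup with `id -nG $USER` rather than bare `id -nG`, and clearing nscd's cache) can be scripted so that the process-style lookup is compared against a direct walk of the NSS group database. The script below is an added example, not part of the thread or of OpenLDAP; it assumes a Linux host with `id`, `getent`, `awk`, `sort`, `comm` and `mktemp`, and treats `nscd` as optional. Any group that shows up in one listing but not the other is exactly the kind of membership that is "in the groups" on paper but not reaching the filesystem.

```sh
#!/bin/sh
# Added example (not from the thread). Assumes a Linux host with id, getent,
# awk, sort, comm and mktemp; nscd is optional.

# Group names from a fresh NSS lookup for the named user. This is what
# `id -nG $USER` does, as opposed to bare `id -nG`, which only reports the
# groups already attached to the running process.
groups_via_id() {
    id -nG "$1" 2>/dev/null | tr ' ' '\n' | sort -u
}

# Group names found by walking the NSS group database directly: the user's
# primary group (gid field of passwd) plus every group whose member list
# (field 4 of group) names the user. With nss_ldap configured, this
# enumeration goes through LDAP as well as /etc/group.
groups_via_getent() {
    user=$1
    {
        gid=$(getent passwd "$user" | cut -d: -f4)
        [ -n "$gid" ] && getent group "$gid" | cut -d: -f1
        getent group | awk -F: -v u="$user" '{
            n = split($4, m, ",")
            for (i = 1; i <= n; i++) if (m[i] == u) print $1
        }'
    } | sort -u
}

# Names present in one listing but not the other. Empty output means the
# process-style lookup and the database walk agree; anything printed is a
# group the user is in on paper but is not getting at login (or vice versa).
compare_groups() {
    a=$(mktemp) || return 1
    b=$(mktemp) || return 1
    groups_via_id "$1" >"$a"
    groups_via_getent "$1" >"$b"
    comm -3 "$a" "$b"
    rm -f "$a" "$b"
}

# Drop nscd's cached passwd and group tables so the next lookup hits NSS
# (and therefore LDAP) again. Needs root; a no-op when nscd is not installed.
flush_nscd() {
    if command -v nscd >/dev/null 2>&1; then
        nscd -i passwd
        nscd -i group
    fi
}

# Usage: check_user alice   (prints nothing when the two views agree)
check_user() {
    flush_nscd
    compare_groups "$1"
}
```

Run `check_user` for the local user that is supposed to be in an LDAP group; if the LDAP group appears only in the `groups_via_getent` column (the tab-indented side of the `comm` output), the group entry is visible through NSS but the `initgroups` path is not picking it up, which points at nscd caching, a stale login session, or an nss_ldap setting that restricts group lookups for that user.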