Re: problem about smooth migration from files to ldap
On Mar 12, 2012, at 7:17 PM, huwenfeng wrote:
> Hi all:
> I got a non-technical problem here.
> I have managed to solve the problem of using OpenLDAP to store user and group information and have successfully logged into Linux servers using OpenLDAP.
> On the Linux server, I have LOCAL groups named like `devel` and `www`, and LOCAL users belonging to these groups. Through the /etc/sudoers file, I give different groups different privileges.
> In the OpenLDAP database, I defined my own `devel` and `www` groups, and users in OpenLDAP belong to their corresponding groups.
> The problem is, if I add ldap to /etc/nsswitch.conf, then only the first pair of (users/groups) gets the right privileges from /etc/sudoers. That means, if I put `ldap` before `files`, only the users logging in through OpenLDAP can use the privileges defined in /etc/sudoers. But if I put `files` before `ldap` in /etc/nsswitch.conf, then only the local (users/groups) pair gets the privileges from /etc/sudoers.
> I have a bad solution here: give different names to the groups from OpenLDAP, define new privileges in /etc/sudoers for these groups, and after migration delete the old local groups and old sudo privileges. But this does not seem to be that good a solution.
> I wonder, what might be the best or right way to migrate from (local user/group) to (ldap user/group) smoothly.
> Any clue or advice will be greatly appreciated.
> Thank you in advance.
nsswitch.conf is not part of the OpenLDAP software; generally you just add 'ldap' to the existing entries, but if you have questions regarding the behavior of nsswitch, you should probably ask PADL/PAM-LDAP or your distribution.
It's probably not a good idea to duplicate entries (same user) in LDAP & /etc/passwd, and doing so can lead to unpredictable behavior. There's nothing that prevents you from adding LDAP users into /etc/group, and in a few cases I do this (primarily for database files and backup).
Respect the division between /etc/passwd (typically system users and groups) and LDAP (active users and groups). Provided you have properly configured PAM modules (again, not an OpenLDAP discussion), there shouldn't be a problem with LDAP users & groups in /etc/sudoers.
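An added example, not part of the thread above, illustrating the behaviour the original poster ran into and the check the reply implies: NSS returns the entry from the first source listed in nsswitch.conf that knows the name, so a group defined in both /etc/group and LDAP is resolved from only one of them, and sudoers membership follows that one. The script emulates the lookup order on constructed sample data (the `files` and `ldap` group lines are made up for this example) and lists the names that collide between the two sources, which is exactly what needs to be cleaned up before the migration.

```shell
#!/bin/sh
# Added example, not from the original mailing-list thread.
# Constructed sample data in getent(1) group format. On a real host the
# "files" side is /etc/group and the "ldap" side would come from
# `getent -s ldap group` once nss_ldap/sssd is configured.
LOCAL_GROUP='root:x:0:
devel:x:1001:alice
www:x:1002:bob'

LDAP_GROUP='devel:*:20001:carol
www:*:20002:dave
dba:*:20003:erin'

# nss_lookup NAME "ORDER" FILES_DATA LDAP_DATA
# Emulates the nsswitch.conf rule: walk the sources in ORDER and return the
# first matching line. Whichever source is listed first "owns" the name;
# the other source's entry (and its members) is never consulted.
nss_lookup() {
    name=$1
    for src in $2; do
        case $src in
            files) data=$3 ;;
            ldap)  data=$4 ;;
            *)     continue ;;
        esac
        hit=$(printf '%s\n' "$data" | awk -F: -v n="$name" '$1 == n { print; exit }')
        if [ -n "$hit" ]; then
            printf '%s\n' "$hit"
            return 0
        fi
    done
    return 1
}

# dup_names FILES_DATA LDAP_DATA
# Prints, sorted, every name that exists in both sources. These are the
# entries the reply says not to duplicate; each one is resolved from only
# one side depending on nsswitch.conf order.
dup_names() {
    {
        printf '%s\n' "$1" | sed 's/^/files:/'
        printf '%s\n' "$2" | sed 's/^/ldap:/'
    } | awk -F: '
        $2 != "" { src[$2] = src[$2] " " $1 }
        END {
            for (n in src)
                if (src[n] ~ /files/ && src[n] ~ /ldap/) print n
        }' | sort
}

# Demonstration of the two orders the poster tried.
echo "group: files ldap ->" "$(nss_lookup devel 'files ldap' "$LOCAL_GROUP" "$LDAP_GROUP")"
echo "group: ldap files ->" "$(nss_lookup devel 'ldap files' "$LOCAL_GROUP" "$LDAP_GROUP")"
echo "names defined in both sources:"
dup_names "$LOCAL_GROUP" "$LDAP_GROUP"
```

With `files ldap`, `devel` resolves to the local GID 1001 with member alice, so a sudoers line such as `%devel ALL=(ALL) ALL` applies only to the local members; with `ldap files` it resolves to the LDAP group and only carol matches. Once the colliding local groups are removed (or their members moved into the LDAP group, keeping /etc/group for system accounts only), `sudo -l -U carol` on the real host is the quickest way to confirm that the LDAP user picked up the group's sudoers entry.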