[Date Prev][Date Next] [Chronological] [Thread] [Top]

Re: What will happen if a user is a member of a group, but has another group as its primary group

On 08/03/12 09:13 +0800, Qian Zhang wrote:
If your applications use getgrouplist(3), then you can't just ignore the
gidNumber (see the manpage for details) from the passwd database, but you
could change the gidNumber to match the secondary group if you're not
concerned about the default gidNumber.

If your applications are PAM aware, then you have more flexibility in how
your users are authenticated, and may not need to depend on an ldap nss
configuration and the gidNumber attribute.

One of use cases in my application is, OpenLDAP client will be
installed in machines, and for each machine, it will be configured
(with PAM) to only allow a specific LDAP group to login it. In this
case, I am not sure if I need to care about gidNumber attribute or
not, i.e., in my previous example, can user1 log into the machine
which has been configured to only allow group2 to login?

If you were to use nssov, which is distributed in the contrib directory of
OpenLDAP, then you could configure 'nssov-pam usergroup [...]' to
accomplish that, which can sidestep posixGroup/gidNumber semantics
altogether. See the slapo-nssov manpage for details.

There are other ldap pam modules to choose from, distributed by other
vendors, with their own solutions to this problem.

Dan White