check group membership locally and also in ldap
bloguillard
blog at guillard.nom.fr
Tue Mar 13 16:13:34 UTC 2012
Hello,
I have configured a redhat box to authenticate users over an
openldap server. "Systems" accounts ( uid > 500 ) are not
created in ldap but are authenticated over the local password db.
system-auth :
...
auth required pam_env.so
auth sufficient pam_unix.so nullok try_first_pass
auth requisite pam_succeed_if.so uid >= 500 quiet
auth sufficient pam_sss.so use_first_pass
auth required pam_deny.so
...
My ldap directory also contains posixgroups.
I noticed that if I configure locally a system account to use
an ldap GID, then the user is properly registered as a member
of this group as well as any other groups it would be a member
of locally (declared in /etc/group).
But if I declare in local /etc/passwd a local group as being the
primary group for that user, then the user is not registered as being
a member of any ldap group it would be "subscribed" to.
QUESTION: is there any way to configure pam to say that the
user's group list includes ldap groups the user is a member of
as well as local groups, even if the primary group of that user
is local?
Thanks
---
Olivier
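To make the two behaviours in the post concrete, here is an added Python model (not the poster's code and not a real PAM or NSS module) of the quoted system-auth stack and of the merged group list the question asks for. It walks the five listed modules with PAM's required/requisite/sufficient semantics, so a system account below uid 500 is decided by pam_unix or stopped at pam_succeed_if and never reaches pam_sss, and it builds a supplementary group list as the union of /etc/group and LDAP posixGroup memberships, independent of where the primary group lives. Every account, password, /etc/group line and posixGroup entry is constructed sample data; the two dicts stand in for /etc/passwd plus /etc/shadow and for the posixAccount entries sssd would serve.

```python
"""Model of the quoted system-auth stack plus a local+LDAP group merge.
Added illustration, not the poster's code. All accounts, passwords,
/etc/group lines and posixGroup entries below are constructed sample data."""

LOCAL_PASSWD = {  # constructed local (system) accounts: /etc/passwd + /etc/shadow
    "backupd": {"uid": 420, "gid": 420, "password": "local-secret"},
}
LDAP_PASSWD = {   # constructed posixAccount entries as sssd would serve them
    "alice": {"uid": 10001, "gid": 10000, "password": "ldap-secret"},
}
ETC_GROUP = """\
root:x:0:
wheel:x:10:backupd
backupd:x:420:
"""
LDAP_POSIX_GROUPS = [  # constructed posixGroup entries: (cn, gidNumber, memberUid list)
    ("ldapusers", 10000, ["alice"]),
    ("ldapadmins", 10002, ["alice", "backupd"]),  # a local account listed in an LDAP group
]

def lookup_account(user):
    """passwd lookup, 'files' first then 'sss', like an nsswitch passwd line."""
    return LOCAL_PASSWD.get(user) or LDAP_PASSWD.get(user)

# One check per line of the quoted stack; each returns True for PAM_SUCCESS.
def pam_env(user, password):
    return True                                   # only sets environment
def pam_unix(user, password):                     # local password db only
    acct = LOCAL_PASSWD.get(user)
    return acct is not None and acct["password"] == password
def pam_succeed_if_uid_ge_500(user, password):    # "uid >= 500 quiet"
    acct = lookup_account(user)
    return acct is not None and acct["uid"] >= 500
def pam_sss(user, password):                      # LDAP via sssd
    acct = LDAP_PASSWD.get(user)
    return acct is not None and acct["password"] == password
def pam_deny(user, password):
    return False

SYSTEM_AUTH = [
    ("required",   "pam_env",        pam_env),
    ("sufficient", "pam_unix",       pam_unix),
    ("requisite",  "pam_succeed_if", pam_succeed_if_uid_ge_500),
    ("sufficient", "pam_sss",        pam_sss),
    ("required",   "pam_deny",       pam_deny),
]

def run_auth_stack(stack, user, password):
    """Apply PAM control-flag semantics; returns (authenticated, deciding module)."""
    required_failed = False
    for control, name, check in stack:
        ok = check(user, password)
        if control == "required" and not ok:
            required_failed = True        # keep going, but the stack will fail
        elif control == "requisite" and not ok:
            return False, name            # fail now; later modules never run
        elif control == "sufficient" and ok and not required_failed:
            return True, name             # success short-circuits the stack
    return (not required_failed), "end-of-stack"

def parse_etc_group(text):
    """Parse /etc/group lines into (name, gid, [members]) tuples."""
    groups = []
    for line in text.splitlines():
        if not line.strip() or line.startswith("#"):
            continue
        name, _pw, gid, members = line.split(":", 3)
        groups.append((name, int(gid), [m for m in members.split(",") if m]))
    return groups

def supplementary_groups(user, primary_gid, *sources):
    """Primary gid first, then every group in every source that lists the user,
    de-duplicated: the union of local and LDAP groups the post asks for."""
    gids = [primary_gid]
    for source in sources:
        for _name, gid, members in source:
            if user in members and gid not in gids:
                gids.append(gid)
    return gids

def resolve_login(user, password):
    """Run the stack and, on success, build the merged group list for the user."""
    ok, module = run_auth_stack(SYSTEM_AUTH, user, password)
    groups = []
    if ok:
        groups = supplementary_groups(user, lookup_account(user)["gid"],
                                      parse_etc_group(ETC_GROUP), LDAP_POSIX_GROUPS)
    return {"authenticated": ok, "decided_by": module, "groups": groups}

if __name__ == "__main__":
    for user, pw in [("backupd", "local-secret"), ("backupd", "wrong"),
                     ("alice", "ldap-secret"), ("alice", "wrong")]:
        print(user, resolve_login(user, pw))
```

With the sample data, backupd (uid 420, primary group local) is accepted by pam_unix and ends up in gids 420, 10 and 10002, so the LDAP group is present alongside the local ones; with a wrong password the requisite pam_succeed_if line stops the stack before pam_sss is consulted, which is why the uid threshold keeps system accounts off the LDAP path.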