[Date Prev][Date Next]   [Thread Prev][Thread Next]   [Thread Index] [Date Index] [Author Index]

Re: is it possible to make pam_wheel query an LDAP server?



On Mon 16 Apr 2001 at 10:17:23 -0500, you wrote:

> On Sun, 15 Apr 2001, Ian Macdonald wrote:
> 
> > However, the effect is not quite the desired one. pam_wheel only
> > consults the local /etc/group file to find users who are allowed to
> > su, whereas I would like an LDAP server to be queried instead.
> 
> > This would greatly ease administration, since we could just add or
> > remove a user from the wheel group in LDAP and instantly either
> > empower or emasculate said user across all of our systems.
> 
> > We could then also configure other applications to allow only certain
> > users to use them, by having pam_wheel query over LDAP for membership
> > of other groups than just wheel. This would be an extremely powerful
> > feature.
> 
> > So, is there any way of getting pam_wheel to go over LDAP for its
> > look-ups?
> 
> To do group lookups via LDAP, you should have the following line in
> nsswitch.conf:
> 
> group:      files ldap

Yes, we have that.

> And you should make sure that you don't have a 'wheel' group listed in
> /etc/group.  This is because NSS doesn't allow you to combine group entries
> from multiple NSS backends: getgrnam("wheel") will return either the entry
> from LDAP or the entry from /etc/group, depending on which is specified first
> in nsswitch.conf.

Aha! Thanks. I had an empty wheel group in /etc/group, so the LDAP
look-up was never occurring. If I remove the group, I get the desired
effect.

Of course, this presents a security risk, since if I don't list myself
as a member of group wheel in /etc/group and LDAP goes down for
whatever reason, I can no longer get root on my systems.

Thanks very much for answering my question.

Ian
-- 
Ian Macdonald               | Some men who fear that they are playing
Senior System Administrator | second fiddle aren't in the band at all. 
Linuxcare, Inc.             | 
Support for the Revolution  | 
                            | 





[Date Prev][Date Next]   [Thread Prev][Thread Next]   [Thread Index] [Date Index] [Author Index] []