pam_group and nss

Wedgwood, Matthew E mwedgwood at austin.utexas.edu
Tue Oct 20 14:23:29 UTC 2009


This is a bit hackish, but you can simply create the group locally and add
members to it in /etc/group. The group memberships will be combined with
those in LDAP (with some exceptions - see below). The local group IDs should
match up with the LDAP groups you are targeting.

This assumes that "files" appears in your nss config (nsswitch.conf).
Something like this:

passwd      files ldap
group       files ldap

I cannot be sure whether this method will have side-effects, but for
commands like "id" it appears to work correctly. One place where it is
obvious is when "getent group" is run. The groups defined locally will
appear twice - once with the local members, and again with the LDAP members.
The order they appear in seems to be determined by the resolution order in
nsswitch.conf.

Matthew Wedgwood
Sr Systems Administrator
University of Texas at Austin
(512) 471-3048



> From: Wilhelm Meier <wilhelm.meier at fh-kl.de>
> Reply-To: "wilhelm.meier at fh-kl.de" <wilhelm.meier at fh-kl.de>, Pluggable
> Authentication Modules <pam-list at redhat.com>
> Date: Tue, 20 Oct 2009 05:42:54 -0500
> To: Pluggable Authentication Modules <pam-list at redhat.com>
> Subject: pam_group and nss
> 
> Hi all,
> 
> we are using pam_group in combination with pam_ldap to give users
> additional group membership like plugdev. This is ok but not for hald,
> since it uses nss to resolve the group membership of a given user.
> 
> What is the best way to provide in a system-wide manner the nss-service
> with additional group memberships? (We do not have the chance to add the
> memberships to the ldap directory ...)
> 
> -- 
> Wilhelm