pam_group and nss
Wilhelm Meier
wilhelm.meier at fh-kl.de
Tue Oct 20 18:20:47 UTC 2009
Hi Matthew,
thank you for the advice.
Wedgwood, Matthew E wrote:
> On many systems, you can simply create the group locally and add
> members to it in /etc/group. The group memberships will be
> concatenated with those in LDAP.
Sure, but that's not the full story. The problem isn't the pam-stack at
all, it is the other processes on the system like hal or dbus. They must
rely on nss to look up group membership of users, and nss doesn't use pam
at all. So if I give the login-process additional memberships (via
pam_group) this is for the process-hierarchy of the user and not for the
user itself.
I was missing the ability to add group membership to all or some users -
sure I don't want to list them all in the /etc/group.
The solution is to install consolekit (at least on a debian-lenny
system) which comes with the pam_ck_connector, which does exactly what
is needed: looking up group membership through pam!
Thanks anyway!
>
> This assumes that "files" appears in your nss config. Something like
> this:
>
> passwd: files ldap
> group:  files ldap
>
> Be sure that the local group IDs match up with the LDAP groups you're
> targeting.
>
> -Matthew
>
> On Oct 20, 2009, at 5:48 AM, "Wilhelm Meier" <wilhelm.meier at fh-kl.de>
> wrote:
>
>> Hi all,
>>
>> we are using pam_group in combination with pam_ldap to give users
>> additional group membership like plugdev. This is ok but not for hald,
>> since it uses nss to resolve the group membership of a given user.
>>
>> What is the best way to provide in a system-wide manner the
>> nss-service with additional group memberships? (We do not have the
>> chance to add the memberships to the ldap directory ...)
>>
>> --
>> Wilhelm
>>
>> _______________________________________________
>> Pam-list mailing list
>> Pam-list at redhat.com
>> https://www.redhat.com/mailman/listinfo/pam-list
>
>
--
Wilhelm
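
The gap discussed in this thread, as an added example that is not part of the original messages: group IDs granted to a login session (for instance by pam_group) live only in the process credentials, while daemons and audits that ask NSS do not see them. The function names and the sample GIDs (1000 and 46) are constructed for illustration.

```python
import grp
import os
import pwd


def nss_groups(user, primary_gid):
    """Group IDs that NSS (files, ldap, ...) reports for the user."""
    return set(os.getgrouplist(user, primary_gid))


def process_groups():
    """Group IDs carried in this process's own credentials."""
    return set(os.getgroups()) | {os.getgid(), os.getegid()}


def compare(proc_gids, nss_gids):
    """Split GIDs into those only in the process and those only in NSS."""
    return {
        "process_only": sorted(proc_gids - nss_gids),
        "nss_only": sorted(nss_gids - proc_gids),
    }


def gid_name(gid):
    """Resolve a GID to a name, falling back to the number."""
    try:
        return grp.getgrgid(gid).gr_name
    except KeyError:
        return str(gid)


def audit_current_session():
    """Compare this session's credentials with what NSS knows."""
    try:
        entry = pwd.getpwuid(os.getuid())
    except KeyError:
        return None  # uid has no passwd entry reachable through NSS
    return compare(process_groups(), nss_groups(entry.pw_name, entry.pw_gid))


if __name__ == "__main__":
    # Constructed sample: gid 46 was added to the session at login only.
    print("constructed:", compare({1000, 46}, {1000}))
    live = audit_current_session()
    if live is not None:
        for key, gids in live.items():
            print(key, [gid_name(g) for g in gids])
```

Entries under process_only are memberships that NSS-based lookups will not report for the user, so they are missed both by services that authorize through NSS and by reviews that rely on the group database alone.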