pam_group and nss

Wilhelm Meier wilhelm.meier at fh-kl.de
Tue Oct 20 18:20:47 UTC 2009


Hi Matthew,

thank you for the advice.

Wedgwood, Matthew E schrieb:
> On many systems, you can simply create the group locally and add  
> members to it in /etc/group. The group memberships will be  
> concatenated with those in LDAP.

Sure, but that's not the full story. The problem isn't the pam-stack at 
all, it is the other processes on the system like hal or dbus. They must 
rely on nss to look up group membership of users, and nss doesn't use pam 
at all. So if I give the login-process additional memberships (via 
pam_group) this is for the process-hierarchy of the user and not for the 
user itself.

I was missing the ability to add group membership to all or some users - 
sure I don't want to list them all in the /etc/group.

The solution is to install consolekit (at least on a debian-lenny 
system) which comes with the pam_ck_connector, which does exactly what 
is needed: looking up group membership through pam!

Thanks anyway!

> 
> This assumes that "files" appears in your nss config. Something like  
> this:
> 
> passwd      files ldap
> group       files ldap
> 
> Be sure that the local group IDs match up with the LDAP groups you're  
> targeting.
> 
> -Matthew
> 
> On Oct 20, 2009, at 5:48 AM, "Wilhelm Meier" <wilhelm.meier at fh-kl.de>  
> wrote:
> 
>> Hi all,
>>
>> we are using pam_group in combination with pam_ldap to give users
>> additional group membership like plugdev. This is ok but not for hald,
>> since it uses nss to resolve the group membership of a given user.
>>
>> What is the best way to provide in a system-wide manner the nss-service
>> with additional group memberships? (We do not have the chance to add the
>> memberships to the ldap directory ...)
>>
>> -- 
>> Wilhelm
>>
>> _______________________________________________
>> Pam-list mailing list
>> Pam-list at redhat.com
>> https://www.redhat.com/mailman/listinfo/pam-list
> 

-- 
Wilhelm
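The distinction Wilhelm describes above (pam_group extends the supplementary group list of the login process tree, while hald, dbus and other daemons resolve a user's groups through NSS, i.e. initgroups()/getgrouplist() against nsswitch.conf) can be checked directly on a host. The following diagnostic is an added example, not code from the thread or from pam_group/ConsoleKit; the function names (nss_has_group, proc_has_group, report) and the default group name "plugdev" are choices made for this illustration. It compares the calling session's own supplementary groups with the groups NSS reports for the same user, so an administrator can tell whether a membership was granted by pam_group only or is visible to every process on the system.

```c
/* nssgroups.c: compare the supplementary groups of the calling process
 * (what pam_group handed to this login session) with the groups NSS
 * reports for the same user (what hald, dbus and any daemon see).
 * Added example for this thread, not code from pam_group or ConsoleKit.
 * Build: cc -o nssgroups nssgroups.c ; run: ./nssgroups [groupname] */
#define _GNU_SOURCE
#include <grp.h>
#include <pwd.h>
#include <stdio.h>
#include <stdlib.h>
#include <unistd.h>

/* Prototype repeated in case strict feature macros hide it in grp.h. */
int getgrouplist(const char *user, gid_t group, gid_t *groups, int *ngroups);

/* Ask NSS (nsswitch.conf: files, ldap, ...) for the groups of `user`,
 * exactly as initgroups() does when a daemon resolves a user name.
 * Returns the number of gids and stores a malloc'd array in *out,
 * or -1 on allocation failure. */
int nss_group_list(const char *user, gid_t base, gid_t **out)
{
    int n = 16;
    gid_t *list = malloc((size_t)n * sizeof *list);
    if (!list)
        return -1;
    for (;;) {
        int want = n;
        if (getgrouplist(user, base, list, &want) != -1) {
            *out = list;
            return want;
        }
        /* getgrouplist() reports the size it needs in `want` */
        if (want <= n)
            want = n * 2;
        gid_t *bigger = realloc(list, (size_t)want * sizeof *list);
        if (!bigger) {
            free(list);
            return -1;
        }
        list = bigger;
        n = want;
    }
}

/* 1 if NSS lists `target` among the groups of `user` (primary gid `base`). */
int nss_has_group(const char *user, gid_t base, gid_t target)
{
    gid_t *groups;
    int n = nss_group_list(user, base, &groups);
    if (n < 0)
        return 0;
    int found = 0;
    for (int i = 0; i < n; i++)
        if (groups[i] == target) {
            found = 1;
            break;
        }
    free(groups);
    return found;
}

/* 1 if the calling process's own supplementary group list contains `target`.
 * This is the per-process list that pam_group extends; nothing outside the
 * session's process tree inherits it. */
int proc_has_group(gid_t target)
{
    int n = getgroups(0, NULL);
    if (n < 0)
        return 0;
    gid_t *groups = malloc((size_t)(n + 1) * sizeof *groups); /* +1 avoids malloc(0) */
    if (!groups)
        return 0;
    n = getgroups(n, groups);
    int found = 0;
    for (int i = 0; i < n; i++)
        if (groups[i] == target) {
            found = 1;
            break;
        }
    free(groups);
    return found;
}

/* Report whether the current session holds `group` and whether NSS would
 * grant it to the current user; a "yes/no" split is the pam_group case. */
int report(const char *group)
{
    struct group *gr = getgrnam(group);
    struct passwd *pw = getpwuid(getuid());
    if (!gr || !pw) {
        fprintf(stderr, "unknown group or user\n");
        return 1;
    }
    int in_proc = proc_has_group(gr->gr_gid);
    int in_nss = nss_has_group(pw->pw_name, pw->pw_gid, gr->gr_gid);
    printf("group %s (gid %u): session has it: %s, NSS grants it to %s: %s\n",
           group, (unsigned)gr->gr_gid, in_proc ? "yes" : "no",
           pw->pw_name, in_nss ? "yes" : "no");
    if (in_proc && !in_nss)
        puts("-> membership comes from pam_group only; daemons using NSS will not see it");
    return 0;
}

int main(int argc, char **argv)
{
    return report(argc > 1 ? argv[1] : "plugdev");
}
```

Run it from a session where pam_group added plugdev: the session column says "yes" while the NSS column says "no", which is precisely why hald's own lookup fails. Adding the user to a local plugdev entry in /etc/group (with "files" listed before "ldap" in nsswitch.conf, as Matthew suggests) or registering the session through pam_ck_connector are the two ways to make both columns agree.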
