check group membership locally and in also in ldap
bloguillard
blog at guillard.nom.fr
Tue Mar 13 16:38:45 UTC 2012
Note :
To clarify what I try to do :
I try to create an ldap "sysgroup" posixgroup entry whose usual
(and unusual) "sysaccounts" would be member of to be able
grant to the members of that "sysgroup" specific rights ( declared
in security/access.conf).
I'm also open to suggestions :-)
--
Olivier
2012/3/13 bloguillard <blog at guillard.nom.fr>:
> Hello,
>
> I have configure a redhat box to authenticate users over an
> openldap server. "Systems" account ( uid > 500 ) are not
> created in ldap but are authentified over local password db.
>
> system-auth :
> ...
> auth required pam_env.so
> auth sufficient pam_unix.so nullok try_first_pass
> auth requisite pam_succeed_if.so uid >= 500 quiet
> auth sufficient pam_sss.so use_first_pass
> auth required pam_deny.so
> ...
>
> My ldap directory also contains posixgroups.
>
> I noticed that if I configure locally a system account to use
> an ldap GID, then the user is properly registered as a member
> of this group as well as any other groups it would be member
> of locally ( declared in /etc/group ).
>
> But if I declare in local /etc/passwd a local group as being the
> primary group for that user, then the user is not registered as being
> member of any ldap group it would be "subscribed" to.
>
> QUESTION : is there anyway to configure pam to say that the
> user group list includes ldap groups the user is member of
> as well as local groups, even if the primary group of that user
> is local ?
>
> Thanks
>
> ---
> Olivier
More information about the Pam-list
mailing list