On Mon 16 Apr 2001 at 10:17:23 -0500, you wrote:
> On Sun, 15 Apr 2001, Ian Macdonald wrote:
>
> > However, the effect is not quite the desired one. pam_wheel only
> > consults the local /etc/group file to find users who are allowed to
> > su, whereas I would like an LDAP server to be queried instead.
> >
> > This would greatly ease administration, since we could just add or
> > remove a user from the wheel group in LDAP and instantly either
> > empower or emasculate said user across all of our systems.
> >
> > We could then also configure other applications to allow only certain
> > users to use them, by having pam_wheel query over LDAP for membership
> > of other groups than just wheel. This would be an extremely powerful
> > feature.
> >
> > So, is there any way of getting pam_wheel to go over LDAP for its
> > look-ups?
>
> To do group lookups via LDAP, you should have the following line in
> nsswitch.conf:
>
> group: files ldap

Yes, we have that.

> And you should make sure that you don't have a 'wheel' group listed in
> /etc/group. This is because NSS doesn't allow you to combine group entries
> from multiple NSS backends: getgrnam("wheel") will return either the entry
> from LDAP or the entry from /etc/group, depending on which is specified first
> in nsswitch.conf.

Aha! Thanks. I had an empty wheel group in /etc/group, so the LDAP look-up
was never occurring. If I remove the group, I get the desired effect.

Of course, this presents a security risk, since if I don't list myself as a
member of group wheel in /etc/group and LDAP goes down for whatever reason, I
can no longer get root on my systems.

Thanks very much for answering my question.

Ian
-- 
Ian Macdonald               | Some men who fear that they are playing
Senior System Administrator | second fiddle aren't in the band at all.
Linuxcare, Inc.             |
Support for the Revolution  |
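The NSS ordering problem diagnosed in this exchange, as an added example that is not part of the thread: a small shell check that reads an nsswitch.conf and a group(5) file and reports whether a local entry for a group will shadow the LDAP entry. The file paths and group name are parameters (an assumption) so it can run against constructed sample files; it also generalises slightly by handling the `ldap files` ordering and `[NOTFOUND=return]`-style action tokens on the `group:` line.

```shell
#!/bin/sh
# Added example, not from the original thread: detect the condition described
# above, where an entry in the local group file shadows the LDAP group because
# NSS answers getgrnam() from the first backend that knows the name. Paths and
# the group name are parameters (assumption) so the check runs against
# constructed sample files rather than the real /etc/nsswitch.conf, /etc/group.

# Emit the backends on the "group:" line of an nsswitch.conf, one per line, in
# order. Comments and action tokens such as [NOTFOUND=return] are dropped.
nss_group_sources() {
    sed -n 's/#.*//; s/^[[:space:]]*group:[[:space:]]*//p' "$1" \
        | tr -s '[:space:]' '\n' | grep -v '^\[' | grep -v '^$'
}

# Exit 0 if group "$2" has an entry in the group(5) file "$1", 1 otherwise.
group_in_file() {
    grep -q "^$2:" "$1"
}

# Decide where getgrnam("$3") will be answered from, given nsswitch.conf "$1"
# and group file "$2". Exit status: 0 = LDAP will be consulted, 1 = a local
# entry is ordered first and shadows LDAP, 2 = ldap is not on the group: line.
check_group_shadowing() {
    local_hit=0
    for src in $(nss_group_sources "$1"); do
        case $src in
            files) group_in_file "$2" "$3" && local_hit=1 ;;
            ldap)  [ "$local_hit" -eq 0 ] && return 0; return 1 ;;
        esac
    done
    return 2
}

# Constructed sample files reproducing the two states described in the thread.
SAMPLE_DIR=$(mktemp -d)
printf 'passwd: files ldap\ngroup:  files ldap  # files wins for any name it holds\n' \
    > "$SAMPLE_DIR/nsswitch.conf"
printf 'group: ldap files\n' > "$SAMPLE_DIR/nsswitch.ldapfirst"
printf 'root:x:0:\nwheel:x:10:\n' > "$SAMPLE_DIR/group.shadowed"   # empty local wheel
printf 'root:x:0:\n' > "$SAMPLE_DIR/group.fixed"                    # local wheel removed

for gf in group.shadowed group.fixed; do
    if check_group_shadowing "$SAMPLE_DIR/nsswitch.conf" "$SAMPLE_DIR/$gf" wheel; then
        echo "$gf: wheel will be resolved via LDAP"
    else
        echo "$gf: a local wheel entry shadows LDAP; pam_wheel never sees LDAP members"
    fi
done
```

Running it against a real host means pointing the check at /etc/nsswitch.conf and /etc/group; a status of 1 for wheel is exactly the symptom Ian saw, and removing the local entry trades it for the availability risk he notes.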