Re: is it possible to make pam_wheel query an LDAP server?

Hi Ian,

On Thu, 19 Apr 2001, Ian Macdonald wrote:

> Yes, we have that.

> > And you should make sure that you don't have a 'wheel' group listed in
> > /etc/group.  This is because NSS doesn't allow you to combine group entries
> > from multiple NSS backends: getgrnam("wheel") will return either the entry
> > from LDAP or the entry from /etc/group, depending on which is specified first
> > in nsswitch.conf.

> Aha! Thanks. I had an empty wheel group in /etc/group, so the LDAP
> look-up was never occurring. If I remove the group, I get the desired
> effect.

> Of course, this presents a security risk, since if I don't list myself
> as a member of group wheel in /etc/group and LDAP goes down for
> whatever reason, I can no longer get root on my systems.

It's a trade-off.  It's obviously more convenient if you can configure the
wheel group centrally for all your machines, but it's more reliable if your
machines aren't dependent on the LDAP server. The best answer, IMHO, is to
make sure the LDAP server never goes down -- LDAP supports server
replication, so you should make use of it and set up at least 2 LDAP servers.

Cheers,
Steve Langasek
postmodern programmer
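
A check for the shadowing condition discussed above, added here as an example (not code from the thread): it reads the `group:` line of nsswitch.conf and a local /etc/group, both supplied as constructed sample text, and reports which backend `getgrnam("wheel")` will be answered from.

```python
"""Detect a local /etc/group entry that shadows the LDAP copy of a group.

NSS does not merge group entries across backends: the first backend listed
for 'group' in nsswitch.conf that knows the name answers, and the rest are
never consulted. Inputs below are constructed samples, not real system files.
"""
import re

# Constructed sample: the situation in the thread, an empty local 'wheel'
# group and 'files' consulted before 'ldap'.
SAMPLE_NSSWITCH = """\
passwd: files ldap
group:  files ldap   # files answers first
shadow: files ldap
"""
SAMPLE_GROUP = """\
root:x:0:
wheel:x:10:
users:x:100:alice
"""


def group_backends(nsswitch_text):
    """Ordered backend names for the 'group' database (actions like [NOTFOUND=return] dropped)."""
    for line in nsswitch_text.splitlines():
        line = line.split("#", 1)[0].strip()
        m = re.match(r"group\s*:\s*(.*)$", line)
        if m:
            return [t for t in m.group(1).split() if not t.startswith("[")]
    return []


def local_group_members(group_text, name):
    """Member list of `name` in /etc/group, or None if no local entry exists."""
    for line in group_text.splitlines():
        fields = line.strip().split(":")
        if len(fields) >= 4 and fields[0] == name:
            return [m for m in fields[3].split(",") if m]
    return None


def shadowing_check(nsswitch_text, group_text, name="wheel"):
    """Which backend will answer getgrnam(name), and whether that hides LDAP."""
    backends = group_backends(nsswitch_text)
    local = local_group_members(group_text, name)
    if "ldap" not in backends:
        return "no-ldap"            # LDAP never consulted for groups at all
    if local is None or "files" not in backends:
        return "ldap-only"          # LDAP answers; local entry absent (single point of failure)
    if backends.index("files") < backends.index("ldap"):
        return "local-shadows-ldap"  # local entry wins; LDAP members never seen
    return "ldap-shadows-local"      # LDAP entry wins; local members never seen
```

Run it against the real files with `open("/etc/nsswitch.conf").read()` and `open("/etc/group").read()` to audit a host; `local-shadows-ldap` with an empty member list is exactly the silent failure described in the thread.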




