We use OpenLDAP 2.3 on Red Hat Enterprise Linux ES release 4 (Nahant Update 3).
The user's primary group is stored in the gid attribute in their entry, but additional group memberships are configured by adding a memberUID with the user's username to the posixGroup entry for the group.
When the user logs in they authenticate against OpenLDAP correctly, but the only group information that seems to follow them to the server is the gid listed in their user entry. Our client servers run RH ES 3 or 4.
I've been fighting this for quite a while now; I've been reading this list and the archives as well as the online docs.
/etc/pam.d/login

#%PAM-1.0
auth       required     pam_securetty.so
auth       required     pam_stack.so service=system-auth
auth       required     pam_nologin.so
account    required     pam_stack.so service=system-auth
password   required     pam_stack.so service=system-auth
session    required     pam_stack.so service=system-auth
session    optional     pam_console.so

/etc/pam.d/passwd

#%PAM-1.0
auth       required     pam_stack.so service=system-auth
account    required     pam_stack.so service=system-auth
password   required     pam_stack.so service=system-auth

Our clients' ldap.conf:

host 172.30.3.X
# The distinguished name of the search base.
base ou=People,dc=ourname,dc=com
sudoers_base ou=People,dc=ourname,dc=com
uri ldap://172.30.3.X/
binddn cn=Manager,dc=ourname,dc=com
bindpw ourtopsecretpassword
# Group to enforce membership of
#pam_groupdn cn=PAM,ou=Groups,dc=example,dc=com
# Group member attribute
#pam_member_attribute uniquemember
pam_password md5
ssl no
#end ldap.conf

Thank you,
-John B
--
John D. Beck, CCNA, RSA CSA & CSIE, Sys Admin / Security Engineer
Global Science and Technology (GST)
jbeck@xxxxxxxxxxx
Phone: 202.479.9030 #427
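The following is an added example, not part of John's post or of the nss_ldap/OpenLDAP code. It models the two lookups nss_ldap performs when a user logs in: the primary group comes from the user's own gidNumber, while supplementary groups come from posixGroup entries whose memberUid lists the username. Both lookups are scoped to the configured search base, so the example also reports which group entries fall outside a given base. The LDIF is constructed sample data; the assumption that groups live under ou=Groups,dc=ourname,dc=com is mine (the post only shows that the user subtree is ou=People,dc=ourname,dc=com). With nss_ldap, a separate subtree for groups is normally pointed at with the nss_base_group directive rather than by widening base.

```python
"""Simulate nss_ldap's primary/supplementary group resolution over sample
LDIF and check which posixGroup entries a given search base can reach.

Added example; the LDIF below is constructed, and the ou=Groups location
of the group entries is an assumption, not something stated in the post.
"""

# Constructed sample directory content (not the poster's real data).
SAMPLE_LDIF = """\
dn: uid=jsmith,ou=People,dc=ourname,dc=com
objectClass: posixAccount
uid: jsmith
uidNumber: 1001
gidNumber: 100

dn: cn=users,ou=Groups,dc=ourname,dc=com
objectClass: posixGroup
cn: users
gidNumber: 100

dn: cn=wheel,ou=Groups,dc=ourname,dc=com
objectClass: posixGroup
cn: wheel
gidNumber: 10
memberUid: jsmith
memberUid: root

dn: cn=dev,ou=Groups,dc=ourname,dc=com
objectClass: posixGroup
cn: dev
gidNumber: 2000
memberUid: alice
"""


def parse_ldif(text):
    """Parse simple LDIF (no folding, no base64) into a list of dicts of
    attribute -> list of values. Entries are separated by blank lines."""
    entries, cur = [], {}
    for line in text.splitlines():
        if not line.strip():
            if cur:
                entries.append(cur)
                cur = {}
            continue
        key, _, val = line.partition(":")
        cur.setdefault(key.strip(), []).append(val.strip())
    if cur:
        entries.append(cur)
    return entries


def dn_components(dn):
    """Split a DN into normalised RDN components for suffix comparison."""
    return [c.strip().lower() for c in dn.split(",")]


def dn_under_base(dn, base):
    """True if dn is the base itself or lies somewhere beneath it."""
    d, b = dn_components(dn), dn_components(base)
    return len(d) >= len(b) and d[-len(b):] == b


def posix_groups(entries, base):
    """posixGroup entries that a subtree search rooted at base would return."""
    return [e for e in entries
            if "posixGroup" in e.get("objectClass", [])
            and dn_under_base(e["dn"][0], base)]


def primary_group(entries, username, base):
    """Resolve the user's primary group name: user gidNumber -> group cn."""
    for e in entries:
        if "posixAccount" in e.get("objectClass", []) and username in e.get("uid", []):
            gid = e["gidNumber"][0]
            for g in posix_groups(entries, base):
                if g["gidNumber"][0] == gid:
                    return g["cn"][0]
    return None


def supplementary_groups(entries, username, base):
    """Group names whose memberUid lists username, as getgrouplist() would
    see them when the group search is scoped to base."""
    return sorted(g["cn"][0] for g in posix_groups(entries, base)
                  if username in g.get("memberUid", []))


def groups_outside_base(entries, base):
    """Group entries that a search rooted at base can never find."""
    return sorted(e["cn"][0] for e in entries
                  if "posixGroup" in e.get("objectClass", [])
                  and not dn_under_base(e["dn"][0], base))


ENTRIES = parse_ldif(SAMPLE_LDIF)

if __name__ == "__main__":
    for base in ("ou=People,dc=ourname,dc=com", "dc=ourname,dc=com"):
        print("base:", base)
        print("  primary group :", primary_group(ENTRIES, "jsmith", base))
        print("  supplementary :", supplementary_groups(ENTRIES, "jsmith", base))
        print("  unreachable   :", groups_outside_base(ENTRIES, base))
```

Running it with the narrow base prints no supplementary groups and lists every group entry as unreachable; widening the base (or, on a real client, setting nss_base_group to the groups subtree) makes the memberUid lookup return the expected names. On a real client the same two lookups can be observed with `getent group <name>` and `id <user>`.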
_______________________________________________ Pam-list@xxxxxxxxxx https://www.redhat.com/mailman/listinfo/pam-list