This is a bit hackish, but you can simply create the group locally and add members to it in /etc/group. The group memberships will be combined with those in LDAP (with some exceptions - see below). The local group IDs should match up with the LDAP groups you are targeting.

This assumes that "files" appears in your nss config (nsswitch.conf). Something like this:

    passwd: files ldap
    group:  files ldap

I cannot be sure whether this method will have side-effects, but for commands like "id" it appears to work correctly. One place where it is obvious is when "getent group" is run. The groups defined locally will appear twice - once with the local members, and again with the LDAP members. The order they appear in seems to be determined by the resolution order in nsswitch.conf.

Matthew Wedgwood
Sr Systems Administrator
University of Texas at Austin
(512) 471-3048

> From: Wilhelm Meier <wilhelm.meier@xxxxxxxx>
> Reply-To: "wilhelm.meier@xxxxxxxx" <wilhelm.meier@xxxxxxxx>, Pluggable Authentication Modules <pam-list@xxxxxxxxxx>
> Date: Tue, 20 Oct 2009 05:42:54 -0500
> To: Pluggable Authentication Modules <pam-list@xxxxxxxxxx>
> Subject: pam_group and nss
>
> Hi all,
>
> we are using pam_group in combination with pam_ldap to give users
> additional group membership like plugdev. This is ok but not for hald,
> since it uses nss to resolve the group membership of a given user.
>
> What is the best way to provide in a system-wide manner the nss-service
> with additional group memberships? (We do not have the chance to add the
> memberships to the ldap directory ...)
>
> --
> Wilhelm
>
> _______________________________________________
> Pam-list mailing list
> Pam-list@xxxxxxxxxx
> https://www.redhat.com/mailman/listinfo/pam-list
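An added example, not part of the original message: a simplified Python model of the "files ldap" merge described in the reply, which also flags local groups whose GID differs from the LDAP group of the same name (the condition the reply says should hold). All group data is constructed, the function names are hypothetical, and the LDAP side is assumed to be available as group(5)-format text.

```python
# Constructed sample input: local /etc/group content.
LOCAL_GROUP = """\
plugdev:x:46:alice
audio:x:29:alice,bob
"""
# Constructed stand-in for the group entries the LDAP source would return.
LDAP_GROUP = """\
plugdev:*:46:carol
audio:*:1029:carol
staff:*:5000:alice,carol
"""

def parse_group(text):
    """Parse group(5) lines 'name:passwd:gid:member,member' into dicts."""
    entries = []
    for line in text.splitlines():
        parts = line.strip().split(":")
        if len(parts) != 4 or not parts[2].isdigit():
            continue  # skip blank, comment, or malformed lines
        name, _pw, gid, members = parts
        entries.append({"name": name, "gid": int(gid),
                        "members": [m for m in members.split(",") if m]})
    return entries

def enumerate_groups(sources):
    """getent-style listing: every entry of every source, in lookup order."""
    return [(src, e["name"], e["gid"], e["members"])
            for src, entries in sources for e in entries]

def supplementary_gids(user, sources):
    """Union of GIDs whose member list names the user, across all sources."""
    return sorted({e["gid"] for _src, entries in sources
                   for e in entries if user in e["members"]})

def gid_mismatches(local, ldap):
    """Local groups whose name exists in LDAP under a different GID."""
    ldap_gids = {e["name"]: e["gid"] for e in ldap}
    return [(e["name"], e["gid"], ldap_gids[e["name"]]) for e in local
            if e["name"] in ldap_gids and ldap_gids[e["name"]] != e["gid"]]

# Order mirrors "group: files ldap" from the reply.
SOURCES = [("files", parse_group(LOCAL_GROUP)), ("ldap", parse_group(LDAP_GROUP))]

if __name__ == "__main__":
    for row in enumerate_groups(SOURCES):
        print(*row)
    print("alice gids:", supplementary_gids("alice", SOURCES))
    print("GID mismatches:", gid_mismatches(SOURCES[0][1], SOURCES[1][1]))
```

In the sample data the local "audio" entry uses GID 29 while the LDAP "audio" group uses 1029, so alice ends up in a different group than the one intended; a mismatch like this is worth checking before relying on the local override.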