Re: pam_group and nss

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]


This is a bit hackish, but you can simply create the group locally and add
members to it in /etc/group. The group memberships will be combined with
those in LDAP (with some exceptions - see below). The local group IDs should
match up with the LDAP groups you are targeting.

This assumes that "files" appears in your nss config (nsswitch.conf).
Something like this:

passwd      files ldap
group       files ldap

I cannot be sure whether this method will have side-effects, but for
commands like "id" it appears to work correctly. One place where it is
obvious is when "getent group" is run. The groups defined locally will
appear twice - once with the local members, and again with the LDAP members.
The order they appear in seems to be determined by the resolution order in

Matthew Wedgwood
Sr Systems Administrator
University of Texas at Austin
(512) 471-3048

> From: Wilhelm Meier <wilhelm.meier@xxxxxxxx>
> Reply-To: "wilhelm.meier@xxxxxxxx" <wilhelm.meier@xxxxxxxx>, Pluggable
> Authentication Modules <pam-list@xxxxxxxxxx>
> Date: Tue, 20 Oct 2009 05:42:54 -0500
> To: Pluggable Authentication Modules <pam-list@xxxxxxxxxx>
> Subject: pam_group and nss
> Hi all,
> we are using pam_group in combination to pam_ldap to give users
> additional group membership like plugdev. This is ok but not for hald,
> since it uses nss to resolve the group membership of a given user.
> What is the best way to provide in a system-wide manner the nss-service
> with additional group memberships? (We do not have the change to add the
> memberships to the ldap directory ...)
> -- 
> Wilhelm
> _______________________________________________
> Pam-list mailing list
> Pam-list@xxxxxxxxxx

Attachment: smime.p7s
Description: S/MIME cryptographic signature

Pam-list mailing list

[Index of Archives]     [Fedora Users]     [Kernel]     [Red Hat Install]     [Linux for the blind]     [Gimp]

  Powered by Linux