Re: pam_group and nss

By the way, this behavior was observed on a GNU-based system (RHEL 5.4). I
haven't checked whether the same will happen on Solaris (or others).

Matthew Wedgwood
Sr Systems Administrator
University of Texas at Austin
(512) 471-3048



> From: Matthew Wedgwood <mwedgwood@xxxxxxxxxxxxxxxxx>
> Reply-To: Pluggable Authentication Modules <pam-list@xxxxxxxxxx>
> Date: Tue, 20 Oct 2009 09:23:29 -0500
> To: "wilhelm.meier@xxxxxxxx" <wilhelm.meier@xxxxxxxx>, Pluggable
> Authentication Modules <pam-list@xxxxxxxxxx>
> Subject: Re: pam_group and nss
> 
> This is a bit hackish, but you can simply create the group locally and add
> members to it in /etc/group. The group memberships will be combined with
> those in LDAP (with some exceptions - see below). The local group IDs should
> match up with the LDAP groups you are targeting.
> 
> This assumes that "files" appears in your nss config (nsswitch.conf).
> Something like this:
> 
> passwd      files ldap
> group       files ldap
> 
> I cannot be sure whether this method will have side-effects, but for
> commands like "id" it appears to work correctly. One place where it is
> obvious is when "getent group" is run. The groups defined locally will
> appear twice - once with the local members, and again with the LDAP members.
> The order they appear in seems to be determined by the resolution order in
> nsswitch.conf.
> 
> Matthew Wedgwood
> Sr Systems Administrator
> University of Texas at Austin
> (512) 471-3048
> 
> 
> 
>> From: Wilhelm Meier <wilhelm.meier@xxxxxxxx>
>> Reply-To: "wilhelm.meier@xxxxxxxx" <wilhelm.meier@xxxxxxxx>, Pluggable
>> Authentication Modules <pam-list@xxxxxxxxxx>
>> Date: Tue, 20 Oct 2009 05:42:54 -0500
>> To: Pluggable Authentication Modules <pam-list@xxxxxxxxxx>
>> Subject: pam_group and nss
>> 
>> Hi all,
>> 
>> We are using pam_group in combination with pam_ldap to give users
>> additional group membership like plugdev. This is ok but not for hald,
>> since it uses nss to resolve the group membership of a given user.
>> 
>> What is the best way to provide in a system-wide manner the nss-service
>> with additional group memberships? (We do not have the chance to add the
>> memberships to the ldap directory ...)
>> 
>> -- 
>> Wilhelm
>> 
>> _______________________________________________
>> Pam-list mailing list
>> Pam-list@xxxxxxxxxx
>> https://www.redhat.com/mailman/listinfo/pam-list
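
Added example, not part of the original thread: a small audit of `getent group` output that finds the group names listed twice (once from /etc/group, once from LDAP, as described above), checks that the local and LDAP GIDs match, and shows the combined member list. The sample output, group names, users and the function names are constructed for illustration.

```python
from collections import defaultdict

# Constructed sample of `getent group` on a host with "group: files ldap".
# plugdev and audio exist both locally and in LDAP, so each appears twice.
SAMPLE_GETENT = """\
root:x:0:
plugdev:x:46:alice
audio:x:29:bob
staff:*:5000:alice,bob,carol
plugdev:*:46:dave
audio:*:63:carol
"""

def parse_group_lines(text):
    """Yield (name, gid, members) for each well-formed group(5) line."""
    for line in text.splitlines():
        fields = line.strip().split(":")
        if len(fields) != 4 or not fields[2].isdigit():
            continue  # skip blank or malformed entries
        members = [m for m in fields[3].split(",") if m]
        yield fields[0], int(fields[2]), members

def audit_duplicates(text):
    """Return {name: report} for every group name listed more than once."""
    seen = defaultdict(list)
    for name, gid, members in parse_group_lines(text):
        seen[name].append((gid, members))
    report = {}
    for name, entries in seen.items():
        if len(entries) < 2:
            continue
        gids = sorted({gid for gid, _ in entries})
        report[name] = {
            "gids": gids,
            # The thread's advice: local GIDs should match the LDAP ones.
            "gid_mismatch": len(gids) > 1,
            # Assumption: first entry comes from the first nsswitch source.
            "first_source_members": sorted(entries[0][1]),
            "merged_members": sorted({m for _, ms in entries for m in ms}),
        }
    return report

if __name__ == "__main__":
    for name, info in sorted(audit_duplicates(SAMPLE_GETENT).items()):
        flag = "GID MISMATCH" if info["gid_mismatch"] else "ok"
        print(f"{name}: gids={info['gids']} [{flag}] "
              f"first={info['first_source_members']} "
              f"merged={info['merged_members']}")
```

On a live host, feed it the real output instead of the sample, for example via `subprocess.run(["getent", "group"], capture_output=True, text=True).stdout`.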
