By the way, this behavior was observed on a GNU-based system (RHEL 5.4). I
haven't checked whether the same will happen on Solaris (or others).

Matthew Wedgwood
Sr Systems Administrator
University of Texas at Austin
(512) 471-3048

> From: Matthew Wedgwood <mwedgwood@xxxxxxxxxxxxxxxxx>
> Reply-To: Pluggable Authentication Modules <pam-list@xxxxxxxxxx>
> Date: Tue, 20 Oct 2009 09:23:29 -0500
> To: "wilhelm.meier@xxxxxxxx" <wilhelm.meier@xxxxxxxx>, Pluggable
> Authentication Modules <pam-list@xxxxxxxxxx>
> Subject: Re: pam_group and nss
>
> This is a bit hackish, but you can simply create the group locally and add
> members to it in /etc/group. The group memberships will be combined with
> those in LDAP (with some exceptions - see below). The local group IDs should
> match up with the LDAP groups you are targeting.
>
> This assumes that "files" appears in your nss config (nsswitch.conf).
> Something like this:
>
> passwd: files ldap
> group: files ldap
>
> I cannot be sure whether this method will have side-effects, but for
> commands like "id" it appears to work correctly. One place where it is
> obvious is when "getent group" is run. The groups defined locally will
> appear twice - once with the local members, and again with the LDAP members.
> The order they appear in seems to be determined by the resolution order in
> nsswitch.conf.
>
> Matthew Wedgwood
> Sr Systems Administrator
> University of Texas at Austin
> (512) 471-3048
>
>
>
>> From: Wilhelm Meier <wilhelm.meier@xxxxxxxx>
>> Reply-To: "wilhelm.meier@xxxxxxxx" <wilhelm.meier@xxxxxxxx>, Pluggable
>> Authentication Modules <pam-list@xxxxxxxxxx>
>> Date: Tue, 20 Oct 2009 05:42:54 -0500
>> To: Pluggable Authentication Modules <pam-list@xxxxxxxxxx>
>> Subject: pam_group and nss
>>
>> Hi all,
>>
>> we are using pam_group in combination with pam_ldap to give users
>> additional group membership like plugdev. This is ok but not for hald,
>> since it uses nss to resolve the group membership of a given user.
>>
>> What is the best way to provide in a system-wide manner the nss-service
>> with additional group memberships? (We do not have the chance to add the
>> memberships to the ldap directory ...)
>>
>> --
>> Wilhelm
>>
>> _______________________________________________
>> Pam-list mailing list
>> Pam-list@xxxxxxxxxx
>> https://www.redhat.com/mailman/listinfo/pam-list
_______________________________________________
Pam-list mailing list
Pam-list@xxxxxxxxxx
https://www.redhat.com/mailman/listinfo/pam-list
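
The duplicate "getent group" entries described in the thread above can be audited with a short script. This is an added example, not part of the original messages; the sample output, group names, members and GIDs are constructed, and the function names are hypothetical. It reports every group returned by more than one NSS source and flags entries whose GIDs do not match.

```python
# Constructed sample of `getent group` output with "group: files ldap":
# plugdev and staff are each returned once from /etc/group and once from LDAP.
SAMPLE = """\
root:x:0:
plugdev:x:46:alice
staff:x:50:carol
plugdev:*:46:bob,alice
staff:*:1050:dave
"""

def parse_group_lines(text):
    """Yield (name, gid, members) for each well-formed group(5) line."""
    for line in text.splitlines():
        fields = line.strip().split(":")
        if len(fields) != 4 or not fields[2].isdigit():
            continue  # skip blank or malformed lines
        name, _passwd, gid, members = fields
        yield name, int(gid), [m for m in members.split(",") if m]

def audit_duplicates(text):
    """Report groups that appear more than once in the output.

    For each such group: the GIDs seen (in resolution order), every member
    listed across the entries, and whether the GIDs disagree. The thread's
    advice is that the local GID should match the LDAP one.
    """
    seen = {}
    for name, gid, members in parse_group_lines(text):
        seen.setdefault(name, []).append((gid, members))
    report = {}
    for name, entries in seen.items():
        if len(entries) < 2:
            continue  # returned by a single source only
        gids = [gid for gid, _ in entries]
        merged = []
        for _, members in entries:
            merged += [m for m in members if m not in merged]
        report[name] = {"gids": gids, "members": merged,
                        "gid_mismatch": len(set(gids)) > 1}
    return report

if __name__ == "__main__":
    for name, info in audit_duplicates(SAMPLE).items():
        flag = "GID MISMATCH" if info["gid_mismatch"] else "ok"
        print(f"{name}: gids={info['gids']} members={info['members']} [{flag}]")
```

On a live host, pass the captured output of "getent group" to audit_duplicates() in place of SAMPLE and review the reported members against what the directory is expected to grant.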