Hi Matthew,
thank you for the advice.
Wedgwood, Matthew E wrote:
> On many systems, you can simply create the group locally and add
> members to it in /etc/group. The group memberships will be
> concatenated with those in LDAP.
Sure, but that's not the full story. The problem isn't the pam-stack at
all, it is the other processes on the system like hal or dbus. They must
rely on nss to look up group membership of users, and nss doesn't use pam
at all. So if I give the login-process additional memberships (via
pam_group) this is for the process-hierarchy of the user and not for the
user itself.
I was missing the ability to add group membership to all or some users -
sure I don't want to list them all in the /etc/group.
The solution is to install consolekit (at least on a debian-lenny
system) which comes with the pam_ck_connector, which does exactly what
is needed: looking up group membership through pam!
Thanks anyway!
> This assumes that "files" appears in your nss config. Something like
> this:
>
> passwd: files ldap
> group:  files ldap
>
> Be sure that the local group IDs match up with the LDAP groups you're
> targeting.
>
> -Matthew
> On Oct 20, 2009, at 5:48 AM, "Wilhelm Meier" <wilhelm.meier@xxxxxxxx> wrote:
> > Hi all,
> > we are using pam_group in combination with pam_ldap to give users
> > additional group membership like plugdev. This is ok but not for hald,
> > since it uses nss to resolve the group membership of a given user.
> > What is the best way to provide in a system-wide manner the nss-service
> > with additional group memberships? (We do not have the chance to add the
> > memberships to the ldap directory ...)
> > --
> > Wilhelm
_______________________________________________
Pam-list mailing list
Pam-list@xxxxxxxxxx
https://www.redhat.com/mailman/listinfo/pam-list
--
Wilhelm
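
Added example, not part of the original thread: a small check that makes the distinction discussed above visible by comparing the supplementary groups held in the current process's credentials (what pam_group affects) with the groups NSS reports for the same user (what daemons such as hald see). The function names and the sample GIDs in the comments are assumptions made for illustration.

```python
import os
import pwd


def split_memberships(process_gids, nss_gids):
    """Classify GIDs by where they are visible."""
    process_gids, nss_gids = set(process_gids), set(nss_gids)
    return {
        # Visible both to this session and to any NSS consumer.
        "both": sorted(process_gids & nss_gids),
        # Held only in process credentials, e.g. granted by pam_group at
        # login: inherited by child processes, invisible to NSS lookups.
        "process_only": sorted(process_gids - nss_gids),
        # Known to NSS but not held by this process, e.g. a membership
        # added to /etc/group or LDAP after the session started.
        "nss_only": sorted(nss_gids - process_gids),
    }


def audit_current_session():
    """Compare this process's groups with what NSS resolves for its user."""
    # getgroups() may omit the effective GID, so add it explicitly.
    process_gids = set(os.getgroups()) | {os.getegid()}
    try:
        entry = pwd.getpwuid(os.getuid())
    except KeyError:
        return None  # the uid has no passwd entry reachable through NSS
    # getgrouplist() walks the "group" sources listed in nsswitch.conf.
    nss_gids = os.getgrouplist(entry.pw_name, entry.pw_gid)
    return split_memberships(process_gids, nss_gids)


if __name__ == "__main__":
    result = audit_current_session()
    if result is None:
        print("current uid is not resolvable through NSS")
    else:
        for label, gids in result.items():
            print(f"{label}: {gids}")
```

A non-empty `process_only` list in a login session is the situation described in this thread: the membership exists for the session's process hierarchy but not for services that resolve the user through NSS.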