Hi Matthew,

thank you for the advice.

Wedgwood, Matthew E wrote:
On many systems, you can simply create the group locally and add members to it in /etc/group. The group memberships will be concatenated with those in LDAP.
Sure, but that's not the full story. The problem isn't the pam-stack at all, it is the other processes on the system like hal or dbus. They must rely on nss to look up group membership of users, and nss doesn't use pam at all. So if I give the login-process additional memberships (via pam_group) this is for the process-hierarchy of the user and not for the user itself.
I was missing the ability to add group membership to all or some users - sure I don't want to list them all in the /etc/group.
The solution is to install consolekit (at least on a debian-lenny system) which comes with the pam_ck_connector, which does exactly what is needed: looking up group membership through pam!
This assumes that "files" appears in your nss config. Something like this:

passwd: files ldap
group: files ldap

Be sure that the local group IDs match up with the LDAP groups you're targeting.

-Matthew

On Oct 20, 2009, at 5:48 AM, "Wilhelm Meier" <wilhelm.meier@xxxxxxxx> wrote:

Hi all,

we are using pam_group in combination with pam_ldap to give users additional group membership like plugdev. This is ok but not for hald, since it uses nss to resolve the group membership of a given user.

What is the best way to provide in a system-wide manner the nss-service with additional group memberships? (We do not have the chance to add the memberships to the ldap directory ...)

--
Wilhelm

_______________________________________________
Pam-list mailing list
Pam-list@xxxxxxxxxx
https://www.redhat.com/mailman/listinfo/pam-list
--
Wilhelm
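The gap discussed in this thread, between the supplementary groups a login process carries (for example from pam_group) and the groups NSS reports for the user, can be checked on a host with the following added example, which is not part of the original messages. The helper names and the sample status text are constructed for illustration; gid 46 stands in for a group such as plugdev.

```python
import os
import pwd

# Constructed sample of /proc/<pid>/status for a login shell (not from the thread).
SAMPLE_STATUS = """Name:\tbash
Uid:\t1000\t1000\t1000\t1000
Gid:\t1000\t1000\t1000\t1000
Groups:\t46 1000 
"""


def parse_status(text):
    """Return (real_uid, real_gid, supplementary_gids) from /proc/<pid>/status text."""
    fields = {}
    for line in text.splitlines():
        key, sep, value = line.partition(":")
        if sep:
            fields[key.strip()] = value.split()
    uid = int(fields["Uid"][0])
    gid = int(fields["Gid"][0])
    groups = {int(g) for g in fields.get("Groups", [])}
    return uid, gid, groups


def nss_gids(uid, gid):
    """Groups NSS (files, ldap, ...) reports for the user; the view hald or dbus gets."""
    name = pwd.getpwuid(uid).pw_name
    return set(os.getgrouplist(name, gid))


def compare(status_text, lookup=nss_gids):
    """Split a process's groups into those only the process holds and those only NSS knows."""
    uid, gid, proc_groups = parse_status(status_text)
    proc_groups.add(gid)
    known = lookup(uid, gid)
    return {
        "process_only": sorted(proc_groups - known),  # e.g. granted by pam_group at login
        "nss_only": sorted(known - proc_groups),      # e.g. added to a group after login
    }


if __name__ == "__main__":
    # Audit the current session: compare this process's credentials with NSS.
    with open("/proc/self/status") as fh:
        print(compare(fh.read()))
```

A non-empty `process_only` list marks memberships that exist only in the session's process credentials and that daemons resolving the user through NSS will not see.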