Re: check group membership locally and in also in ldap
- From: bloguillard <blog@xxxxxxxxxxxxxxx>
- Date: Tue, 13 Mar 2012 17:38:45 +0100
- In-reply-to: <CA+5QeXTjub+uUyn_+Gk00=kkMZH6E8swf-MpAW+PuwtrYmz9Jw@mail.gmail.com>
- References: <CA+5QeXS-H9F-uYmtTKaJNysjvNmkUzhO8GqmnK=2HsB0Z--vRg@mail.gmail.com> <CA+5QeXTjub+uUyn_+Gk00=kkMZH6E8swf-MpAW+PuwtrYmz9Jw@mail.gmail.com>
Note:
To clarify what I am trying to do:
I am trying to create an ldap "sysgroup" posixgroup entry that the usual
(and unusual) "sysaccounts" would be members of, to be able to
grant the members of that "sysgroup" specific rights (declared
in security/access.conf).
I'm also open to suggestions :-)
--
Olivier
2012/3/13 bloguillard <blog@xxxxxxxxxxxxxxx>:
> Hello,
>
> I have configured a redhat box to authenticate users over an
> openldap server. "Systems" accounts ( uid > 500 ) are not
> created in ldap but are authenticated over local password db.
>
> system-auth :
> ...
> auth required pam_env.so
> auth sufficient pam_unix.so nullok try_first_pass
> auth requisite pam_succeed_if.so uid >= 500 quiet
> auth sufficient pam_sss.so use_first_pass
> auth required pam_deny.so
> ...
>
> My ldap directory also contains posixgroups.
>
> I noticed that if I configure locally a system account to use
> an ldap GID, then the user is properly registered as a member
> of this group as well as any other groups it would be a member
> of locally ( declared in /etc/group ).
>
> But if I declare in local /etc/passwd a local group as being the
> primary group for that user, then the user is not registered as being
> a member of any ldap group it would be "subscribed" to.
>
> QUESTION: is there any way to configure pam to say that the
> user group list includes ldap groups the user is a member of
> as well as local groups, even if the primary group of that user
> is local?
>
> Thanks
>
> ---
> Olivier
_______________________________________________
Pam-list mailing list
Pam-list@xxxxxxxxxx
https://www.redhat.com/mailman/listinfo/pam-list