
Re: What will happen if a user is a member of a group, but has another group as its primary group



On 08/01/12 22:21 +0800, Qian Zhang wrote:
> Hi,
> 
> In my OpenLDAP server, it is possible to set a user as a member of a
> group, but it has another group as its primary group (I am using "LDAP
> Admin" as LDAP client tool). For example, in group1, I can see user1
> as its "memberUid" attribute, but the "gidNumber" attribute of user1
> is group2.
> 
> I'd like to know if this is a reasonable configuration, and in this
> case, should I consider user1 as the member of group2 too? For
> example, if I configure a machine to only allow group2 to log in, can
> user1 log into that machine?
> 
> BTW, I do not know how to configure PAM to only allow a group or some
> groups to log in to the machine; if anyone can tell me the steps, it will
> be really appreciated!

Yes. That's known to work.

The gidNumber should define the user's primary group. Otherwise, group
membership (memberUID) attributes will define group membership as well.
From your application's perspective, since it makes system
getpwent/getgrent calls, there should be little difference between your
described scenario and:

/etc/passwd:
user1:x:<uidNumber>:<gidNumber>:.....

/etc/group:
<group1>:x:<other_gidNumber>:user1

The function of mapping your LDAP groups to system groups is dependent on
installing an nss ldap plugin, but this should be basic functionality among
all of them.

Be aware that installing an nss ldap plugin to resolve group membership
*can* be very resource intensive, since each call to getgrouplist(3), such
as when ssh'ing into the host, can result in your entire ldap group OU
being iterated over. Appropriate indexing and caching is critical.

--
Dan White
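The passwd/group equivalence Dan describes can be checked mechanically. The program below is an added example, not code from the thread or from any nss plugin: it models what getgrouplist(3) does (start from the passwd gidNumber, then add every group whose member list names the user) over constructed /etc/passwd- and /etc/group-style records that reproduce the scenario in the question (user1 has group2 as gidNumber and is listed as memberUid in group1). The helper names (`resolve_groups`, `user_in_group`, `user1_in_group2`, and so on), the gid values and the sample records are all made up for the illustration. The `main` additionally runs the real getgrouplist(3) against the live NSS stack for the current user, which on an nss_ldap host is the call Dan warns can iterate the whole group OU.

```c
/* Added example: model getgrouplist(3) semantics over constructed passwd/group
 * records, then ask "is user1 a member of group2?" the way a PAM group check would.
 * All record contents below are constructed for the illustration. */
#define _GNU_SOURCE
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <grp.h>
#include <pwd.h>
#include <unistd.h>
#include <sys/types.h>

#define MAX_GROUPS 64

/* Constructed /etc/group-style records mirroring the thread: group1 lists user1
 * as a member (memberUid in LDAP), group2 lists nobody but is user1's primary gid. */
static const char *const sample_group_db[] = {
    "group1:x:1000:user1,user3",
    "group2:x:2000:",
    "group3:x:3000:user2",
    NULL
};

/* Constructed passwd record for user1: gidNumber = 2000, i.e. group2. */
static const char *const sample_passwd_user1 =
    "user1:x:10001:2000:User One:/home/user1:/bin/sh";

/* Return 1 if `user` appears in a comma-separated member list. */
static int member_listed(const char *members, const char *user) {
    size_t ulen = strlen(user);
    const char *p = members;
    while (*p) {
        const char *comma = strchr(p, ',');
        size_t len = comma ? (size_t)(comma - p) : strlen(p);
        if (len == ulen && strncmp(p, user, ulen) == 0) return 1;
        if (!comma) break;
        p = comma + 1;
    }
    return 0;
}

/* Split "name:x:gid:members" into gid and a pointer to the member field. */
static int parse_group_line(const char *line, gid_t *gid, const char **members) {
    const char *f1 = strchr(line, ':');     if (!f1) return 0;
    const char *f2 = strchr(f1 + 1, ':');   if (!f2) return 0;
    const char *f3 = strchr(f2 + 1, ':');   if (!f3) return 0;
    *gid = (gid_t)strtoul(f2 + 1, NULL, 10);
    *members = f3 + 1;
    return 1;
}

/* Extract the gidNumber (4th colon-separated field) from a passwd line. */
static gid_t passwd_gid(const char *line) {
    const char *p = line;
    for (int i = 0; i < 3; i++) {
        p = strchr(p, ':');
        if (!p) return (gid_t)-1;
        p++;
    }
    return (gid_t)strtoul(p, NULL, 10);
}

/* getgrouplist(3) semantics: primary gid first, then every group naming the user.
 * Returns the number of gids written to `out`. */
static int resolve_groups(const char *user, gid_t primary_gid,
                          const char *const *group_db, gid_t *out, int max_out) {
    int n = 0;
    if (n < max_out) out[n++] = primary_gid;
    for (const char *const *g = group_db; *g; g++) {
        gid_t gid; const char *members;
        if (!parse_group_line(*g, &gid, &members)) continue;
        if (gid == primary_gid) continue;              /* already counted via passwd */
        if (member_listed(members, user) && n < max_out) out[n++] = gid;
    }
    return n;
}

/* The thread's question: does `user` belong to gid `wanted` by either route? */
static int user_in_group(const char *user, const char *passwd_line,
                         const char *const *group_db, gid_t wanted) {
    gid_t gids[MAX_GROUPS];
    int n = resolve_groups(user, passwd_gid(passwd_line), group_db, gids, MAX_GROUPS);
    for (int i = 0; i < n; i++)
        if (gids[i] == wanted) return 1;
    return 0;
}

/* Named results for the constructed scenario. */
int user1_in_group2(void) { return user_in_group("user1", sample_passwd_user1, sample_group_db, 2000); }
int user1_in_group1(void) { return user_in_group("user1", sample_passwd_user1, sample_group_db, 1000); }
int user1_in_group3(void) { return user_in_group("user1", sample_passwd_user1, sample_group_db, 3000); }
int user1_group_count(void) {
    gid_t gids[MAX_GROUPS];
    return resolve_groups("user1", passwd_gid(sample_passwd_user1), sample_group_db, gids, MAX_GROUPS);
}

int main(void) {
    printf("user1 in group2 (via gidNumber): %d\n", user1_in_group2());
    printf("user1 in group1 (via memberUid): %d\n", user1_in_group1());
    printf("user1 in group3:                 %d\n", user1_in_group3());

    /* Same resolution against the live NSS stack for the current user. */
    struct passwd *pw = getpwuid(getuid());
    if (pw) {
        gid_t live[MAX_GROUPS];
        int ngroups = MAX_GROUPS;
        if (getgrouplist(pw->pw_name, pw->pw_gid, live, &ngroups) != -1)
            printf("%s resolves to %d group(s) via NSS\n", pw->pw_name, ngroups);
    }
    return 0;
}
```

The point to take from the output is that user1 belongs to group2 through gidNumber alone, with no memberUid entry in group2, and to group1 through memberUid alone; a login restriction keyed on group2 therefore admits user1 as long as the NSS plugin exposes gidNumber correctly, which is what Dan's "yes" rests on.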