On 03/14/13 15:02 +0000, Gerhardus Geldenhuis wrote:
> Thanks Dan,
> That is working much better now...
> However I still have two groups showing and I am not sure what determines which
> group entry will be honoured. At the moment the ldap group settings is
> honoured but not sure if that would always be the case. nsswitch is set to
> files ldap so by that logic it should not work... as in if files are
> queried first then it should show that I am not a member of adm unless the
> OS just assumes 4 is 4 regardless of the source.

Think of libnss as a database which returns entries. getgrent(3), and
related system calls, make use of that data without regard to the source
of the information.

If 'getent group' is returning two entries for a given name, that is
equivalent to sticking 'adm' into /etc/group twice, which is a bad idea,
and may lead to ambiguous scenarios. Even though things may seem to work in
spite of that, different applications may treat that data differently now
or in the future.

I recommend:
1) removing adm from /etc/group
OR
2) simply adding your ldap user (ggeldenhuis) to the adm entry in
/etc/group

> Just to clarify how I am testing:
> If my user is part of the adm user in Ubuntu it can less log files; if not
> then it can't less log files. Adding myself to an ldap based adm group
> gives me the ability to access the log files but as said above this does
> not seem to correlate with what nsswitch is configured to do.
> My user has another primary group so I am unable to specify the gid as 4.
> So my question really is which group would get preference to specify
> membership and how/where is that determined?
> Another alternative is to use /etc/security/groups.conf but a note in the
> default config file recommends against it... so that would be a last resort
> to determine group membership upon login.
> Regards
>
> On 14 March 2013 13:45, Dan White <dwhite@olp.net> wrote:
>> On 03/14/13 12:52 +0000, Gerhardus Geldenhuis wrote:
>>> Hi
>>> Admittedly this is slightly OT but I was hoping someone could point me in
>>> the right direction.
>>> I want to be able to grant LDAP users group membership to local groups
>>> on a Ubuntu box. For example the adm group.
>>> How would I go about doing this?
>>> As a very quick test I created an adm group in ldap but it is not having
>>> the desired effect. Output from getent group | grep adm
>>> adm:x:4:
>>> adm:*:4:uid=ggeldenhuis,ou=People,dc=example,dc=com
>>> The first adm group is the local file group and the second my ldap group.
>>> Am I going about this in the wrong way... ?
>>
>> You apparently have this in your ldap tree:
>> memberUid: uid=ggeldenhuis,ou=People,dc=example,dc=com
>> for your adm group. Instead, that should be:
>> memberUid: ggeldenhuis
>> Regardless, your group names and gids *should* be unique to the system.
>> You could remove the entry that's located in /etc/group or, instead of
>> creating an ldap adm group, you could specify a gidNumber of 4 for
>> uid=ggeldenhuis, which will place the user in the group - 'groups
>> ggeldenhuis' should then report the user as a member of adm.
>> --
>> Dan White
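An added check, not part of the thread, that audits a `getent group` dump for the two problems discussed above: a group name or gid served by more than one NSS source, and memberUid values written as a DN instead of a bare login name. The sample input is constructed to mirror the output quoted in the thread, and `audit_groups` and the other function names are my own.

```shell
#!/bin/sh
# Audit a group database dump in the format printed by `getent group` for the
# two problems raised in the thread: a group name (or gid) served by more than
# one NSS source, and memberUid values that carry a full DN instead of a bare
# login name.  Use it as `getent group | audit_groups`.

# Constructed sample mirroring the thread's output: the local adm entry, the
# duplicate ldap adm entry with a DN in its member field, and two clean groups.
SAMPLE_GROUPS='adm:x:4:
adm:*:4:uid=ggeldenhuis,ou=People,dc=example,dc=com
sudo:x:27:alice
staff:x:50:alice,bob'

# Group names that occur more than once on stdin, one per line, sorted.
dup_group_names() {
    awk -F: '{ n[$1]++ } END { for (g in n) if (n[g] > 1) print g }' | sort
}

# Numeric gids shared by more than one entry on stdin.
dup_gids() {
    awk -F: '{ n[$3]++ } END { for (g in n) if (n[g] > 1) print g }' | sort
}

# Entries whose member list contains "=", i.e. a DN rather than bare uids.
# Such a member never matches a login name, so the membership silently fails.
dn_members() {
    awk -F: '$4 ~ /=/ { print $1 ":" $4 }'
}

# Run all three checks on stdin; print findings and return 1 if there are any.
audit_groups() {
    groups_dump=$(cat)
    rc=0
    for check in dup_group_names dup_gids dn_members; do
        found=$(printf '%s\n' "$groups_dump" | "$check")
        if [ -n "$found" ]; then
            printf '%s:\n%s\n' "$check" "$found"
            rc=1
        fi
    done
    return "$rc"
}

# Demonstration on the constructed sample; a real run pipes `getent group` in.
printf '%s\n' "$SAMPLE_GROUPS" | audit_groups || echo 'ambiguous group data; fix before relying on adm membership'
```

After applying either of Dan's two fixes, `getent group | audit_groups` should print nothing and return 0.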