Thanks Dan,

That is working much better now...

However I still have two group showing and not sure what determines which group entry will be honoured. At the moment the ldap group settings is honoured but not sure if that would always be the case. nsswitch is set to files ldap so by that logic it should not work... as in if files are queried first then it should show that I am not a member of adm unless the OS just assumes 4 is 4 regardless of the source.

Just to clarify how I am testing:

If my user is part of the adm user in Ubuntu it can less log files if not then it can't less log files. Adding myself to an ldap based adm group gives me the abillity to access the log files but as said above this does not seem to correlate with what nsswitch is configured to do.

My user has another primary group so I am unable to specify the gid as 4.

So my question really is which group would get preference to specify membership and how/where is that determined?

Another alternative is to use /etc/security/groups.conf but a note in the default config file recommends against it... so that would be a last resort to determine group membership upon login.

Regards

On 14 March 2013 13:45, Dan White <dwhite@olp.net> wrote:

On 03/14/13 12:52 +0000, Gerhardus Geldenhuis wrote:

Hi
Admittedly this is slightly OT but I were hoping someone could point me in
the right direction.

I want to be able to grant LDAP users group membership to local groups on a
Ubuntu box. For example the adm group.

How would I go about doing this?

As a very quick test I created a adm group in ldap but it is not having the
desired effect. Output from getent group | grep arm

adm:x:4:
adm:*:4:uid=ggeldenhuis,ou=People,dc=example,dc=com

The first adm group is the local file group and the second my ldap group.

Am I going about this in the wrong way... ?

You apparently have this in your ldap tree:

memberUid: uid=ggeldenhuis,ou=People,dc=example,dc=com

for your adm group. Instead, that should be:

memberUid: ggeldenhuis

Regardless, your group names and guids *should* be unique to the system.
You could remove the entry that's located in /etc/group or, instead of
creating an ldap adm group, you could specify a gidNumber of 4 for
uid=ggeldenhuis, which will place the user in the group - 'groups
ggeldenhuis' should then report the user as a member of adm.

--
Dan White

--
Gerhardus Geldenhuis