I have a CentOS system where authentication over the SSH interface is delegated to an OpenLDAP server by means of PAM. This works fine. However, when the authentication succeeds, I would like the OpenLDAP server to send back group information as well to the CentOS system. That is, the OpenLDAP server should send back a list of groups that the authenticated user will belong to when a shell is created for it on the CentOS box. This information should supersede whatever group information is local to the CentOS box.
I have an LDAP schema in the OpenLDAP server system that almost achieves what I want - but not quite. In the CentOS system I currently have a file named mysite.ldif with the following contents:

# extended LDIF
#
# LDAPv3
# base <dc=mysite,dc=com> with scope subtree
# filter: (objectclass=*)
# requesting: ALL
#

# mysite.com
dn: dc=mysite,dc=com
objectClass: top
objectClass: dcObject
objectClass: organization
o: MySite
dc: mysite

# People, mysite.com
dn: ou=People,dc=mysite,dc=com
ou: People
objectClass: organizationalUnit

# Group, mysite.com
dn: ou=Group,dc=mysite,dc=com
ou: Group
objectClass: organizationalUnit

# firstgroup, Group, mysite.com
dn: cn=firstgroup,ou=Group,dc=mysite,dc=com
objectClass: posixGroup
objectClass: top
cn: onegroup
userPassword:: e2NyeXB0fXg=
gidNumber: 1001
memberUid: FirstUser
memberUid: SecondUser

# secondgroup, Group, mysite.com
dn: cn=secondgroup,ou=Group,dc=mysite,dc=com
objectClass: posixGroup
objectClass: top
cn: twogroup
userPassword:: e2NyeXB0fXg=
gidNumber: 1002
memberUid: FirstUser

# FirstUser, People, mysite.com
dn: uid=FirstUser,ou=People,dc=mysite,dc=com
uid: FirstUser
cn: FirstUser
objectClass: account
objectClass: posixAccount
objectClass: top
objectClass: shadowAccount
shadowLastChange: 14250
shadowMax: 99999
shadowWarning: 7
loginShell: /bin/bash
uidNumber: 1014
gidNumber: 1014
homeDirectory: /home/FirstUser
gecos: ,,,
userPassword:: TXlQYXNzd29yZAo=

# SecondUser, People, mysite.com
dn: uid=SecondUser,ou=People,dc=mysite,dc=com
uid: SecondUser
cn: SecondUser
objectClass: account
objectClass: posixAccount
objectClass: top
objectClass: shadowAccount
shadowLastChange: 14002
shadowMax: 99999
shadowWarning: 7
loginShell: /bin/bash
uidNumber: 1005
gidNumber: 1005
homeDirectory: /home/SecondUser
gecos: ,,,
userPassword:: T3RoZXJQYXNzd29yZAo=

After starting my OpenLDAP server, I load this information into the OpenLDAP server's database with

ldapadd -D uid=root,ou=People,dc=mysite,dc=com -x -w ThePassword -f mysite.ldif
Now assuming that LDAP authentication is enabled in the Linux server, and that PAM in this system will delegate its authentication to the OpenLDAP server above, the authentication works fine (assuming the correct password is entered, of course) but the group information does not seem to be extracted correctly. After successfully logging in as user FirstUser, if from the command line I invoke

groups FirstUser

I get the following output:

FirstUser : user onegroup onegroup twogroup twogroup

I do not understand why 'onegroup' and 'twogroup' are repeated. For completeness, the /etc/nsswitch.conf file in the CentOS system contains (among other things) the following line:

group: ldap [SUCCESS=return] files
Any feedback on this issue will be welcome. It should be clear by now that I am not, by any means, an expert on things LDAP; my apologies if I am doing something stupid or misguided.
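Before digging into nss_ldap, a quick sanity check on the LDIF itself is worth having. The script below is an added example, not part of the question above: it parses LDIF (including `::` base64 values and folded lines), lists which posixGroup entries name a given uid as memberUid, and flags every entry whose RDN value (for instance `cn=firstgroup` in the DN) does not appear among that entry's own values for the naming attribute. RFC 4512 requires the RDN value to be present in the entry, so such a mismatch either makes slapd reject the add with a naming violation or leaves the entry with two values for `cn`, which is worth knowing about when a group name shows up unexpectedly. The sample data is a trimmed, constructed copy of the entries from the question (passwords omitted); the DN parsing is simplified and assumes no escaped commas in the RDN.

```python
import base64
from collections import defaultdict

# Constructed sample: trimmed copy of the question's group and user entries,
# embedded inline so the check runs offline.
SAMPLE_LDIF = """\
dn: cn=firstgroup,ou=Group,dc=mysite,dc=com
objectClass: posixGroup
objectClass: top
cn: onegroup
gidNumber: 1001
memberUid: FirstUser
memberUid: SecondUser

dn: cn=secondgroup,ou=Group,dc=mysite,dc=com
objectClass: posixGroup
objectClass: top
cn: twogroup
gidNumber: 1002
memberUid: FirstUser

dn: uid=FirstUser,ou=People,dc=mysite,dc=com
uid: FirstUser
cn: FirstUser
objectClass: posixAccount
uidNumber: 1014
gidNumber: 1014
homeDirectory: /home/FirstUser
"""


def parse_ldif(text):
    """Parse LDIF text into a list of (dn, {attr: [values]}) tuples.

    Attribute names are lower-cased (LDAP treats them case-insensitively).
    'attr:: value' is base64-decoded, a leading space continues the previous
    line, '#' lines are comments, and blank lines separate entries.
    """
    logical = []
    for raw in text.splitlines():
        if raw.startswith(" ") and logical:      # folded continuation line
            logical[-1] += raw[1:]
        else:
            logical.append(raw)

    entries, attrs = [], None
    for line in logical + [""]:                  # trailing "" flushes the last entry
        if line.startswith("#"):
            continue
        if line.strip() == "":
            if attrs is not None:
                if "dn" not in attrs:
                    raise ValueError("entry without dn")
                entries.append((attrs["dn"][0], dict(attrs)))
                attrs = None
            continue
        name, _, rest = line.partition(":")
        if rest.startswith(":"):                 # 'attr:: base64'
            value = base64.b64decode(rest[1:].strip()).decode("utf-8")
        else:
            value = rest.strip()
        if attrs is None:
            attrs = defaultdict(list)
        attrs[name.strip().lower()].append(value)
    return entries


def rdn_mismatches(entries):
    """Return DNs whose RDN value is missing from the entry's naming attribute.

    Simplified: takes the text before the first ',' as the RDN, so DNs with
    escaped commas are not handled (an assumption of this example).
    """
    bad = []
    for dn, attrs in entries:
        rdn = dn.split(",", 1)[0]
        attr, _, value = rdn.partition("=")
        present = [v.lower() for v in attrs.get(attr.strip().lower(), [])]
        if value.strip().lower() not in present:
            bad.append(dn)
    return bad


def posix_groups_for(entries, uid):
    """Sorted names (first cn value) of posixGroup entries listing uid as memberUid."""
    names = []
    for _, attrs in entries:
        classes = {c.lower() for c in attrs.get("objectclass", [])}
        if "posixgroup" in classes and uid in attrs.get("memberuid", []):
            names.append(attrs["cn"][0])
    return sorted(names)


if __name__ == "__main__":
    parsed = parse_ldif(SAMPLE_LDIF)
    print("FirstUser supplementary groups:", posix_groups_for(parsed, "FirstUser"))
    for dn in rdn_mismatches(parsed):
        print("RDN value not present in entry:", dn)
```

Run against the real file with `parse_ldif(open("mysite.ldif").read())`; any DN the script reports should be looked at before comparing the LDAP answer with what `groups` prints.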