On 03/14/13 15:02 +0000, Gerhardus Geldenhuis wrote:
Thanks Dan, That is working much better now... However I still have two group showing and not sure what determines which group entry will be honoured. At the moment the ldap group settings is honoured but not sure if that would always be the case. nsswitch is set to files ldap so by that logic it should not work... as in if files are queried first then it should show that I am not a member of adm unless the OS just assumes 4 is 4 regardless of the source.
Think of libnss as a database which returns entries. getgrent(3), and related system calls, makes use of that data without regard to the source of the information.
If 'getent group' is returning two entries for a given name, that is equivalent two sticking 'adm' into /etc/group twice, which is a bad idea, and may lead to ambiguous scenarios. Even though things may seem to work in spite of that, different applications may treat that data differently now or in the future.
I recommend:
1) removing adm from /etc/group OR 2) simply adding your ldap user (ggeldenhuis) to the adm entry in /etc/group
Just to clarify how I am testing: If my user is part of the adm user in Ubuntu it can less log files if not then it can't less log files. Adding myself to an ldap based adm group gives me the abillity to access the log files but as said above this does not seem to correlate with what nsswitch is configured to do.
My user has another primary group so I am unable to specify the gid as 4.
So my question really is which group would get preference to specify membership and how/where is that determined?
Another alternative is to use /etc/security/groups.conf but a note in the default config file recommends against it... so that would be a last resort to determine group membership upon login.
Regards
On 14 March 2013 13:45, Dan White dwhite@olp.net wrote:
On 03/14/13 12:52 +0000, Gerhardus Geldenhuis wrote:
Hi Admittedly this is slightly OT but I were hoping someone could point me in the right direction.
I want to be able to grant LDAP users group membership to local groups on a Ubuntu box. For example the adm group.
How would I go about doing this?
As a very quick test I created a adm group in ldap but it is not having the desired effect. Output from getent group | grep arm
adm:x:4: adm:*:4:uid=ggeldenhuis,ou=**People,dc=example,dc=com
The first adm group is the local file group and the second my ldap group.
Am I going about this in the wrong way... ?
You apparently have this in your ldap tree:
memberUid: uid=ggeldenhuis,ou=People,dc=**example,dc=com
for your adm group. Instead, that should be:
memberUid: ggeldenhuis
Regardless, your group names and guids *should* be unique to the system. You could remove the entry that's located in /etc/group or, instead of creating an ldap adm group, you could specify a gidNumber of 4 for uid=ggeldenhuis, which will place the user in the group - 'groups ggeldenhuis' should then report the user as a member of adm.