I have a CentOS system where authentication over the SSH interface is delegated to an OpenLDAP server by means of PAM. This works fine. However, when the authentication succeeds, I would like the OpenLDAP server to send back group information as well to the CentOS system. That is, the OpenLDAP server should send back a list of groups that the authenticated user will belong to when a shell is created for it on the CentOS box. This information should supersede whatever group information is local to the CentOS box.
I have an LDAP schema in the OpenLDAP server system that almost achieves what I want - but not quite. In the CentOS system I currently have a file named mysite.ldif with the following contents:
# extended LDIF
# base <dc=mysite,dc=com> with scope subtree
# filter: (objectclass=*)
# requesting: ALL
After starting my OpenLDAP server, I load this information into the OpenLDAP server's database with
ldapadd -D uid=root,ou=People,dc=mysite,dc=com -x -w ThePassword -f mysite.ldif
Now assuming that LDAP authentication is enabled in the Linux server, and that PAM in this system will delegate its authentication to the OpenLDAP server above, the authentication works fine (assuming the correct password is entered, of course) but the group information does not seem to be extracted correctly. After successfully logging in as user FirstUser, if from the command line I invoke
I get the following output:
FirstUser : user onegroup onegroup twogroup twogroup
I do not understand why 'onegroup' and 'twogroup' are repeated. For completeness, the /etc/nsswitch.conf file in the CentOS system contains (among other things) the following line:
group: ldap [SUCCESS=return] files
Any feedback on this issue will be welcome. It should be clear by now that I am not, by any means, an expert on things LDAP; my apologies if I am doing something stupid or misguided.
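To reason about what the `group: ldap [SUCCESS=return] files` line quoted above actually tells glibc to do, here is a small model of how NSS walks the sources named on one nsswitch.conf line for a by-name lookup such as getgrnam(3). This is an added example, not code from the original post or from glibc: the `ldap` and `files` sources are stand-ins fed with constructed group data (the group names mirror the ones in the post, the member lists are made up), and enumeration (getgrent) and initgroups, which is what a `groups`-style listing depends on, are deliberately not modelled, so it does not by itself explain the repeated names. The defaults it applies (SUCCESS returns, every other status continues) and the `!` negation are the ones documented in nsswitch.conf(5).

```python
# Added example (not part of the original post): a model of how glibc's NSS
# walks the sources named on one nsswitch.conf line, e.g.
#     group: ldap [SUCCESS=return] files
# for a by-name lookup such as getgrnam(3). The "ldap" and "files" sources
# below are stand-ins fed with constructed data, not real NSS modules, and
# enumeration (getgrent) and initgroups are deliberately not modelled.
import re

STATUSES = ("SUCCESS", "NOTFOUND", "UNAVAIL", "TRYAGAIN")
# Defaults documented in nsswitch.conf(5): a hit stops the walk, any other
# status falls through to the next source.
DEFAULT_ACTIONS = {"SUCCESS": "return", "NOTFOUND": "continue",
                   "UNAVAIL": "continue", "TRYAGAIN": "continue"}


def parse_nsswitch_line(line):
    """Split 'db: src1 [STATUS=action ...] src2 ...' into the database name and
    an ordered list of (source, {status: action}) pairs, applying the defaults."""
    db, sep, rest = line.partition(":")
    if not sep:
        raise ValueError("not a nsswitch.conf database line: %r" % line)
    entries = []
    # Tokens are either a bracketed action spec or a bare source name.
    for tok in re.findall(r"\[[^\]]*\]|\S+", rest):
        if tok.startswith("["):
            if not entries:
                raise ValueError("action spec before any source: " + tok)
            for spec in tok[1:-1].split():
                negate = spec.startswith("!")
                status, _, action = spec.lstrip("!").partition("=")
                status, action = status.upper(), action.lower()
                if status not in STATUSES or action not in ("return", "continue"):
                    raise ValueError("unsupported action spec: " + spec)
                # [!SUCCESS=return] means: for every status other than SUCCESS, return.
                targets = [s for s in STATUSES if s != status] if negate else [status]
                for t in targets:
                    entries[-1][1][t] = action
        else:
            entries.append((tok, dict(DEFAULT_ACTIONS)))
    return db.strip(), entries


def lookup(entries, sources, key):
    """Query each source in order and stop at the first whose status maps to
    'return'. `sources` maps a source name to a callable key -> (status, value).
    Returns (status, value, source_that_answered_last)."""
    status, value, answered = "NOTFOUND", None, None
    for name, actions in entries:
        status, value = sources[name](key)
        answered = name
        if actions[status] == "return":
            break
    return status, value, answered


# Constructed data standing in for /etc/group and for group entries in the
# directory (names chosen to mirror the ones in the post; members are made up).
FILES_GROUPS = {"user": ["FirstUser"], "onegroup": ["localadmin"]}
LDAP_GROUPS = {"onegroup": ["FirstUser"], "twogroup": ["FirstUser"]}


def files_source(name):
    return ("SUCCESS", FILES_GROUPS[name]) if name in FILES_GROUPS else ("NOTFOUND", None)


def ldap_source(name):
    return ("SUCCESS", LDAP_GROUPS[name]) if name in LDAP_GROUPS else ("NOTFOUND", None)


def unavailable_ldap(name):
    # Stand-in for the directory being unreachable (e.g. slapd down).
    return ("UNAVAIL", None)


SOURCES = {"files": files_source, "ldap": ldap_source}


def resolve(line, name, sources=SOURCES):
    """Evaluate one nsswitch.conf line for one group name."""
    _, entries = parse_nsswitch_line(line)
    return lookup(entries, sources, name)


if __name__ == "__main__":
    line = "group: ldap [SUCCESS=return] files"
    for g in ("onegroup", "user", "nosuchgroup"):
        print(g, "->", resolve(line, g))
    # With LDAP unreachable, UNAVAIL falls through to files by default;
    # adding UNAVAIL=return would instead fail the lookup at the ldap step.
    print(resolve(line, "onegroup", {"ldap": unavailable_ldap, "files": files_source}))
```

Two things the walk makes visible: with `[SUCCESS=return]` the local `onegroup` in the files stand-in is never consulted once the ldap stand-in answers, and a group that only exists locally (`user` here) is still found because NOTFOUND continues by default. Whether a lookup should fall back to local files when the directory is unreachable is a policy choice; `UNAVAIL=return` closes that fallback.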