On 08/01/12 22:21 +0800, Qian Zhang wrote:
> Hi,
> In my OpenLDAP server, it is possible to set a user as a member of a group, but it has another group as its primary group (I am using "LDAP Admin" as LDAP client tool). For example, in group1, I can see user1 as its "memberUid" attribute, but the "gidNumber" attribute of user1 is group2.
> I'd like to know if this is a reasonable configuration, and in this case, should I consider user1 as the member of group2 too? For example, if I configure a machine to only allow group2 to login, can user1 log into that machine?
> BTW, I do not know how to configure PAM to only allow a group or some groups to log in to the machine, if anyone can tell me the steps, it will be really appreciated!
Yes. That's known to work.
The gidNumber should define the user's primary group. Otherwise, group membership (memberUID) attributes will define group membership as well. From your application's perspective, since it makes system getpwent/getgrent calls, there should be little difference between your described scenario and:
/etc/passwd: user1:x:<uidNumber>:<gidNumber>:.....
/etc/group: <group1>:x:<other_gidNumber>:user1
The function of mapping your LDAP groups to system groups is dependent on installing an nss ldap plugin, but this should be basic functionality among all of them.
Be aware that installing an nss ldap plugin to resolve group membership *can* be very resource intensive, since each call to getgrouplist(3), such as when ssh'ing into the host, can result in your entire ldap group OU being iterated over. Appropriate indexing and caching is critical.
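As an added illustration (not code from either message in the thread, and not from any nss ldap plugin), the following Python emulates how the NSS layer resolves membership once an LDAP posixAccount/posixGroup has been mapped onto passwd- and group-format records: the primary group comes from the gidNumber field, and supplementary groups come from scanning every group's member list, which is exactly what getgrouplist(3) does and why the reply warns that it is expensive against an LDAP backend. The passwd and group records, the user and group names, and the uid/gid values are constructed for this example and mirror the scenario in the question (user1 has gidNumber pointing at group2 but is only listed in group1's memberUid). The final function is the kind of check a PAM module that restricts logins by group performs.

```python
# Added example, not from the thread. Emulates getgrouplist(3)-style group
# resolution over passwd/group records as an nss ldap plugin would present them.
from collections import namedtuple

Passwd = namedtuple("Passwd", "name uid gid")
Group = namedtuple("Group", "name gid members")

# Constructed records (hypothetical names/ids) matching the scenario described:
# user1's primary gid (gidNumber) is group2, but only group1 lists user1 as a member.
PASSWD_DB = """\
user1:x:10001:20002:User One:/home/user1:/bin/bash
user2:x:10002:20001:User Two:/home/user2:/bin/bash
"""

GROUP_DB = """\
group1:x:20001:user1
group2:x:20002:
group3:x:20003:user2
"""


def parse_passwd(text):
    """Parse passwd-format lines (name:x:uid:gid:...) into a dict keyed by name."""
    db = {}
    for line in text.splitlines():
        if not line.strip():
            continue
        fields = line.split(":")
        db[fields[0]] = Passwd(fields[0], int(fields[2]), int(fields[3]))
    return db


def parse_group(text):
    """Parse group-format lines (name:x:gid:member,member) into a dict keyed by name."""
    db = {}
    for line in text.splitlines():
        if not line.strip():
            continue
        fields = line.split(":")
        members = {m for m in fields[3].split(",") if m}
        db[fields[0]] = Group(fields[0], int(fields[2]), members)
    return db


PASSWD = parse_passwd(PASSWD_DB)
GROUPS = parse_group(GROUP_DB)


def getgrouplist(user, passwd_db, group_db):
    """Return the set of group names `user` belongs to.

    Mirrors getgrouplist(3): start with the primary gid from the passwd entry,
    then add every group whose member list names the user. The member scan
    walks the whole group database, which against LDAP means iterating the
    entire group OU unless the plugin indexes/caches it.
    """
    pw = passwd_db[user]
    gids = {pw.gid}
    for g in group_db.values():
        if user in g.members:
            gids.add(g.gid)
    # A primary gid with no matching group entry is silently dropped here,
    # just as it would be an unnamed gid in the output of `id`.
    return {g.name for g in group_db.values() if g.gid in gids}


def user_in_group(user, group, passwd_db, group_db):
    """The check a 'only members of <group> may log in' policy would make."""
    return group in getgrouplist(user, passwd_db, group_db)


if __name__ == "__main__":
    for u in PASSWD:
        print(u, sorted(getgrouplist(u, PASSWD, GROUPS)))
    print("user1 allowed if only group2 may log in:",
          user_in_group("user1", "group2", PASSWD, GROUPS))
```

Because membership is the union of the primary gid and the member lists, user1 resolves to both group1 and group2, so a policy that admits only group2 still admits user1; user2 is not listed in group2 anywhere and is refused.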