I am using LDAP + PAM + NSS on Linux, and am trying to use groups defined locally as well as in LDAP. These groups are for (critical) apps that run on the Linux systems. I want to define the group locally so as not to have issues if and when LDAP is unavailable. But to manage group members, I want to define the same groups (and gids) in LDAP.
The problem is that the group members cannot 'newgrp' to groups in which they are members (LDAP defined) if the group exists locally.
It appears that when the group is defined locally, the server does not check LDAP for group members. In the following example, user 'tester' is a member of groups 'postgres' and 'testgrp' (defined in LDAP), and the group 'testgrp' is also defined locally:
[tester]$ groups
postgres testgrp

[tester]$ grep testgrp /etc/group
[tester]$ getent group testgrp
testgrp:x:110:tester

[tester]$ grep postgres /etc/group
postgres:x:110:
[tester]$ grep postgres /etc/gshadow
postgres:!::
[tester]$ getent group postgres
postgres:x:101:
As you can see, 'getent group' shows 'tester' is NOT a member of postgres, although 'groups' shows he is.
My /etc/nsswitch.conf has:
passwd: files ldap
shadow: files ldap
group:  files ldap
PAM /etc/pam.d/system-auth has:
# testing for groups local and in ldap - 022809
auth required   /lib/security/$ISA/pam_group.so debug use_first_pass
# auth required /lib/security/$ISA/pam_env.so
auth sufficient /lib/security/$ISA/pam_unix.so likeauth nullok nodelay
auth sufficient /lib/security/$ISA/pam_ldap.so use_first_pass
auth required   /lib/security/$ISA/pam_deny.so
And, in LDAP:
[tester]$ ldapsearch -x -b 'ou=groups,o=partner_x,dc=example,dc=net' 'cn=postgres'
# extended LDIF
#
# LDAPv3
# base <ou=groups,o=partner_x,dc=example,dc=net> with scope subtree
# filter: cn=postgres
# requesting: ALL
#

# postgres, groups, partner_x, example.net
dn: cn=postgres,ou=groups,o=partner_x,dc=example,dc=net
objectClass: top
objectClass: posixGroup
cn:: cG9zdGdyZXMg
gidNumber: 110
memberUid: tester
description: Postgres DB Group
Thanks in advance for any help.
John
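The post above has no reply on this page. The following Python script is an added diagnostic example, not John's code and not part of the original message: it parses the /etc/group line and the LDIF from the post (both embedded here as constructed sample input) and reports what differs between the local and the LDAP definition of the group. Two points it makes visible: the cn in the LDIF is base64-encoded (cn:: cG9zdGdyZXMg), which is what LDIF does for values that are not safe as plain text, and it decodes to "postgres " with a trailing space; and the memberUid that exists only in LDAP is never returned by getgrnam(3) under `group: files ldap`, because glibc stops at the first source that answers, while `groups` and `id` go through initgroups, which asks every source. That is why the two commands disagree and why newgrp, which uses getgrnam, fails. glibc 2.24 and later accept `group: files [SUCCESS=merge] ldap` to merge member lists across sources; that action did not exist when this was posted.

```python
"""Compare a locally defined POSIX group with its LDAP posixGroup entry.

Added example, not from the original post. Inputs are constructed from the
/etc/group line and the ldapsearch output shown in the post.
"""
import base64
from dataclasses import dataclass, field


@dataclass
class PosixGroup:
    name: str
    gid: int
    members: list = field(default_factory=list)


# Constructed sample: the /etc/group line from the post.
LOCAL_GROUP_LINE = "postgres:x:110:"

# Constructed sample: the LDIF returned by ldapsearch in the post.
LDIF = """\
# extended LDIF
# base <ou=groups,o=partner_x,dc=example,dc=net> with scope subtree
# filter: cn=postgres
#

# postgres, groups, partner_x, example.net
dn: cn=postgres,ou=groups,o=partner_x,dc=example,dc=net
objectClass: top
objectClass: posixGroup
cn:: cG9zdGdyZXMg
gidNumber: 110
memberUid: tester
description: Postgres DB Group
"""


def parse_group_line(line):
    """Parse one /etc/group record: name:password:gid:member,member,..."""
    name, _password, gid, members = line.rstrip("\n").split(":", 3)
    return PosixGroup(name, int(gid), [m for m in members.split(",") if m])


def parse_ldif(text):
    """Parse a single-entry LDIF into {attr: [values]}.

    Handles comments, folded continuation lines (leading space) and the
    'attr:: <base64>' form LDIF uses for values that are not safe as plain
    text, e.g. values with leading or trailing spaces.
    """
    unfolded = []
    for raw in text.splitlines():
        if raw.startswith(" ") and unfolded:
            unfolded[-1] += raw[1:]      # LDIF folding: drop one leading space
        else:
            unfolded.append(raw)

    attrs = {}
    for line in unfolded:
        if not line or line.startswith("#"):
            continue
        attr, sep, value = line.partition(":")
        if not sep:
            continue
        if value.startswith(":"):        # 'attr:: <base64>'
            value = base64.b64decode(value[1:].strip()).decode("utf-8")
        else:
            value = value.strip()
        attrs.setdefault(attr, []).append(value)
    return attrs


def ldif_to_group(attrs):
    """Build a PosixGroup from posixGroup attributes cn, gidNumber, memberUid."""
    return PosixGroup(attrs["cn"][0], int(attrs["gidNumber"][0]),
                      list(attrs.get("memberUid", [])))


def compare_groups(local, remote):
    """Return human-readable findings; an empty list means the two agree."""
    findings = []
    if remote.name != remote.name.strip():
        findings.append("LDAP cn %r has leading/trailing whitespace" % remote.name)
    if remote.name.strip() != local.name:
        findings.append("name mismatch: local %r vs LDAP %r" % (local.name, remote.name))
    if remote.gid != local.gid:
        findings.append("gid mismatch: local %d vs LDAP %d" % (local.gid, remote.gid))
    missing = sorted(set(remote.members) - set(local.members))
    if missing:
        # With 'group: files ldap' getgrnam() returns the files entry and
        # stops, so these members are invisible to newgrp.
        findings.append("members only in LDAP (not seen by getgrnam while "
                        "'files' answers first): %s" % ",".join(missing))
    return findings


def audit(local_line=LOCAL_GROUP_LINE, ldif=LDIF):
    return compare_groups(parse_group_line(local_line),
                          ldif_to_group(parse_ldif(ldif)))


if __name__ == "__main__":
    for finding in audit():
        print(finding)
```

Run against the sample it prints two findings: the trailing space in the cn, and 'tester' as a member present only in LDAP. Passing a fixed LDIF with `cn: postgres` and a local line that lists the same members yields no findings.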