Hi all:
I have a non-technical problem here.
I have managed to solve the problem of using OpenLDAP to store user and group information, and have successfully logged into Linux servers using OpenLDAP.
On the Linux server, I have LOCAL groups named like `devel` and `www`, and LOCAL users belonging to these groups. Through the /etc/sudoers file, I give the different groups different privileges.
In the OpenLDAP database, I defined my own `devel` and `www` groups, and the users in OpenLDAP belong to their corresponding groups.
The problem is, if I add ldap to /etc/nsswitch.conf, then only the first pair of (users/groups) gets the right privileges from /etc/sudoers. That means, if I put `ldap` before `files`, only the users logging in through OpenLDAP can use the privileges defined in /etc/sudoers. But if I put `files` before `ldap` in /etc/nsswitch.conf, then only the local (users/groups) pair gets the privileges from /etc/sudoers.
I have a bad solution here: give different names to the groups from OpenLDAP, define new privileges in /etc/sudoers for these groups, and after the migration delete the old local groups and old sudo privileges. But this does not seem to be that good a solution.
I wonder what might be the best or right way to migrate smoothly from (local user/group) to (ldap user/group).
Any clue or advice will be greatly appreciated.
Thank you in advance.
Hi, more info:
The file in the filesystem recording uid/gid is based on the uid/gid number, and the gid of the local group and the gid of the OpenLDAP group are different. So the option may be to use `ldap files` in /etc/nsswitch.conf and then use chown to update the gid of the corresponding files and directories.
This is pretty ugly.
At 2012-03-13 10:17:58, huwenfeng <huwenfeng_maillist@163.com> wrote:
I sent this previously from the wrong email address, so mailman did not send it to the list. Resending, and I apologize if there ends up being a duplicate.
I think it's a bad idea to have an LDAP group and a local group with the same name, for this exact reason, especially if the gids do not match.
Are you using the NOTFOUND=continue directive?
Your group line in nsswitch.conf might be: `group: files [NOTFOUND=continue] ldap`
-Chris
On Mar 12, 2012, at 8:58 PM, huwenfeng wrote:
On Mar 12, 2012, at 7:17 PM, huwenfeng wrote:
---- nsswitch.conf is not part of the OpenLDAP software, but generally you just add 'ldap' to the existing entries. If you have questions regarding the behavior of nsswitch, you should probably ask PADL/PAM-LDAP or your distribution.
It's probably not a good idea to duplicate entries (same user) in LDAP and /etc/passwd; it can lead to unpredictable behavior. There's nothing that prevents you from adding LDAP users to /etc/group, and in a few cases I do this (primarily for database files and backup).
Respect the division between /etc/passwd (typically system users and groups) and LDAP (active users and groups). Provided you have properly configured PAM modules (again, not an OpenLDAP discussion), there shouldn't be a problem with LDAP users and groups in /etc/sudoers.
Craig
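An added example, not from this thread or any of its authors: a small pre-migration audit that compares a local /etc/group with LDAP posixGroup entries and, for each %group line in sudoers, reports which users stop matching under a given nsswitch order. Everything in it is constructed sample data (the group names, GIDs, members, the LDIF and the sudoers lines), and the sudo check is emulated as the classic one: a %group rule matches when the entry getgrnam(group) returns carries the user's primary or supplementary GID, or lists the user in its member field. Primary-GID membership via /etc/passwd is not modelled. It also derives the old-GID-to-LDAP-GID map you would need for the chown step in the follow-up.

```python
"""Audit name collisions between local and LDAP POSIX groups before
changing /etc/nsswitch.conf. Added example with constructed data; the
sudo %group check is an emulation, not sudo's own code."""
import re

# Constructed /etc/group (the "files" source)
LOCAL_GROUP = """\
root:x:0:
devel:x:1001:alice,bob
www:x:1002:bob
"""

# Constructed posixGroup entries (the "ldap" source), LDIF style
LDAP_GROUPS_LDIF = """\
dn: cn=devel,ou=Groups,dc=example,dc=com
objectClass: posixGroup
cn: devel
gidNumber: 20001
memberUid: carol

dn: cn=www,ou=Groups,dc=example,dc=com
objectClass: posixGroup
cn: www
gidNumber: 20002
memberUid: dave

dn: cn=ops,ou=Groups,dc=example,dc=com
objectClass: posixGroup
cn: ops
gidNumber: 20003
memberUid: carol
"""

# Constructed /etc/sudoers fragment; only the %group user specs matter
SUDOERS = """\
Defaults env_reset
%devel ALL=(ALL) /usr/bin/git
%www   ALL=(www-data) NOPASSWD: /usr/sbin/apachectl graceful
root   ALL=(ALL) ALL
"""


def parse_group_file(text):
    """name -> (gid, [members]) from /etc/group syntax."""
    groups = {}
    for line in text.splitlines():
        if not line.strip() or line.startswith("#"):
            continue
        name, _pw, gid, members = line.split(":", 3)
        groups[name] = (int(gid), [m for m in members.split(",") if m])
    return groups


def parse_posix_groups_ldif(text):
    """name -> (gid, [memberUid...]) from posixGroup entries in LDIF."""
    groups = {}
    for entry in re.split(r"\n\s*\n", text.strip()):
        attrs = {}
        for line in entry.splitlines():
            key, _, value = line.partition(":")
            attrs.setdefault(key.strip(), []).append(value.strip())
        if "posixGroup" not in attrs.get("objectClass", []):
            continue
        groups[attrs["cn"][0]] = (int(attrs["gidNumber"][0]),
                                  attrs.get("memberUid", []))
    return groups


def sudoers_group_specs(text):
    """Group names referenced as %group in user specs (aliases ignored)."""
    return {m.group(1) for m in re.finditer(r"^%(\S+)\s", text, re.M)}


def getgrnam(name, sources):
    """Emulate nsswitch: the first source that knows the name answers."""
    for src in sources:
        if name in src:
            return src[name]
    return None


def audit(local, ldap, group_specs, order=("files", "ldap")):
    """For each %group present in both sources with different GIDs,
    return the GID sudo will see and the users whose membership lives
    only in the losing source (their GID differs and they are not in
    the winning entry's member list, so the rule never matches them)."""
    by_name = {"files": local, "ldap": ldap}
    sources = [by_name[s] for s in order]
    report = {}
    for name in sorted(group_specs):
        if name not in local or name not in ldap:
            continue
        lgid, lmembers = local[name]
        rgid, rmembers = ldap[name]
        if lgid == rgid:
            continue  # same GID: the gid check passes from either source
        gid_seen, members_seen = getgrnam(name, sources)
        losers = lmembers if gid_seen == rgid else rmembers
        locked_out = sorted(u for u in losers if u not in members_seen)
        report[name] = {"gid_seen_by_sudo": gid_seen, "locked_out": locked_out}
    return report


def gid_remap(local, ldap):
    """old local GID -> LDAP GID for same-named groups whose GIDs differ;
    this is the table a find/chgrp pass over the filesystem would use."""
    return {local[n][0]: ldap[n][0]
            for n in local if n in ldap and local[n][0] != ldap[n][0]}


if __name__ == "__main__":
    local = parse_group_file(LOCAL_GROUP)
    ldap = parse_posix_groups_ldif(LDAP_GROUPS_LDIF)
    specs = sudoers_group_specs(SUDOERS)
    for order in (("files", "ldap"), ("ldap", "files")):
        print("group: " + " ".join(order))
        for name, info in audit(local, ldap, specs, order).items():
            print(f"  %{name}: sudo sees gid {info['gid_seen_by_sudo']}, "
                  f"locked out: {', '.join(info['locked_out']) or 'nobody'}")
    print("gid remap:", gid_remap(local, ldap))
```

Run against real data, feed it the output of `getent group` taken once with only `files` and once with only `ldap` in nsswitch.conf; an empty report for both orders means the %group rules are safe to leave as they are, while a non-empty one tells you exactly which users (and which GIDs) a rename or a gidNumber alignment has to cover before the switch.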
openldap-technical@openldap.org