On Mar 12, 2012, at 7:17 PM, huwenfeng wrote:
I got a non-technical problem here.
I have managed to solve the problem of using OpenLDAP to store user and group information
and successfully logged into Linux servers using OpenLDAP.
In the Linux server, I got LOCAL groups named like `devel` and `www`, and LOCAL users
belong to these groups. Through the /etc/sudoers file, I give different groups with
In the OpenLDAP database, I defined my own `devel` and `www` groups, and users in
OpenLDAP belong to their corresponding groups.
The problem is, if I add ldap into /etc/nsswitch.conf, then only the first pair of
(users/groups) gets the right privileges from /etc/sudoers. That means, if I put `ldap`
before `files`, only the users who log in through OpenLDAP can use the privileges defined in
/etc/sudoers. But if I put `files` before `ldap` in /etc/nsswitch.conf, then only the local
(users/groups) pair gets the privileges from /etc/sudoers.
I got a bad solution here: give different names to the groups from OpenLDAP, define new
privileges in /etc/sudoers for these groups, and after migration delete the old local
groups and old sudo privileges. But this seems to be not that good a solution.
I wonder, what might be the best or right way to migrate from (local user/group) to (ldap
Any clue or advice will be greatly appreciated.
Thank you in advance.
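The behaviour described above follows from how NSS resolves the group database: the first listed source that returns an entry wins, so a same-named group in the other source is never seen by sudo. The following simulation is an added example, not code from this thread; the group data, the nsswitch and sudoers snippets are constructed, and it also models glibc's later `[SUCCESS=merge]` action (glibc 2.24 and newer), which unions same-named groups instead of stopping at the first hit.

```python
# Added example: simulate NSS group lookup order ("first match wins") and
# its effect on '%group' rules in sudoers. All data below is constructed.
from dataclasses import dataclass


@dataclass(frozen=True)
class Group:
    name: str
    gid: int
    members: frozenset


# Constructed sample data: local and LDAP groups that share the same names.
FILES_GROUPS = {
    "devel": Group("devel", 1001, frozenset({"alice", "bob"})),
    "www": Group("www", 1002, frozenset({"carol"})),
}
LDAP_GROUPS = {
    "devel": Group("devel", 5001, frozenset({"dave", "erin"})),
    "www": Group("www", 5002, frozenset({"frank"})),
}
SOURCES = {"files": FILES_GROUPS, "ldap": LDAP_GROUPS}


def parse_nsswitch_group(nsswitch_text):
    """Return (services, merge) for the 'group:' line of nsswitch.conf.
    '[SUCCESS=merge]' (glibc >= 2.24) requests union of same-named groups."""
    for line in nsswitch_text.splitlines():
        line = line.split("#", 1)[0].strip()
        if line.startswith("group:"):
            tokens = line.split(":", 1)[1].split()
            services = [t for t in tokens if not t.startswith("[")]
            merge = any(t.lower() == "[success=merge]" for t in tokens)
            return services, merge
    return ["files"], False           # glibc default when the line is absent


def resolve_group(name, services, merge=False):
    """Classic NSS: the first service with the group wins; later sources are
    never consulted. With merge, membership is the union across sources."""
    found = None
    for svc in services:
        hit = SOURCES.get(svc, {}).get(name)
        if hit is None:
            continue
        if not merge:
            return hit
        found = hit if found is None else Group(
            found.name, found.gid, found.members | hit.members)
    return found


def sudo_members(sudoers_text, services, merge=False):
    """Users granted by '%group' sudoers rules under the given lookup order."""
    granted = set()
    for line in sudoers_text.splitlines():
        line = line.split("#", 1)[0].strip()
        if line.startswith("%"):
            grp = resolve_group(line[1:].split()[0], services, merge)
            if grp is not None:
                granted |= grp.members
    return granted
```

With `files ldap` only the local members match the `%devel` and `%www` rules, with `ldap files` only the LDAP members do, and only the merge action yields both.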
nsswitch.conf is not part of the OpenLDAP software, but generally you just add 'ldap' to the
existing entries; if you have questions regarding the behavior of nsswitch, you should
probably ask PADL/PAM-LDAP or your distribution.
It's probably not a good idea to duplicate entries (same user) in LDAP &
/etc/passwd; it can lead to unpredictable behavior. There's nothing that prevents you
from adding LDAP users into /etc/group and in a few cases, I do this (primarily for
database files and backup).
Respect the division between /etc/passwd (typically system users and groups) and LDAP
(active users and groups). Providing you have properly configured pam modules (again, not
an OpenLDAP discussion), there shouldn't be a problem with LDAP users & groups in