On Sunday 12 April 2009 16:49:40 Stephen Parry wrote:
Thanks in advance for any answers to this query, and thanks to the
who wrote and maintain OpenLDAP.
I have OpenLDAP running on my Ubuntu Intrepid server. I have installed the
various PAM and NSS bits and pieces to allow integrated authentication.
It may be useful to specify the actual software names, as Debain/Ubuntu AFAIK
ships two different nss plugins for LDAP.
can now use users and groups stored in LDAP database to do shell logins,
permission files and authenticate Apache secure connections (hooray!). It
also is set up so that Unix user accounts and groups still function outside
of LDAP as expected.
However, there is one quirk to this. I can make LDAP users members of Unix
groups and this works fine.
Users defined in LDAP can still be Unix groups. I think it is more precise to
refer to users defined in the local files as "local users".
I cannot however do the equivalent: make Unix
users working members of LDAP groups. I can put them in the groups, but the
the system command "id -nG" does not list the LDAP groups and the
filesystem fails to pick up the permissions.
Works here. Are you using nscd? If so, have you invalidated its cache (or
tested without nscd running)?
Did you really only use 'id -nG' (which uses the group memberships of the
currently running process), or did you use 'id -nG $USER' (which does a new
lookup)? You should start a new shell/login after changing the groups of a
user (whether it is defined locally, or remotely).
Have you (or some tool, or some defaults) previously configured nss_ldap
(assuming you're using it) to not lookup groups in LDAP for the user in
question? It may be useful to post your nss_ldap ldap.conf
Is this behaviour by design?
Can the relevant modules be configured to
allow LDAP groups have Unix users as members?
Users and groups in LDAP *are* Unix groups ... there are some things that
don't work by default, but this case should.