Is your /etc/nsswitch file configured to get group info from LDAP? If so everything should just work I believe.
Sincerely, Scott
On Sep 15, 2015, at 7:58 AM, JC lovecraftesque@yahoo.com wrote:
I have a CentOS system where authentication over the SSH interface is delegated to an OpenLDAP server by means of PAM. This works fine. However, when the authentication succeeds, I would like for the OpenLDAP server to send back group information as well to the CentOS system. That is, the OpenLDAP server should send back a list of groups that the authenticated user will belong to when a shell is created for it in the CentOS box. This information should supersede whatever group information is local to the CentOS box.
I have an LDAP schema in the OpenLDAP server system that almost achieves what I want - but not quite. In the CentOS system I currently have a file named mysite.ldif with the following contents:
# extended LDIF
#
# LDAPv3
# base <dc=mysite,dc=com> with scope subtree
# filter: (objectclass=*)
# requesting: ALL
#

# mysite.com
dn: dc=mysite,dc=com
objectClass: top
objectClass: dcObject
objectClass: organization
o: MySite
dc: mysite

# People, mysite.com
dn: ou=People,dc=mysite,dc=com
ou: People
objectClass: organizationalUnit

# Group, mysite.com
dn: ou=Group,dc=mysite,dc=com
ou: Group
objectClass: organizationalUnit

# firstgroup, Group, mysite.com
dn: cn=firstgroup,ou=Group,dc=mysite,dc=com
objectClass: posixGroup
objectClass: top
cn: onegroup
userPassword:: e2NyeXB0fXg=
gidNumber: 1001
memberUid: FirstUser
memberUid: SecondUser

# secondgroup, Group, mysite.com
dn: cn=secondgroup,ou=Group,dc=mysite,dc=com
objectClass: posixGroup
objectClass: top
cn: twogroup
userPassword:: e2NyeXB0fXg=
gidNumber: 1002
memberUid: FirstUser

# FirstUser, People, mysite.com
dn: uid=FirstUser,ou=People,dc=mysite,dc=com
uid: FirstUser
cn: FirstUser
objectClass: account
objectClass: posixAccount
objectClass: top
objectClass: shadowAccount
shadowLastChange: 14250
shadowMax: 99999
shadowWarning: 7
loginShell: /bin/bash
uidNumber: 1014
gidNumber: 1014
homeDirectory: /home/FirstUser
gecos: ,,,
userPassword:: TXlQYXNzd29yZAo=

# SecondUser, People, mysite.com
dn: uid=SecondUser,ou=People,dc=mysite,dc=com
uid: SecondUser
cn: SecondUser
objectClass: account
objectClass: posixAccount
objectClass: top
objectClass: shadowAccount
shadowLastChange: 14002
shadowMax: 99999
shadowWarning: 7
loginShell: /bin/bash
uidNumber: 1005
gidNumber: 1005
homeDirectory: /home/SecondUser
gecos: ,,,
userPassword:: T3RoZXJQYXNzd29yZAo=
After starting my OpenLDAP server, I load this information into the OpenLDAP server's database with
ldapadd -D uid=root,ou=People,dc=mysite,dc=com -x -w ThePassword -f mysite.ldif
Now assuming that LDAP authentication is enabled in the Linux server, and that PAM in this system will delegate its authentication to the OpenLDAP server above, the authentication works fine (assuming the correct password is entered, of course) but the group information does not seem to be extracted correctly. After successfully logging in as user FirstUser, if from the command line I invoke
groups FirstUser
I get the following output:
FirstUser : user onegroup onegroup twogroup twogroup
I do not understand why 'onegroup' and 'twogroup' are repeated. For completeness, the /etc/nsswitch.conf file in the CentOS system contains (among other things) the following line:
group: ldap [SUCCESS=return] files
Any feedback on this issue will be welcome. It should be clear by now that I am not, by any means, an expert on things LDAP; my apologies if I am doing something stupid or misguided.
openldap-technical@openldap.org
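The thread does not resolve where the repeated group names come from, but the directory data itself can be checked before blaming the NSS layer. The script below is an added example, not code from the thread or from OpenLDAP: it parses a small LDIF (a constructed copy of the question's group and user entries, with the same base64 userPassword values), lints it for the problems an administrator would want to know about (an RDN whose value is missing from the entry, such as cn=firstgroup carrying only cn: onegroup; a primary gidNumber with no posixGroup; a userPassword stored without a {scheme} prefix or with a trailing newline; repeated memberUid values; gidNumber collisions), and computes what a correct initgroups()-based `groups` lookup should print, which is each supplementary group exactly once. The parser, the lint rules and the function names are this example's own assumptions.

```python
"""Lint a posixAccount/posixGroup LDIF and compute the group list that NSS
should hand back for a user. Added example, not code from the thread; the
sample LDIF is a constructed copy of the question's entries."""
import base64

# Constructed sample: the question's two groups and one user, condensed.
# The userPassword values are the question's own base64 strings.
SAMPLE_LDIF = """\
dn: cn=firstgroup,ou=Group,dc=mysite,dc=com
objectClass: posixGroup
cn: onegroup
userPassword:: e2NyeXB0fXg=
gidNumber: 1001
memberUid: FirstUser
memberUid: SecondUser

dn: cn=secondgroup,ou=Group,dc=mysite,dc=com
objectClass: posixGroup
cn: twogroup
gidNumber: 1002
memberUid: FirstUser

dn: uid=FirstUser,ou=People,dc=mysite,dc=com
uid: FirstUser
objectClass: posixAccount
uidNumber: 1014
gidNumber: 1014
userPassword:: TXlQYXNzd29yZAo=
"""


def unfold(text):
    """Join LDIF continuation lines (leading space) onto the previous line."""
    lines = []
    for raw in text.splitlines():
        if raw.startswith(" ") and lines:
            lines[-1] += raw[1:]
        else:
            lines.append(raw)
    return lines


def parse_ldif(text):
    """Minimal LDIF parser: list of (dn, {attr: [values]}); decodes '::' base64."""
    entries, current = [], None
    for line in unfold(text):
        if line.startswith("#"):
            continue
        if line == "":
            if current:
                entries.append(current)
            current = None
            continue
        attr, _, value = line.partition(":")
        if value.startswith(":"):  # 'attr:: <base64>'
            value = base64.b64decode(value[1:].strip()).decode("utf-8", "replace")
        else:
            value = value.strip()
        if attr == "dn":
            current = (value, {})
        elif current is not None:
            current[1].setdefault(attr, []).append(value)
    if current:
        entries.append(current)
    return entries


def classes(attrs):
    return {c.lower() for c in attrs.get("objectClass", [])}


def lint(entries):
    """Findings an administrator would want before loading the LDIF."""
    findings, gid_owner, account_gids = [], {}, {}
    for dn, attrs in entries:
        rdn_attr, _, rdn_val = dn.split(",", 1)[0].partition("=")
        # slapd requires the naming attribute's value to be present in the
        # entry; cn=firstgroup with only 'cn: onegroup' fails that check.
        if rdn_val not in attrs.get(rdn_attr, []):
            findings.append(f"{dn}: RDN value '{rdn_val}' missing from {rdn_attr} values")
        if "posixgroup" in classes(attrs):
            gid = attrs.get("gidNumber", ["?"])[0]
            if gid in gid_owner:
                findings.append(f"{dn}: gidNumber {gid} also used by {gid_owner[gid]}")
            gid_owner[gid] = dn
            members = attrs.get("memberUid", [])
            if len(members) != len(set(members)):
                findings.append(f"{dn}: repeated memberUid values")
        if "posixaccount" in classes(attrs):
            account_gids[dn] = attrs.get("gidNumber", ["?"])[0]
        for pw in attrs.get("userPassword", []):
            if not pw.startswith("{"):
                findings.append(f"{dn}: userPassword has no {{scheme}} prefix (stored in clear)")
            if pw.endswith("\n"):
                findings.append(f"{dn}: userPassword ends in a newline (check the base64 input)")
    for dn, gid in account_gids.items():
        if gid not in gid_owner:
            findings.append(f"{dn}: primary gidNumber {gid} has no posixGroup entry")
    return findings


def groups_for(entries, uid):
    """What `groups <uid>` should print: the primary group, then each
    supplementary group once; a correct initgroups() never repeats a gid."""
    gid_name, supplementary, primary = {}, [], None
    for dn, attrs in entries:
        cls = classes(attrs)
        if "posixgroup" in cls:
            gid = attrs["gidNumber"][0]
            gid_name[gid] = attrs["cn"][0]
            if uid in attrs.get("memberUid", []) and gid not in supplementary:
                supplementary.append(gid)
        elif "posixaccount" in cls and attrs.get("uid", [""])[0] == uid:
            primary = attrs["gidNumber"][0]
    names = []
    if primary is not None:
        names.append(gid_name.get(primary, primary))  # bare gid if no group entry
    names.extend(gid_name[g] for g in supplementary if g != primary)
    return names


if __name__ == "__main__":
    entries = parse_ldif(SAMPLE_LDIF)
    for finding in lint(entries):
        print("lint:", finding)
    print("FirstUser :", " ".join(groups_for(entries, "FirstUser")))
```

Run against the sample, the lint reports both groups' RDN/cn mismatch, FirstUser's primary gid 1014 having no group entry, and FirstUser's userPassword being stored in clear with a trailing newline; the expected group line is `FirstUser : 1014 onegroup twogroup`, each supplementary group once. On the real system, `getent group onegroup` and `id FirstUser` exercise the same NSS path that `groups` uses and are the next thing to compare against this output.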