lists.arthurdejong.org

Re: Group membership filters with multiple uids




On Fri, 2016-04-01 at 16:49 -0500, Dustin Wenz wrote:
> For example, an ldap user like me might have both "dustinwenz" and
> "dustin" uids, but only the first uid is listed as members of groups
> on the directory server. So, when I login as "dustin", nslcd looks
> for "&(objectClass=posixGroup)(|(memberUid=dustin)" and never finds
> my group membership (thus rejecting my ssh connection).
> 
> If I remove all group restrictions for ssh, I can successfully login
> as my short uid, and nslcd is then smart enough to translate that
> short name to the primary "dustinwenz". I can see this in the debug
> messages: username changed from "dustin" to "dustinwenz".
> 
> Is there any way for nslcd to perform that username switch prior to
> searching for group membership?

I'm afraid this is tricky. The PAM stack has a function for changing
the username (that is related to the message you're seeing) but the
problem is that most applications (and PAM modules) perform name
lookups before calling PAM (this uses NSS). This is what SSH does to
perform a number of access control checks before calling PAM.

Maybe you could use pam_group to do the checks instead of doing them in
SSH, but I'm not sure that this provides all the features you need.

In honesty I haven't seen a very good use case for the changing
username step in PAM. I generally recommend avoiding sharing numeric
userids across users.

-- 
-- arthur - arthur@arthurdejong.org - http://arthurdejong.org/ --
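The following is an added model of the two lookup paths contrasted in the reply above; it is not nslcd, sshd or PAM code, and the directory entries in it are constructed sample data (the uid values and group names are assumptions made for illustration). It shows why a group filter keyed on the login name finds nothing for an alias uid, what a canonicalise-first lookup would return instead, and a simple audit for the shared numeric uid practice the reply advises against.

```python
# Added illustration of the NSS-vs-PAM ordering problem described in the
# reply. Not nslcd/sshd code; the directory data below is constructed.
from typing import Dict, List, Optional

# Constructed LDAP-like entries: one user with two uid values, where only the
# first (canonical) value is listed as memberUid in the group.
USERS = [
    {"dn": "uid=dustinwenz,ou=people,dc=example,dc=com",
     "uid": ["dustinwenz", "dustin"], "uidNumber": 1001, "gidNumber": 100},
    {"dn": "uid=alice,ou=people,dc=example,dc=com",
     "uid": ["alice"], "uidNumber": 1002, "gidNumber": 100},
    # bob deliberately shares uidNumber 1002 with alice for the audit below
    {"dn": "uid=bob,ou=people,dc=example,dc=com",
     "uid": ["bob"], "uidNumber": 1002, "gidNumber": 100},
]

GROUPS = [
    {"cn": "sshusers", "gidNumber": 2000, "memberUid": ["dustinwenz", "alice"]},
    {"cn": "users", "gidNumber": 100, "memberUid": []},
]


def canonical_uid(login: str) -> Optional[str]:
    """Model of the PAM-time rename ('username changed from "dustin" to
    "dustinwenz"'): match any uid value, return the first one."""
    for user in USERS:
        if login in user["uid"]:
            return user["uid"][0]
    return None


def groups_for(login: str, canonicalize: bool = False) -> List[str]:
    """Model of the NSS group lookup an application such as sshd performs
    before PAM runs.  Primary group comes from gidNumber; supplementary
    groups come from a (memberUid=NAME) filter, where NAME is the login name
    as typed unless canonicalize=True."""
    user = next((u for u in USERS if login in u["uid"]), None)
    if user is None:
        return []
    name = user["uid"][0] if canonicalize else login
    primary = [g["cn"] for g in GROUPS if g["gidNumber"] == user["gidNumber"]]
    supplementary = [g["cn"] for g in GROUPS if name in g["memberUid"]]
    return sorted(set(primary + supplementary))


def allowgroups_check(login: str, allowed: List[str],
                      canonicalize: bool = False) -> bool:
    """sshd-style AllowGroups decision made on the NSS result, i.e. before
    any PAM module has had a chance to rewrite the username."""
    return any(g in allowed for g in groups_for(login, canonicalize))


def shared_uidnumbers() -> Dict[int, List[str]]:
    """Audit: which uidNumber values are used by more than one entry."""
    seen: Dict[int, List[str]] = {}
    for user in USERS:
        seen.setdefault(user["uidNumber"], []).append(user["uid"][0])
    return {n: names for n, names in seen.items() if len(names) > 1}


if __name__ == "__main__":
    print("login 'dustin', NSS as sshd sees it:", groups_for("dustin"))
    print("login 'dustin', canonicalised first: ",
          groups_for("dustin", canonicalize=True))
    print("AllowGroups sshusers for 'dustin':", allowgroups_check("dustin", ["sshusers"]))
    print("shared uidNumbers:", shared_uidnumbers())
```

Running it shows the failure in the original question: for the login "dustin" the supplementary lookup matches nothing, so an AllowGroups check on sshusers is refused, while the same check after canonicalising the name succeeds. The ordering is the point: sshd consults NSS and decides before PAM runs, so a PAM-side rename cannot change that result.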

-- 
To unsubscribe send an email to
nss-pam-ldapd-users-unsubscribe@lists.arthurdejong.org or see
http://lists.arthurdejong.org/nss-pam-ldapd-users/