
Re: Group membership filters with multiple uids


Thanks, Arthur!

I'll check into pam_group to see if it offers a way to make ssh authentication 
work for alternate uids. Any ideas about what may have been different about 
nss_ldap that would have permitted it to work in the past?

Alternatively, in addition to assigned numeric IDs for each ldap account, we 
also assign a GeneratedUID value (which is a UUID) to each user. So, instead of 
searching group membership by the member name (uid), I can also search group 
membership by GUIDs (we call the field 'GroupMembers'). Is there any way to use 
these keys to relate users to groups instead of searching by uid?

        - .Dustin

> On Apr 3, 2016, at 12:42 PM, Arthur de Jong <> wrote:
> On Fri, 2016-04-01 at 16:49 -0500, Dustin Wenz wrote:
>> For example, an ldap user like me might have both "dustinwenz" and
>> "dustin" uids, but only the first uid is listed as members of groups
>> on the directory server. So, when I login as "dustin", nslcd looks
>> for "&(objectClass=posixGroup)(|(memberUid=dustin)" and never finds
>> my group membership (thus rejecting my ssh connection).
>> If I remove all group restrictions for ssh, I can successfully login
>> as my short uid, and nslcd is then smart enough to translate that
>> short name to the primary "dustinwenz". I can see this in the debug
>> messages: username changed from "dustin" to "dustinwenz".
>> Is there any way for nslcd to perform that username switch prior to
>> searching for group membership?
> I'm afraid this is tricky. The PAM stack has a function for changing
> the username (that is related to the message you're seeing) but the
> problem is that most applications (and PAM modules) perform name
> lookups before calling PAM (this uses NSS). This is what SSH does to
> perform a number of access control checks before calling PAM.
> You maybe could use pam_group to do the checks instead of doing them in
> SSH but I'm not sure that this provides all the features you need.
> In honesty I haven't seen a very good use case for the changing
> username step in PAM. I generally recommend avoiding sharing numeric
> userids across users.
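As an added illustration of the lookups discussed in this thread (my own stand-alone model, not code from nslcd or from either poster): a constructed in-memory directory with one account carrying two uid values and one group listing only the primary uid. The GeneratedUID and GroupMembers values are made up, and the canonicalisation step is one possible way to bridge the gap, not something nslcd does on its own.

```python
# Constructed directory mirroring the thread: one account with two uid values
# ("dustinwenz" primary, "dustin" alternate) and one group that lists only the
# primary uid. The GeneratedUID / GroupMembers values are made up.
DIRECTORY = [
    {"dn": "uid=dustinwenz,ou=people,dc=example,dc=org",
     "objectClass": ["posixAccount"],
     "uid": ["dustinwenz", "dustin"],   # first value taken as the primary uid
     "GeneratedUID": ["11111111-2222-3333-4444-555555555555"]},
    {"dn": "cn=sshusers,ou=groups,dc=example,dc=org",
     "objectClass": ["posixGroup"],
     "cn": ["sshusers"],
     "memberUid": ["dustinwenz"],        # the alternate uid is absent here
     "GroupMembers": ["11111111-2222-3333-4444-555555555555"]},
]

def search(equalities):
    """Evaluate an AND of equality assertions, i.e. the LDAP filter
    (&(attr1=val1)(attr2=val2)...), against the in-memory directory."""
    return [e for e in DIRECTORY
            if all(v in e.get(attr, []) for attr, v in equalities)]

def groups_by_login(login):
    """The lookup the thread describes nslcd doing with the login name:
    (&(objectClass=posixGroup)(memberUid=<login>)). Misses alternate uids."""
    hits = search([("objectClass", "posixGroup"), ("memberUid", login)])
    return [g["cn"][0] for g in hits]

def lookup_account(login):
    """Resolve any uid value to its account entry (the NSS-style user lookup
    that yields the primary name); None when no account carries that uid."""
    hits = search([("objectClass", "posixAccount"), ("uid", login)])
    return hits[0] if hits else None

def groups_by_canonical_uid(login):
    """Canonicalise the login name to the primary uid before the memberUid
    search. One way to bridge the gap; not what nslcd does on its own."""
    account = lookup_account(login)
    return groups_by_login(account["uid"][0]) if account else []

def groups_by_guid(login):
    """The alternative Dustin raises: relate user to group through the GUID
    in GroupMembers, so which uid was used to log in no longer matters."""
    account = lookup_account(login)
    if account is None:
        return []
    hits = search([("objectClass", "posixGroup"),
                   ("GroupMembers", account["GeneratedUID"][0])])
    return [g["cn"][0] for g in hits]
```

Unknown logins fall through to an empty group list rather than an error, which is the behaviour an access check should see for a name that resolves to nothing.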
