Re: nss_initgroups_ignoreusers ALLLOCAL issue
[
Date Prev][
Date Next]
[
Thread Prev][
Thread Next]
Re: nss_initgroups_ignoreusers ALLLOCAL issue
- From: "mh [at] ow2.org" <mh [at] ow2.org>
- To: Arthur de Jong <arthur [at] arthurdejong.org>, nss-pam-ldapd-users [at] lists.arthurdejong.org
- Subject: Re: nss_initgroups_ignoreusers ALLLOCAL issue
- Date: Tue, 16 May 2017 09:22:19 +0200
Hi Arthur,
Thank you for the clarification. I need more :)
Le 15/05/2017 à 19:08, Arthur de Jong a écrit :
> On Mon, 2017-05-15 at 17:59 +0200, mh@ow2.org wrote:
>> nss_initgroups_ignoreusers ALLLOCAL isn't about ignoring all locally
>> defined users from the LDAP at all. It's about 'group membership
>> lookups'
>
> Indeed. I was wondering about what the problem was ;_
>
>> My goal was to avoid duplicate username between local and LDAP but it
>> doesn't seem possible to do so.
>
> Having duplicate user names should not be a real problem as long as the
> entry from /etc/passwd matches that from LDAP.
usually the data does't match: the UID/GID in the LDAP is different from
local.
My use case is as follow : I have a set of linux servers with on each of
them a local account - same username every time but not necessarily the
same uid/gid or homedir . On a second hand, I have a ldap server which
already provide authentication for a number of web apps that I have
tweaked to handle posix account objectclasses.
At this point, it appears that I need to authenticate using that LDAP
account with the same username as the local one mentioned above to my
linux boxes.
>
> If you want to filter out certain users you could use the filter
> statement to exclude users from LDAP that match certain criteria. There
> is no way to automatically exclude all locally defined users from LDAP
> lookups (though if you are running nscd in most situations this should
> not be a problem).
I'm not sure to understand what is the role of nscd in this, and why it
should not be a problem ?
However I could use:
filter passwd (!(uid=<dupusername>))(objectClass=posixAccount)
Or I could have that ldap dupusername defined with UID/GID>10000 then
test this in the filter. That would emulate a "group of LDAP users to
ignore".
Any better idea ?
>
> What you want to avoid is having multiple users with different
> information on the system. If you are running nscd both user names and
> numeric user ids are expected to be unique on the system.
unfortunately, this is the case, I have a single username with different
data locally vs LDAP. It seems I have no choice but to build some
filters to avoid that.
Regards,
--
To unsubscribe send an email to
nss-pam-ldapd-users-unsubscribe@lists.arthurdejong.org or see
https://lists.arthurdejong.org/nss-pam-ldapd-users/
