Re: a group problem?

On Tue, 2022-05-17 at 12:22 +0000, Stefan Obermeier wrote:
> I want to use nss-pam-ldap to get users and groups out of LDAP and
> use them on linux.

Hi Stefan,

Sorry for not replying sooner.

> Login and browsing of users and groups with getent works fine.
> The mapping of group chair1 and the corresponding members is working
> because all members of chair1 are listed with getent passwd.
> The other groups dept01* are shown correctly but are not assigned to
> the users.

In Linux group permissions are assigned in two ways:

- via the primary group id (in your example you mapped gidNumber for
  this)
- via group membership

You should be able to use `getent` and similar mechanisms (e.g. `id -a
username`) to see what the configuration is for users and groups. There
are other ways to query active groups (e.g. `groups` or plain `id -a`).

> > getent group
> ...
> dept01-AG1:*:12345:user1,user2 user3
> dept01-AG2:*:12346:user2
> ...
>  
> > su user1 
> > groups
> users

I would expect that dept01-AG1 would also be listed here. There are a
number of things that affect how these kinds of names are looked up:

- /etc/nsswitch.conf (could be configured to stop further lookups if
  the user or group was found locally)
- nslcd.conf: mapping of properties to attributes
- nscd: could be caching old information, but also gets easily confused
  if there is overlap/conflicts between local configuration and LDAP
- PAM: it could mess with the secondary groups that are actually
  assigned to the user

The easiest way to properly debug this is to have nslcd run in debug
mode and inspect the logs as you perform the following actions:

- id -a user1
- su user1
- id -a

The first should result in a passwd="user1" lookup as well as a
group/member="user1" lookup. It only looks at what is configured.

The second should most likely result in a lot of passwd, shadow,
group/member, authc and autz calls being logged (this depends on how
PAM is configured).

The last should result in a number of passwd=1234 and group=1234 calls
to look up the name of the user and the active groups.

Hope this helps,

-- 
-- arthur - arthur@arthurdejong.org - https://arthurdejong.org/ --
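The checks Arthur describes (compare what NSS advertises for a user with what the login session actually received, then look at nsswitch.conf for settings that stop group lookups early) can be scripted. The following is an added example and is not code from the nss-pam-ldapd project or from this thread; the sample `getent` output and nsswitch.conf lines are constructed to resemble the ones discussed above, and on a real system the same texts would come from `getent passwd USER`, `getent group`, `/etc/nsswitch.conf` and `id -Gn USER`.

```python
"""Diagnose a user's missing secondary groups from NSS data (added example).

Every input is plain text so the functions run offline; feed them the output
of `getent passwd USER`, `getent group`, the contents of /etc/nsswitch.conf
and the group list from `id -Gn USER` on a live machine.
"""
import re

# Constructed sample data modelled on the thread; not real directory content.
SAMPLE_GETENT_PASSWD = "user1:*:1001:100:User One:/home/user1:/bin/bash\n"
SAMPLE_GETENT_GROUP = """\
users:x:100:
chair1:*:12000:user1,user2,user3
dept01-AG1:*:12345:user1,user2,user3
dept01-AG2:*:12346:user2
"""
SAMPLE_NSSWITCH = """\
passwd: files ldap
group:  files [NOTFOUND=return] ldap   # stops before ldap if files has no entry
shadow: files ldap
"""


def parse_passwd(text):
    """Map user name -> primary gid from `getent passwd` style lines."""
    users = {}
    for line in text.splitlines():
        fields = line.split(":")
        if len(fields) >= 4 and fields[0]:
            users[fields[0]] = int(fields[3])
    return users


def parse_group(text):
    """Map group name -> (gid, set of members) from `getent group` style lines.

    The member field is comma separated; stray whitespace around names is
    dropped so slightly malformed lines still parse.
    """
    groups = {}
    for line in text.splitlines():
        fields = line.split(":")
        if len(fields) < 4 or not fields[0]:
            continue
        members = {m.strip() for m in fields[3].split(",") if m.strip()}
        groups[fields[0]] = (int(fields[2]), members)
    return groups


def expected_groups(user, users, groups):
    """Groups NSS says the user has: the primary gid plus explicit membership."""
    primary_gid = users.get(user)
    return {name for name, (gid, members) in groups.items()
            if gid == primary_gid or user in members}


def missing_groups(user, users, groups, observed):
    """Groups NSS advertises that the session did not receive (cf. `id -Gn`)."""
    return expected_groups(user, users, groups) - set(observed)


# nsswitch.conf action tokens look like [STATUS=action] or [S1=a1 S2=a2].
_TOKEN = re.compile(r"\[[^\]]*\]|\S+")
_ACTION = re.compile(r"(\w+)=(\w+)")


def nsswitch_group_issues(text):
    """Findings about the `group:` database line of an nsswitch.conf text."""
    findings = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line.startswith("group:"):
            continue
        tokens = _TOKEN.findall(line[len("group:"):])
        if "ldap" not in tokens:
            findings.append("group: line does not list the ldap source")
        for tok in tokens:
            if tok == "ldap":
                break
            for status, action in _ACTION.findall(tok):
                # glibc defaults are SUCCESS=return and everything else
                # =continue; any other status that returns ends the lookup
                # chain before the ldap source is consulted.
                if action.lower() == "return" and status.lower() != "success":
                    findings.append(f"{tok} precedes ldap on the group: line "
                                    "and stops lookups before LDAP is queried")
        break
    return findings


if __name__ == "__main__":
    users = parse_passwd(SAMPLE_GETENT_PASSWD)
    groups = parse_group(SAMPLE_GETENT_GROUP)
    # Constructed `id -Gn user1` result: the session only got users and chair1.
    print("missing:", sorted(missing_groups("user1", users, groups,
                                            ["users", "chair1"])))
    for finding in nsswitch_group_issues(SAMPLE_NSSWITCH):
        print("nsswitch:", finding)
```

Run it against real output by replacing the constructed samples; a non-empty `missing` set narrows the problem to one of the layers listed above (nsswitch ordering, nslcd attribute mapping, a stale nscd cache, or PAM altering the session's supplementary groups), which is exactly what the nslcd debug log then confirms.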