Re: a group problem?
[
Date Prev][
Date Next]
[
Thread Prev][
Thread Next]
Re: a group problem?
- From: Arthur de Jong <arthur [at] arthurdejong.org>
- To: Stefan Obermeier <stefan.obermeier [at] biozentrum.uni-wuerzburg.de>, "nss-pam-ldapd-users [at] lists.arthurdejong.org" <nss-pam-ldapd-users [at] lists.arthurdejong.org>
- Subject: Re: a group problem?
- Date: Mon, 06 Jun 2022 15:39:57 +0200
On Tue, 2022-05-17 at 12:22 +0000, Stefan Obermeier wrote:
> I want to use nss-pam-ldap to get users and groups out of LDAP and
> use them on linux.
Hi Stefan,
Sorry for not replying sooner.
> Login and browsing of users and groups with getent works fine.
> The mapping of group chair1 and the corresponding members is working
> becaus all members of chair1 are listed with getent passwd.
> The other groups dept01* are shown correctly but are not assigned to
> the users.
In Linux group permissions are assigned in two ways:
- via the primary group id (in your example you mapped gidNumber for
this)
- via group membership
You should be able to use `getent` and similar mechanisms (e.g. `id -a
username`) to see what the configuration is for users and groups. There
are other ways to query active groups (e.g. `groups` or plain `id -a`).
> > getent group
> ...
> dept01-AG1:*:12345:user1,user2 user3
> dept01-AG2:*:12346:user2
> ...
>
> > su user1
> > groups
> users
I would expect that dept01-AG1 would also be listed here. There are a
number of things that affect how these kind of names are looked up:
- /etc/nsswitch.conf (could be configured to stop further lookups if
the user or group was found locally)
- nslcd.conf: mapping of properties to attributes
- nscd: could be caching old information, but also gets easily confused
if there is overlap/conflicts between local configuration and LDAP
- PAM: it could mess with the secondary groups that are actually
assigned to the user
The easiest way to properly debug this is to have nslcd run in debug
mode and inspect the logs as you perform the following actions:
- id -a user1
- su user1
- id -a
The first should result in a passwd="user1" lookup as well as a
group/member="user1" lookup. It only looks at what is configured.
The second should most likely result in a lot of passwd, shadow,
group/member, authc and autz calls being logged (this depends on how
PAM is configured).
The last should result in a number of passwd=1234 and group=1234 calls
to lookup the name of the user and the active groups.
Hope this helps,
--
-- arthur - arthur@arthurdejong.org - https://arthurdejong.org/ --