I have a CentOS system where authentication over the SSH interface is delegated 
to an OpenLDAP server by means of PAM. This works fine. However, when the 
authentication succeeds, I would like for the OpenLDAP server to send back 
group information as well to the CentOS system. That is, the OpenLDAP server 
should send back a list of groups that the authenticated user will belong to 
when a shell is created for it in the CentOS box. This information should 
supersede the groups information local to the CentOS box.
I have an LDAP schema in the OpenLDAP server system that almost achieves what I 
want - but not quite. In the CentOS system I currently have a file named 
mysite.ldif with the following contents:
    # extended LDIF
    #
    # LDAPv3
    # base <dc=mysite,dc=com> with scope subtree
    # filter: (objectclass=*)
    # requesting: ALL
    #

    # mysite.com
    dn: dc=mysite,dc=com
    objectClass: top
    objectClass: dcObject
    objectClass: organization
    o: MySite
    dc: mysite

    # People, mysite.com
    dn: ou=People,dc=mysite,dc=com
    ou: People
    objectClass: organizationalUnit

    # Group, mysite.com
    dn: ou=Group,dc=mysite,dc=com
    ou: Group
    objectClass: organizationalUnit

    # firstgroup, Group, mysite.com
    dn: cn=firstgroup,ou=Group,dc=mysite,dc=com
    objectClass: posixGroup
    objectClass: top
    cn: onegroup
    userPassword:: e2NyeXB0fXg=
    gidNumber: 1001
    memberUid: FirstUser
    memberUid: SecondUser

    # secondgroup, Group, mysite.com
    dn: cn=secondgroup,ou=Group,dc=mysite,dc=com
    objectClass: posixGroup
    objectClass: top
    cn: twogroup
    userPassword:: e2NyeXB0fXg=
    gidNumber: 1002
    memberUid: FirstUser

    # FirstUser, People, mysite.com
    dn: uid=FirstUser,ou=People,dc=mysite,dc=com
    uid: FirstUser
    cn: FirstUser
    objectClass: account
    objectClass: posixAccount
    objectClass: top
    objectClass: shadowAccount
    shadowLastChange: 14250
    shadowMax: 99999
    shadowWarning: 7
    loginShell: /bin/bash
    uidNumber: 1014
    gidNumber: 1014
    homeDirectory: /home/FirstUser
    gecos: ,,,
    userPassword:: TXlQYXNzd29yZAo=

    # SecondUser, People, mysite.com
    dn: uid=SecondUser,ou=People,dc=mysite,dc=com
    uid: SecondUser
    cn: SecondUser
    objectClass: account
    objectClass: posixAccount
    objectClass: top
    objectClass: shadowAccount
    shadowLastChange: 14002
    shadowMax: 99999
    shadowWarning: 7
    loginShell: /bin/bash
    uidNumber: 1005
    gidNumber: 1005
    homeDirectory: /home/SecondUser
    gecos: ,,,
    userPassword:: T3RoZXJQYXNzd29yZAo=
After starting my OpenLDAP server, I load this information into the OpenLDAP 
server's database with
    ldapadd -D uid=root,ou=People,dc=mysite,dc=com -x -w ThePassword -f mysite.ldif
Now assuming that LDAP authentication is enabled in the Linux server, and that 
PAM in this system will delegate its authentication to the OpenLDAP server 
above, the authentication works fine (assuming the correct password is entered, 
of course) but the groups information does not seem to be extracted correctly. 
After successfully logging in as user FirstUser, if from the command line I 
invoke
    groups FirstUser
I get the following output:
    FirstUser : user onegroup onegroup twogroup twogroup
I do not understand why 'onegroup' and 'twogroup' are repeated. For 
completeness, the /etc/nsswitch.conf file in the CentOS system contains (among 
other things) the following line:
   group:  ldap [SUCCESS=return] files
Any feedback on this issue will be welcome. It should be clear by now that I am 
not, by any means, an expert on things LDAP; my apologies if I am doing 
something stupid or misguided.
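As an added example (not part of the post above), a small Python checker that parses LDIF of the shape shown and flags two posixGroup inconsistencies worth ruling out before looking at nss_ldap itself: an entry whose DN names the group one way (cn=firstgroup) while its cn attribute says another (onegroup), and a uid listed more than once in memberUid. The sample LDIF is constructed from the post's two group entries, with a repeated memberUid added to secondgroup purely to exercise that check.

```python
import base64

# Constructed sample shaped like the post's mysite.ldif (group subtree only).
SAMPLE_LDIF = """\
dn: cn=firstgroup,ou=Group,dc=mysite,dc=com
objectClass: posixGroup
cn: onegroup
gidNumber: 1001
memberUid: FirstUser
memberUid: SecondUser

dn: cn=secondgroup,ou=Group,dc=mysite,dc=com
objectClass: posixGroup
cn: twogroup
gidNumber: 1002
memberUid: FirstUser
memberUid: FirstUser
"""

def parse_ldif(text):
    # Returns [(dn, {attr: [values]})]; skips comments, decodes '::' base64 values.
    entries, attrs, dn = [], {}, None
    for line in text.splitlines() + [""]:      # trailing "" flushes the last entry
        if line.startswith("#"):
            continue
        if not line.strip():                   # blank line ends an entry
            entries += [(dn, attrs)] if dn else []
            attrs, dn = {}, None
            continue
        name, _, value = line.partition(":")
        value = value.strip()
        if value.startswith(":"):              # '::' marks a base64-encoded value
            value = base64.b64decode(value[1:].strip()).decode()
        if name == "dn":
            dn = value
        else:
            attrs.setdefault(name, []).append(value)
    return entries

def check_posix_groups(entries):
    # Flags posixGroup entries whose naming or membership would surprise nss lookups.
    problems = []
    for dn, a in entries:
        if "posixGroup" not in a.get("objectClass", []):
            continue
        rdn_cn = dn.split(",")[0].partition("=")[2]
        if rdn_cn not in a.get("cn", []):      # DN names the group differently from cn
            problems.append(f"{dn}: RDN cn '{rdn_cn}' not among cn values {a.get('cn')}")
        members = a.get("memberUid", [])
        for uid in sorted({m for m in members if members.count(m) > 1}):
            problems.append(f"{dn}: memberUid '{uid}' listed {members.count(uid)} times")
    return problems
```

Run it against the real mysite.ldif with `check_posix_groups(parse_ldif(open("mysite.ldif").read()))`; an empty list means neither of these two issues is present.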