Is your /etc/nsswitch file configured to get group info from LDAP? If so everything should just work I believe.
Sincerely, Scott

> On Sep 15, 2015, at 7:58 AM, JC <[email protected]> wrote:
>
> I have a CentOS system where authentication over the SSH interface is
> delegated to an OpenLDAP server by means of PAM. This works fine. However,
> when the authentication succeeds, I would like for the OpenLDAP server to
> send back group information as well to the CentOS system. That is, the
> OpenLDAP server should send back a list of groups that the authenticated user
> will belong to when a shell is created for it in the CentOS box. This
> information should supersede the group information local to the CentOS box.
>
> I have an LDAP schema in the OpenLDAP server system that almost achieves what
> I want - but not quite. In the CentOS system I currently have a file named
> mysite.ldif with the following contents:
>
> # extended LDIF
> #
> # LDAPv3
> # base <dc=mysite,dc=com> with scope subtree
> # filter: (objectclass=*)
> # requesting: ALL
> #
>
> # mysite.com
> dn: dc=mysite,dc=com
> objectClass: top
> objectClass: dcObject
> objectClass: organization
> o: MySite
> dc: mysite
>
> # People, mysite.com
> dn: ou=People,dc=mysite,dc=com
> ou: People
> objectClass: organizationalUnit
>
> # Group, mysite.com
> dn: ou=Group,dc=mysite,dc=com
> ou: Group
> objectClass: organizationalUnit
>
> # firstgroup, Group, mysite.com
> dn: cn=firstgroup,ou=Group,dc=mysite,dc=com
> objectClass: posixGroup
> objectClass: top
> cn: onegroup
> userPassword:: e2NyeXB0fXg=
> gidNumber: 1001
> memberUid: FirstUser
> memberUid: SecondUser
>
> # secondgroup, Group, mysite.com
> dn: cn=secondgroup,ou=Group,dc=mysite,dc=com
> objectClass: posixGroup
> objectClass: top
> cn: twogroup
> userPassword:: e2NyeXB0fXg=
> gidNumber: 1002
> memberUid: FirstUser
>
> # FirstUser, People, mysite.com
> dn: uid=FirstUser,ou=People,dc=mysite,dc=com
> uid: FirstUser
> cn: FirstUser
> objectClass: account
> objectClass: posixAccount
> objectClass: top
> objectClass: shadowAccount
> shadowLastChange: 14250
> shadowMax: 99999
> shadowWarning: 7
> loginShell: /bin/bash
> uidNumber: 1014
> gidNumber: 1014
> homeDirectory: /home/FirstUser
> gecos: ,,,
> userPassword:: TXlQYXNzd29yZAo=
>
> # SecondUser, People, mysite.com
> dn: uid=SecondUser,ou=People,dc=mysite,dc=com
> uid: SecondUser
> cn: SecondUser
> objectClass: account
> objectClass: posixAccount
> objectClass: top
> objectClass: shadowAccount
> shadowLastChange: 14002
> shadowMax: 99999
> shadowWarning: 7
> loginShell: /bin/bash
> uidNumber: 1005
> gidNumber: 1005
> homeDirectory: /home/SecondUser
> gecos: ,,,
> userPassword:: T3RoZXJQYXNzd29yZAo=
>
> After starting my OpenLDAP server, I load this information into the OpenLDAP
> server's database with
>
> ldapadd -D uid=root,ou=People,dc=mysite,dc=com -x -w ThePassword -f mysite.ldif
>
> Now assuming that LDAP authentication is enabled in the Linux server, and
> that PAM in this system will delegate its authentication to the OpenLDAP
> server above, the authentication works fine (assuming the correct password is
> entered, of course) but the groups information does not seem to be extracted
> correctly. After successfully logging in as user FirstUser, if from the
> command line I invoke
>
> groups FirstUser
>
> I get the following output:
>
> FirstUser : user onegroup onegroup twogroup twogroup
>
> I do not understand why 'onegroup' and 'twogroup' are repeated. For
> completeness, the /etc/nsswitch.conf file in the CentOS system contains
> (among other things) the following line:
>
> group: ldap [SUCCESS=return] files
>
> Any feedback on this issue will be welcome. It should be clear by now that I
> am not, by any means, an expert on things LDAP; my apologies if I am doing
> something stupid or misguided.
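Before looking at nsswitch, it is worth checking whether the LDIF itself is consistent with what an NSS group lookup expects. The script below is an added example, not code from this thread or from OpenLDAP: it parses the posixGroup and posixAccount entries copied (abridged to the attributes the checks need) from JC's mysite.ldif, flags a cn attribute that differs from the cn in the entry's RDN, duplicated gidNumbers, primary gidNumbers with no matching group, and memberUid values that name no account, and then computes the de-duplicated group list each user would be entitled to from its primary gid plus memberUid membership. The function and constant names (parse_ldif, rdn_value, check_posix, user_groups, SAMPLE_LDIF) are chosen here and are not a library API.

```python
"""Consistency checks for posixGroup/posixAccount entries in an LDIF file.

Added example, not part of the original mail thread. Handles the LDIF subset in the
question: one attribute per line, '::' marking a base64 value, '#' comments and a
blank line between entries. Function names are this example's own, not a library API.
"""
from collections import defaultdict

# Group and user entries copied from JC's mysite.ldif; user entries abridged to the
# attributes the checks below use.
SAMPLE_LDIF = """\
dn: cn=firstgroup,ou=Group,dc=mysite,dc=com
objectClass: posixGroup
objectClass: top
cn: onegroup
userPassword:: e2NyeXB0fXg=
gidNumber: 1001
memberUid: FirstUser
memberUid: SecondUser

dn: cn=secondgroup,ou=Group,dc=mysite,dc=com
objectClass: posixGroup
objectClass: top
cn: twogroup
userPassword:: e2NyeXB0fXg=
gidNumber: 1002
memberUid: FirstUser

dn: uid=FirstUser,ou=People,dc=mysite,dc=com
uid: FirstUser
objectClass: posixAccount
uidNumber: 1014
gidNumber: 1014

dn: uid=SecondUser,ou=People,dc=mysite,dc=com
uid: SecondUser
objectClass: posixAccount
uidNumber: 1005
gidNumber: 1005
"""


def parse_ldif(text):
    """Return a list of entries, each a dict of lower-cased attribute -> list of values."""
    entries, current = [], None
    for line in text.splitlines():
        if line.startswith("#"):
            continue
        if not line.strip():                      # blank line ends the current entry
            if current is not None:
                entries.append(current)
                current = None
            continue
        attr, sep, value = line.partition(":")
        if not sep:
            raise ValueError(f"not an LDIF attribute line: {line!r}")
        if value.startswith(":"):
            value = value[1:].strip()             # base64 value; kept encoded, never needed below
        else:
            value = value.strip()
        if current is None:
            current = defaultdict(list)
        current[attr.lower()].append(value)
    if current is not None:
        entries.append(current)
    return entries


def rdn_value(dn):
    """Value of the first RDN: 'firstgroup' for 'cn=firstgroup,ou=Group,dc=mysite,dc=com'."""
    return dn.split(",", 1)[0].split("=", 1)[1]


def _with_class(entries, objectclass):
    return [e for e in entries if objectclass in (c.lower() for c in e.get("objectclass", []))]


def check_posix(entries):
    """Return human-readable problems; an empty list means the tree is consistent."""
    problems = []
    groups = _with_class(entries, "posixgroup")
    accounts = _with_class(entries, "posixaccount")
    gid_owner = defaultdict(list)
    for g in groups:
        dn = g["dn"][0]
        # NSS reports the group name from the cn attribute, not from the cn in the DN.
        if rdn_value(dn) not in g.get("cn", []):
            problems.append(f"{dn}: RDN value {rdn_value(dn)!r} is not among cn values {g.get('cn')}")
        for gid in g.get("gidnumber", []):
            gid_owner[gid].append(dn)
    for gid, dns in gid_owner.items():
        if len(dns) > 1:
            problems.append(f"gidNumber {gid} is shared by {len(dns)} groups: {dns}")
    known_uids = {u for a in accounts for u in a.get("uid", [])}
    for a in accounts:
        for gid in a.get("gidnumber", []):
            if gid not in gid_owner:
                problems.append(f"{a['dn'][0]}: primary gidNumber {gid} matches no posixGroup")
    for g in groups:
        for member in g.get("memberuid", []):
            if member not in known_uids:
                problems.append(f"{g['dn'][0]}: memberUid {member!r} is not a posixAccount uid")
    return problems


def user_groups(entries, uid):
    """De-duplicated (gidNumber, cn) list: the user's primary gid plus memberUid groups."""
    account = next(a for a in _with_class(entries, "posixaccount") if uid in a.get("uid", []))
    found = {}                                    # keyed on gid so each group appears once
    for g in _with_class(entries, "posixgroup"):
        gid = g["gidnumber"][0]
        if gid in account.get("gidnumber", []) or uid in g.get("memberuid", []):
            found[gid] = g["cn"][0]
    return sorted(found.items())


if __name__ == "__main__":
    tree = parse_ldif(SAMPLE_LDIF)
    for problem in check_posix(tree):
        print("PROBLEM:", problem)
    for user in ("FirstUser", "SecondUser"):
        print(user, "->", user_groups(tree, user))
```

Run against the posted entries it reports four problems: both groups carry a cn attribute (onegroup, twogroup) that differs from the RDN (firstgroup, secondgroup), which is why the `groups` output names them onegroup and twogroup, and neither user's primary gidNumber (1014, 1005) has a posixGroup in the tree. The de-duplicated membership it computes for FirstUser is onegroup and twogroup once each; the doubled names in the actual output come from the NSS lookup path, which is the nsswitch question raised in the reply.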
