Ldap – Groups with local and LDAP users

Tags: ldap, sssd

I'm exploring the idea of authenticating users on some RHEL 6.4 boxes using LDAP. I'm using sssd with an LDAP provider, and setting the nsswitch.conf file to use sss for passwd/shadow/group.

How can I set things up so that system users (which don't come from LDAP) can be in the same groups as LDAP users? For example, I might want some LDAP users to be in a "svn" group, so they have access to an SVN repository. But I also need the SVN server to run as a user in that group, and that user doesn't come from LDAP. Is this possible?

Best Answer

I don't know SSSD, but if your LDAP database is properly rfc2307bis-02 compliant, then you should be able to add both member and memberUid attribute values to any group in the LDAP database. The member values are used for DN-based LDAP users; memberUid values are for local users, who of course do not have DNs. For example, the following should add a local user called fred and an LDAP user called ethel to the vipb group:

$ ldapmodify -D <admin DN> -h <ldaphost> -W
password: [enter password]
dn: cn=vipb,ou=groups,dc=example,dc=com
changetype: modify
add: memberUid
memberUid: fred
-
add: member
member: uid=ethel,ou=users,dc=example,dc=com

^D

Caching will get in the way, so:

$ nscd --invalidate=group

You can then check the group membership:

$ id -nG fred
$ id -nG ethel
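As an added worked example (not part of the answer above), the following Python script builds the same ldapmodify change record for a mixed group and then resolves the effective membership of an rfc2307bis group entry, splitting memberUid values (local accounts) from member DNs (LDAP accounts) so you can see which names should come back from `id -nG` / `getent group` once nscd/sssd caches are flushed. The group and user DNs are the ones from the answer; the full group entry (objectClass values, gidNumber, the extra user lucy and the folded LDIF line) is constructed sample data, not anything from the original post.

```python
"""Build an rfc2307bis group modification and resolve mixed local/LDAP
membership. Added example; DNs for vipb/ethel come from the answer,
everything else is constructed sample data."""

import re

GROUP_DN = "cn=vipb,ou=groups,dc=example,dc=com"   # from the answer
LOCAL_USERS = ["fred"]                              # local (non-LDAP) accounts
LDAP_USER_DNS = ["uid=ethel,ou=users,dc=example,dc=com"]

# Constructed sample of what the group might look like after the change.
# The folded 'member' line shows LDIF continuation (leading space).
GROUP_ENTRY_LDIF = """dn: cn=vipb,ou=groups,dc=example,dc=com
objectClass: posixGroup
objectClass: groupOfNames
cn: vipb
gidNumber: 5000
memberUid: fred
member: uid=ethel,ou=users,dc=example,dc=com
member: uid=lucy,ou=users,
 dc=example,dc=com
"""

UID_RDN = re.compile(r"^uid=([^,]+)", re.IGNORECASE)


def build_group_modify_ldif(group_dn, local_users, ldap_user_dns):
    """Return the LDIF change record that adds local users as memberUid
    values and LDAP users as member (DN) values, i.e. the ldapmodify input
    shown in the answer, with a '-' separator between the two add blocks."""
    lines = [f"dn: {group_dn}", "changetype: modify"]
    blocks = []
    if local_users:
        blocks.append(["add: memberUid"] + [f"memberUid: {u}" for u in local_users])
    if ldap_user_dns:
        blocks.append(["add: member"] + [f"member: {dn}" for dn in ldap_user_dns])
    for i, block in enumerate(blocks):
        if i:
            lines.append("-")
        lines.extend(block)
    return "\n".join(lines) + "\n"


def parse_ldif_entry(text):
    """Parse one LDIF entry into attr -> [values]. Handles plain 'attr: value'
    lines and folded continuation lines; base64 ('::') values are not handled."""
    unfolded = []
    for raw in text.splitlines():
        if raw.startswith(" ") and unfolded:
            unfolded[-1] += raw[1:]          # join continuation line, drop its leading space
        elif raw and not raw.startswith("#"):
            unfolded.append(raw)
    entry = {}
    for line in unfolded:
        attr, _, value = line.partition(": ")
        entry.setdefault(attr, []).append(value)
    return entry


def effective_members(entry):
    """Split a group entry into local (memberUid) and LDAP (member DN) users.
    Only DNs whose first RDN is uid= are counted; 'overlap' lists names that
    appear in both places, which is worth checking before trusting `id` output."""
    local = list(entry.get("memberUid", []))
    ldap = []
    for dn in entry.get("member", []):
        m = UID_RDN.match(dn.strip())
        if m:
            ldap.append(m.group(1))
    return {
        "local": local,
        "ldap": ldap,
        "all": sorted(set(local) | set(ldap)),
        "overlap": sorted(set(local) & set(ldap)),
    }


if __name__ == "__main__":
    print(build_group_modify_ldif(GROUP_DN, LOCAL_USERS, LDAP_USER_DNS))
    members = effective_members(parse_ldif_entry(GROUP_ENTRY_LDIF))
    for kind in ("local", "ldap", "all", "overlap"):
        print(f"{kind:8s} {members[kind]}")
```

Feed the output of build_group_modify_ldif to `ldapmodify` on stdin instead of typing it interactively; the resolver is handy for comparing what the directory says against what `getent group vipb` returns on a client, which is the quickest way to tell a caching problem from a schema problem.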