[SOLVED] Local group for LDAP user

someshpr · 12-15-2009, 02:07 PM

Hi,
Both my CentOS 5.2 and Ubuntu 8.04 boxes authenticates via the LDAP/Kerberos of the organization (which needless to say, contains thousands of users). So all LDAP users can log in these two boxes. But I want to give some (predefined) additional access to a new users (xyz123). I noted that all the users having the additional access (e.g., abc123) are member of a certain group [829857(umg/dept.res.access.workstations)]. So I guessed if I can add this group to the supplemental groups of xyz123, I would be able to achieve what I want.
In short I want to add LDAP user xyz123 to local group 829857.
But when I tried to use useradd or usermod commands I got errors:

Quote:

[root@client33 home]# id abc123
uid=160855(abc123) gid=764530(abc123) groups=764530(abc123),828514(orgn.faculty),828515(orgn.staff),829857(umg/dept.res.access.workstations),199(res_sudoers)
[root@client33 home]# id xyz123
uid=79841(xyz123) gid=1000(access) groups=634290(xyz123),4593(umg/dept.ecs),1623(ics.aac.pvn),828514(orgn.faculty),828515(orgn.staff),1000(access)
[root@client33 home]# usermod -a -G 829857 xyz123
usermod: xyz123 not found in /etc/passwd
[root@client33 home]# useradd -G 829857 xyz123
useradd: user xyz123 exists
[root@client33 home]# grep abc123 /etc/passwd
[root@client33 home]# grep 160855 /etc/passwd

Where am I going wrong?

Thanks in advance,

irishbitte · 12-15-2009, 03:53 PM

Can you not create a group called

Quote:

[829857(umg/dept.res.access.workstations)]

locally, that way, the mappings should propagate automatically when the user logs in.

someshpr · 12-15-2009, 06:49 PM

Thanks irishbitte! Thanks for replying to the other cross-listed post, too!
If I look at /etc/groups file, there is no local group 829857(umg/dept.res.access.workstations). But all the user who log in to a local directory on that machine are member of this group. And others who log in but to a universally defined LDAP directory are member of access(1000) group. So I was thinking may be there is another way without creating a local group [829857(umg/dept.res.access.workstations)].
By the way, any idea why all other users are member of the access(1000) group.

Sorry if I am confusing, but I am at a loss in what to do, or rather if at all I can do anything having the root permission only on the local machine!

Thanks in advance,

[UPDATE -- Solved| I didn't have enough permission to add the user to the group specified. I had contacted LDAP admin and he did it all!]

rsnyderpsu · 09-14-2010, 11:29 AM

Hi,

I am also a user of the same "User Managed Group" enabled LDAP server. We have seen a situation where when have multiple groups (30+) to which a single user is a member, it seems that permissions are only honored by the first 16 or so groups to which that use is a member. It seems that after that, the group membership is ignored. If we create a local group with a lower number (5xx) then that groups works.

Is there a limit to the number of groups a person can be a member of on specific box? Does it matter if those groups are local or via LDAP?

rsnyderpsu · 09-14-2010, 12:04 PM

Found my own answer to the limitation of groups here and here. It is the 16 group limit that AUTH_SYS with NFS.