3

I have an ldap server with users and groups.
Also, another server that is using the first one for the accounts.
Users from ldap can login to the second server.
I can add groups to the users in ldap.

I tried to add a group (the group exists only in LDAP) to a system user in the second server without any luck. Is it possible?

Thanks!

3 Answers

2

I have searched for the answer to the same question (as you can see).

My conclusion is that you cannot assign an LDAP group to a user that exists locally only.

These are two worlds: either the user (and its groups) is local, or it is not, i.e. everything is stored in the directory.

For example: what would happen if the user already has a primary group that is local, and you'd try to add a secondary group to that user? Usually, that would be stored in /etc/group, but in this case it would have to modify the directory which it probably can't.

So I guess that's a no-go.

Marki
2

From my own investigation, if you have all the normal PAM / nsswitch.conf plumbing set up, you can do this, but only by adding the local user to the group in the LDAP database directly using ldapmodify on the memberUid attribute on the LDAP server (see here):

$ ldapmodify -x -D <admin DN> -h <ldaphost> -W
Enter LDAP Password: [enter password]
dn: cn=vipb,ou=groups,dc=example,dc=com
changetype: modify
add: memberUid
memberUid: fred

^D

Note that the blank line is necessary.

Next, you have to invalidate the nscd cache on server 2:

$ nscd --invalidate=group

You can then check the group membership on server 2 by issuing:

$ id -nG fred

CAVEAT: The use of LDAP as a user database relies on the schema detailed in this draft standard: rfc2307bis-02. There are THREE versions of the standard so far. Amongst the things that get tweaked between versions are the member and memberUid attributes; this means your LDAP set up may not play nicely. A fully bis-02 compliant install should contain and support both attributes: memberUid (for local logins members of the LDAP group, without a dn) and member (for LDAP users with a full dn) within a given group. They should also allow either or both to be empty, allowing empty groups. Your mileage may vary - you'll need to check your server's schema.

Tools like webmin can be useful for manipulating the LDAP users and groups and the LDAP database; but again they may not play nicely with rfc2307bis-02. For example, Webmin's LDAP Users and Groups module copes with memberUid but not member.

Where things get really murky is memberOf support. Some systems (e.g. early ownCloud) rely on memberOf support to work out what groups a user is a member of without having to query the LDAP database twice. Often memberOf only works for one of the attributes and then only after heavily tweaking the LDAP config.

  • It is also possible to add the memberUid attribute via LDAP Account Manager (I have version 6.7 on Ubuntu). Go to "Tree View", select the group and click on "+ Add new attribute". Choose memberUid from the drop down and enter the user name ("fred" in the example above) and hit return. It will ask you to save the change. My local user was added to the group after I did this. – gha Sep 02 '21 at 08:52
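The procedure in the answer above (build the memberUid modification, apply it with ldapmodify, drop the nscd group cache, verify with getent/id) as one script. This is an added example, not code from the answer or the comment; the group DN cn=vipb,ou=groups,dc=example,dc=com, the local user fred, the group name vipb and the sample getent line are assumed, and the admin DN and LDAP host are placeholders you have to supply.

```shell
#!/bin/sh
# Added example. Assumed names: the posixGroup cn=vipb,ou=groups,dc=example,dc=com
# and the local user "fred". Admin DN and LDAP host are placeholders.
set -e

# Emit the LDIF change record that appends one memberUid value to an
# rfc2307 posixGroup. The trailing blank line ends the record; ldapmodify
# needs it when several records are fed through one pipe.
build_memberuid_ldif() {
    group_dn=$1
    uid=$2
    printf 'dn: %s\nchangetype: modify\nadd: memberUid\nmemberUid: %s\n\n' \
        "$group_dn" "$uid"
}

# Return 0 if $2 is listed in the member field of a getent-style group
# line ("name:x:gid:member1,member2"), 1 otherwise. The commas added on
# both sides stop "fred" from matching "alfred" or "fredrik".
group_line_has_member() {
    line=$1
    uid=$2
    members=${line##*:}
    case ",$members," in
        *",$uid,"*) return 0 ;;
        *)          return 1 ;;
    esac
}

# The live procedure. Not run automatically: call it on a host that can
# reach the LDAP server, e.g.
#   add_local_user_to_ldap_group 'cn=vipb,ou=groups,dc=example,dc=com' fred \
#       'cn=admin,dc=example,dc=com' ldap.example.com vipb
add_local_user_to_ldap_group() {
    group_dn=$1; uid=$2; admin_dn=$3; ldap_host=$4; group_name=$5

    # -x forces a simple bind; without it ldapmodify tries SASL first.
    build_memberuid_ldif "$group_dn" "$uid" \
        | ldapmodify -x -D "$admin_dn" -H "ldap://$ldap_host" -W

    # Stale positive/negative group entries would hide the change; nscd
    # may not be installed, so a failure here is not fatal.
    nscd --invalidate=group 2>/dev/null || true

    # getent goes through nsswitch, so this confirms the whole chain
    # (schema, ldap/sss NSS module, cache) rather than just the directory.
    if group_line_has_member "$(getent group "$group_name")" "$uid"; then
        echo "$uid is now a member of $group_name"
        id -nG "$uid"
    else
        echo "membership not visible: check nsswitch.conf and the group schema" >&2
        return 1
    fi
}

# Constructed sample of a getent group line, for offline demonstration only.
sample_group_line='vipb:x:10050:alice,fred'
```

The verification step deliberately uses getent rather than a second LDAP search: if the server accepted the memberUid but server 2 still does not show fred in vipb, the problem is on the nsswitch/cache side, which is exactly what the CAVEAT paragraph warns about.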
0

In RHEL, you can do this via the ldap_rfc2307_fallback_to_local_users parameter:

Authentication operations and identity tools like id, however, go through SSSD, and there is no record of the local user in the LDAP identity provider configured for SSSD. There are two ways that SSSD can handle local users:

  • It can delete the user from the local passwd file as if it were a remnant of a deleted local account.

  • It can query the local user list (passwd) as a fallback if a user in a group is not found in LDAP, and then add that user to its cache as if it were an LDAP user.

This behavior is configured in the ldap_rfc2307_fallback_to_local_users parameter for the identity provider domain. By default, this is false, meaning that only users which exist in the LDAP provider are recognized, and a local user is deleted if it is added to an LDAP group. This can be set to true, which queries the local system users as a fallback if an LDAP group member is not found in the LDAP directory.

dr_
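What the parameter described above looks like in an sssd.conf domain section. This is an added example, not from the answer or the RHEL documentation it quotes; the domain name, LDAP URI and search base are assumed placeholders. The setting only applies to the rfc2307 schema (memberUid values), since that is the only schema in which a group member is a plain username that can also exist in /etc/passwd.

```ini
[sssd]
services = nss, pam
domains = example.com

[domain/example.com]
id_provider = ldap
auth_provider = ldap
ldap_uri = ldap://ldap.example.com
ldap_search_base = dc=example,dc=com
ldap_schema = rfc2307

# Default is False: a memberUid that is not found in LDAP is dropped, so
# a local user added to an LDAP group is silently ignored.
# ldap_rfc2307_fallback_to_local_users = False

# With True, SSSD looks the unresolved memberUid up in the local passwd
# database and caches it as if it were an LDAP user.
ldap_rfc2307_fallback_to_local_users = True
```

After editing, restart sssd and clear its cache (sss_cache -E) before re-running id -nG; SSSD's own cache, not just nscd's, would otherwise keep serving the old group membership.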