Lev Serebryakov
2011-Sep-22 08:17 UTC
pam_ldap and nss_ldap : chicken and egg problem with "wheel" group and "su" utility
Hello, Freebsd-security.

I have a chicken-and-egg problem with the wheel group and the su utility when all users but root are stored in LDAP.

The wheel group should be in /etc/group to allow basic system services to start before LDAP is available.

But when "wheel" is in /etc/group with only "root" as a member (as all other members are in LDAP), the system never takes "wheel" members from LDAP (because /etc/group has priority) and "su" doesn't work!

What is the proper way to resolve this problem?

-- 
// Black Lion AKA Lev Serebryakov <lev@FreeBSD.org>
Dag-Erling Smørgrav
2011-Sep-22 15:21 UTC
pam_ldap and nss_ldap : chicken and egg problem with "wheel" group and "su" utility
Lev Serebryakov <lev@FreeBSD.org> writes:
> But when "wheel" is in /etc/group with only "root" member (as all
> other members are in LDAP), system never takes "wheel" members from
> LDAP (because /etc/group has priority) and "su" doesn't work!

Did you try changing the priority in /etc/nsswitch.conf?

DES
-- 
Dag-Erling Smørgrav - des@des.no
Chao Shin
2011-Oct-12 04:29 UTC
pam_ldap and nss_ldap : chicken and egg problem with "wheel" group and "su" utility
> Hello, Freebsd-security.
>
> I have a chicken-and-egg problem with the wheel group and the su utility when
> all users but root are stored in LDAP.
>
> The wheel group should be in /etc/group to allow basic system services
> to start before LDAP is available.
>
> But when "wheel" is in /etc/group with only "root" as a member (as all
> other members are in LDAP), the system never takes "wheel" members from
> LDAP (because /etc/group has priority) and "su" doesn't work!
>
> What is the proper way to resolve this problem?
>

I don't have a system to test this now, but you can try the config below in your nsswitch.conf:

group: files [success=return notfound=continue] ldap
passwd: files [success=return notfound=continue] ldap

I didn't encounter this problem in my last company's environment.

-- 
The Power to Serve
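The lookup-order behaviour discussed in this thread, as an added worked example that is not part of the original posts: a small simulator of the nsswitch.conf dispatcher (sources walked in order, per-status `[status=action]` lists, defaults from nsswitch.conf(5)) run over constructed group data, where /etc/group holds wheel with only root and LDAP holds the other wheel members. The group data, and the names `lookup_group` and `parse_nss_line`, are constructed for the example.

```python
import re

# Constructed sample data (not from the thread): local /etc/group has "wheel"
# with only root, the remaining wheel members live in LDAP.
FILES_GROUPS = {"wheel": ["root"], "operator": ["root"]}
LDAP_GROUPS = {"wheel": ["lev", "alice"], "developers": ["lev"]}

# Default actions as documented in nsswitch.conf(5): stop on a hit, keep
# going on not-found / unavailable / try-again.
DEFAULT_ACTIONS = {"success": "return", "notfound": "continue",
                   "unavail": "continue", "tryagain": "continue"}


def parse_nss_line(line):
    """Parse 'group: files [notfound=continue] ldap' into [(source, {status: action}), ...]."""
    _, _, spec = line.partition(":")
    entries = []
    # A bracketed action list may contain spaces, so tokenise it as one unit.
    for tok in re.findall(r"\[[^\]]*\]|\S+", spec):
        if tok.startswith("["):
            if not entries:
                raise ValueError("action list must follow a source")
            for pair in tok.strip("[]").split():
                status, _, action = pair.partition("=")
                entries[-1][1][status.lower()] = action.lower()
        else:
            entries.append((tok, {}))
    return entries


def lookup_group(nss_line, name, ldap_up=True):
    """Simulate getgrnam(3) under the given nsswitch line; ldap_up=False models
    the early-boot window before the directory is reachable."""
    for source, actions in parse_nss_line(nss_line):
        if source == "files":
            found = name in FILES_GROUPS
            status, result = ("success", FILES_GROUPS[name]) if found else ("notfound", None)
        elif source == "ldap":
            if not ldap_up:
                status, result = "unavail", None
            else:
                found = name in LDAP_GROUPS
                status, result = ("success", LDAP_GROUPS[name]) if found else ("notfound", None)
        else:
            raise ValueError(f"unsupported source {source!r}")
        if actions.get(status, DEFAULT_ACTIONS[status]) == "return":
            return result  # first source that answers wins; LDAP members are never merged
    return None
```

With `group: files ldap` (and the equivalent explicit `[success=return notfound=continue]` form) wheel resolves to root alone, while `group: ldap files` returns the LDAP members when the directory is up and falls back to the local entry when it is unavailable.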