Dear Robert,

If nsswitch.conf is set correctly, id also delivers the membership in posixGroups from LDAP. You have to add ldap next to files in the config.

I did several tests and the posixGroups work well, while the dynamic groups are not supported by pam_ldap.

There is also something I would like to see: RACF supports in either the OMVS or OVM profile all the relevant posixAttributes such as uid, gid, shell and home directory. This is also not supported by pam_ldap. If this were supported you could manage the users/groups simply from RACF, while in the current situation you must maintain the LDAP part as well. For our system administrators it would be much more convenient to manage users from RACF than to handle any LDAP tools.

Kind regards,
Florian

On Thu, Jun 7, 2012 at 2:12 AM, Robert Hart <pbch...@au1.ibm.com> wrote:
> Florian,
> Not too familiar with dynamic groups but I'm wondering if your expectations
> are correct. You seem to be expecting that a dynamic group set up in LDAP
> will reflect in the output of the linux id and getent commands. I don't see
> why that should be the case - id and getent display information from the
> file system and databases on the linux machine, not from the LDAP server
> backend.
>
> Regards,
> Robert Hart
> Australia Development Laboratory (ADL), West Perth
> Western Australia
> Internet: pbch...@au1.ibm.com
> Telephone: 61-8-9261-8560 Tie-line: 701-18560
> Fax: 61-8-9261-8453
>
> ----- Message from Florian Bilek <florian.bi...@gmail.com> on Mon, 21 May 2012 22:57:21 +0200 -----
>
> Subject: Question to LDAP/RACF
>
> Dear all,
>
> I am trying to enable the z/VM LDAP/RACF configuration to consolidate user
> administration into one directory. In principle the thing works fine;
> however, I have a question regarding the right configuration:
>
> LDAP allows for dynamic groups. Those groups are based on LDAP queries and
> avoid the need to add/delete users to such groups manually.
>
> I defined a dynamic group called "users" that would qualify all accounts
> that have the attribute uid.
>
> The memberURL is as follows:
>
> dn: cn=users,dc=xxx
> objectclass: posixGroup
> objectclass: top
> objectclass: ibm-dynamicGroup
> cn: users
> gidnumber: 100
> memberurl: ldap:///dc=xxx??one?(&(objectClass=person)(uid=*))
>
> When I log in now with a user I see the following:
>
> $ id
> uid=11002(xbilek) gid=90000(usrys) groups=90000(usrys)
>
> but it should look like
>
> uid=11002(xbilek) gid=90000(usrys) groups=100(users), 90000(usrys)
>
> The getent group command shows only the name of the groups but no members:
>
> getent group users
>
> shows only: users:x:100:
>
> getent group usrys
>
> shows only: users:x:90000:
>
> Maybe the posixGroup is not the best. Is there a howto describing the
> parameters that need to be checked in ldap.conf?
>
> Thank you very much in advance.
>
> --
> Best regards
>
> Florian Bilek
>
> ----------------------------------------------------------------------
> For LINUX-390 subscribe / signoff / archive access instructions,
> send email to lists...@vm.marist.edu with the message: INFO LINUX-390 or
> visit
> http://www.marist.edu/htbin/wlvindex?LINUX-390
> ----------------------------------------------------------------------
> For more information on Linux on System z, visit
> http://wiki.linuxvm.org/

--
Best regards

Florian Bilek
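An added illustration of the behaviour discussed in this thread (my own code, not from the list or from pam_ldap/nss_ldap): it emulates how the NSS client side builds `getent group` and `id` output from static posixGroup attributes only, and contrasts that with what the directory server would derive from the dynamic group's memberURL. The nsswitch.conf fragment, the entries and the function names (nss_sources, ldap_enabled, getent_group, id_groups, dynamic_members) are all constructed for the example, with dc=xxx kept as the thread's placeholder.

```python
"""Added illustration (not from the thread): nss_ldap builds group membership from
static posixGroup attributes (gidNumber, memberUid) only; the memberURL of an
ibm-dynamicGroup is evaluated by the directory server, never by the NSS client."""
import re

NSSWITCH = "passwd: files ldap\ngroup:  files ldap\nshadow: files\n"  # constructed
ENTRIES = [  # constructed, modelled on the thread's objects; dc=xxx is its placeholder
    {"objectClass": ["person", "posixAccount"], "uid": "xbilek", "gidNumber": "90000"},
    {"objectClass": ["posixGroup"], "cn": "usrys", "gidNumber": "90000", "memberUid": ["xbilek"]},
    {"objectClass": ["posixGroup", "ibm-dynamicGroup"], "cn": "users", "gidNumber": "100",
     "memberURL": "ldap:///dc=xxx??one?(&(objectClass=person)(uid=*))"},
]

def nss_sources(conf, database):
    """Sources listed for one nsswitch.conf database, e.g. ['files', 'ldap']."""
    for line in conf.splitlines():
        name, _, rest = line.partition(":")
        if name.strip() == database:
            return rest.split()
    return []

def ldap_enabled(conf):
    """`id` can only show LDAP groups if both passwd and group consult ldap."""
    return all("ldap" in nss_sources(conf, db) for db in ("passwd", "group"))

def getent_group(entries, name):
    """Emulate `getent group NAME` via nss_ldap: memberUid counts, memberURL is ignored."""
    for e in entries:
        if "posixGroup" in e["objectClass"] and e.get("cn") == name:
            return "%s:x:%s:%s" % (name, e["gidNumber"], ",".join(e.get("memberUid", [])))
    return None

def id_groups(entries, user):
    """Emulate the groups= part of `id USER`: primary gid plus static memberUid hits."""
    acct = next(e for e in entries if e.get("uid") == user)
    names = {e["gidNumber"]: e["cn"] for e in entries if "posixGroup" in e["objectClass"]}
    gids = {acct["gidNumber"]} | {e["gidNumber"] for e in entries if user in e.get("memberUid", [])}
    return sorted((int(g), names[g]) for g in gids)

def dynamic_members(entries, group):
    """What the LDAP server itself derives from memberURL (handles (&(a=v)(b=*)) filters)."""
    terms = re.findall(r"\(([\w-]+)=([^)]*)\)", group["memberURL"].rsplit("?", 1)[-1])
    def match(e):
        for attr, value in terms:
            vals = e.get(attr, [])
            vals = vals if isinstance(vals, list) else [vals]
            if not vals or (value != "*" and value not in vals):
                return False
        return bool(terms)
    return [e["uid"] for e in entries if "uid" in e and match(e)]
```

With ldap listed for both passwd and group, `getent_group(ENTRIES, "users")` still yields `users:x:100:` and `id_groups(ENTRIES, "xbilek")` lists only usrys, while `dynamic_members` shows that only the server resolves the memberURL; adding the user to a static memberUid on the group is what makes it appear client-side.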