I sent this previously from the wrong email address, so mailman did not send it to the list. Resending, and I apologize if this ends up as a duplicate.
I think it's a bad idea to have an ldap group and a local group with the same name for this exact reason - especially if the gids do not match. Are you using the NOTFOUND=continue directive? Your group line in nsswitch.conf might be:

group: files [NOTFOUND=continue] ldap

-Chris

On Mar 12, 2012, at 8:58 PM, huwenfeng wrote:

> Hi,
> More info:
>
> The file in the filesystem recording uid/gid is based on the uid/gid number, and
> the gid of the local group and the gid of the OpenLDAP group are different. So the option
> may be to use `ldap files` in /etc/nsswitch.conf and then use chown to update the
> gid of the corresponding files and dirs.
>
> This is pretty ugly.
>
>
> At 2012-03-13 10:17:58, huwenfeng <[email protected]> wrote:
> Hi all:
>
> I got a non-technical problem here.
>
> I have managed to solve the problem of using OpenLDAP to store user and
> group information and have successfully logged into Linux servers using OpenLDAP.
>
> In the Linux server, I have LOCAL groups named like `devel` and `www`, and
> LOCAL users belonging to these groups. Through the /etc/sudoers file, I give
> different groups different privileges.
>
> In the OpenLDAP database, I defined my own `devel` and `www` groups, and
> users in OpenLDAP belong to their corresponding groups.
>
> The problem is, if I add ldap into /etc/nsswitch.conf, then only the first
> pair of (users/groups) gets the right privileges from /etc/sudoers. That
> means, if I put `ldap` before `files`, only the users logging in through OpenLDAP
> can use the privileges defined in /etc/sudoers. But if I put `files` before
> `ldap` in /etc/nsswitch.conf, then only the local (users/groups) pair gets the
> privileges from /etc/sudoers.
>
> I have a bad solution here: give different names to the groups from OpenLDAP, and
> define new privileges in /etc/sudoers for these groups, and after migration,
> delete the old local groups and old sudo privileges. But this seems to be not
> that good a solution.
>
> I wonder what might be the best or right way to migrate from (local
> user/group) to (ldap user/group) smoothly.
>
> Any clue or advice will be greatly appreciated.
>
> Thank you in advance.
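An added example, not part of the thread and not code from either poster: a pre-migration check for exactly the situation described above, where the same group name exists both in /etc/group and in LDAP. With the default nsswitch.conf actions ([SUCCESS=return NOTFOUND=continue UNAVAIL=continue TRYAGAIN=continue], per nsswitch.conf(5)), a name resolved by the first listed service is never looked up in the second, so a local `devel` shadows an LDAP `devel` (or vice versa), and any file ownership keyed on the other GID is silently disconnected. The script compares two group listings in /etc/group format, reports names present in both and whether their GIDs agree, and prints (but does not run) the chgrp commands that the chown-based migration the original poster mentions would need. The group listings here are constructed sample data; on a real host they would come from `getent -s files group` and `getent -s ldap group`.

```shell
#!/bin/sh
# Added example: detect group-name clashes between local files and LDAP.
# Inputs are in /etc/group format (name:passwd:gid:members).
# On a real host, generate them with:
#   getent -s files group > local.txt
#   getent -s ldap  group > ldap.txt
# Both listings below are constructed sample data for offline use.

LOCAL_GROUPS='root:x:0:
devel:x:1001:alice,bob
www:x:1002:alice
backup:x:1003:'

LDAP_GROUPS='devel:*:20001:carol,dave
www:*:1002:carol
ldapusers:*:20003:carol,dave'

# find_group_clashes LOCAL_LISTING LDAP_LISTING
# Prints one line for every group name present in both listings:
#   CLASH-GID-MISMATCH <name> local=<gid> ldap=<gid>
#   CLASH-GID-SAME     <name> gid=<gid>
# The two listings are streamed to one awk process with a '---' separator
# so the function stays POSIX sh (no process substitution needed).
find_group_clashes() {
    { printf '%s\n' "$1"; printf '%s\n' '---'; printf '%s\n' "$2"; } |
    awk -F: '
        /^---$/           { in_ldap = 1; next }
        !in_ldap          { local_gid[$1] = $3; next }
        ($1 in local_gid) {
            if (local_gid[$1] != $3)
                printf "CLASH-GID-MISMATCH %s local=%s ldap=%s\n", $1, local_gid[$1], $3
            else
                printf "CLASH-GID-SAME %s gid=%s\n", $1, $3
        }'
}

# check_no_gid_mismatch LOCAL_LISTING LDAP_LISTING
# Exit status 0 when no name has different GIDs on the two sides, 1 otherwise.
# A same-name group with the SAME gid is tolerated: sudoers rules keyed on
# the name, and files keyed on the gid, behave identically whichever
# service answers first.
check_no_gid_mismatch() {
    find_group_clashes "$1" "$2" | grep -q '^CLASH-GID-MISMATCH' && return 1
    return 0
}

# print_chgrp_plan LOCAL_LISTING LDAP_LISTING
# For each mismatched group, print the command that would re-own files from
# the local GID to the LDAP GID once the local entry has been removed.
# Nothing is executed; review the plan before running it.
print_chgrp_plan() {
    find_group_clashes "$1" "$2" |
    awk '$1 == "CLASH-GID-MISMATCH" {
            split($3, l, "="); split($4, r, "=")
            printf "find / -xdev -gid %s -exec chgrp %s {} +\n", l[2], r[2]
        }'
}

# Stand-alone run: report the clashes in the sample data and the chgrp plan.
find_group_clashes "$LOCAL_GROUPS" "$LDAP_GROUPS"
print_chgrp_plan "$LOCAL_GROUPS" "$LDAP_GROUPS"
```

Run the check before switching the `group:` line in nsswitch.conf: a clean result from check_no_gid_mismatch means the two sources can be listed in either order without changing which sudoers rules or which files a group resolves to. The chgrp plan uses -xdev so that network mounts, which may be owned by a different identity source entirely, are not touched by accident.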
