Matthias Saou wrote :
> I've got a main file upload server on which I'd like to authenticate
> some users against LDAP, but override their uid/gid pair. I need to do
> this only on this one server, so changing the unique uid/gid in the
> LDAP server isn't an option :-(
>
> I've tried adding this to /etc/ldap.conf :
>
> nss_override_attribute_value uid www
> nss_override_attribute_value gid www
>
> And it gives a weird result (the system thinks the user's real uid
> corresponds to the "www" name...), but doesn't work.
>
> I've looked at PAM's configuration but haven't found a way to do what I
> want there. The best I've managed to do is use pam_group.so to have all
> users logging in added to the "www" group, which would be acceptable if
> I could easily enforce g+sw mode on all directories and g+w on all
> files; unfortunately that's not easy either.
>
> Has anyone already tried something similar? And hopefully succeeded? :-)
All I needed was coffee. The above is obviously wrong, and simply changing to this works fine :

nss_override_attribute_value uidNumber 600
nss_override_attribute_value gidNumber 600

Here are a few more details in case they might be useful to others :

This is an upload server where some users will have access to websites, and multiple users will be able to easily "share" files without having to share a password. Using nss_ldap, users have sftp access with their personal LDAP login/password, and using autofs, they see the websites they have been given access to :

In /etc/auto.master :
/home/matthias /etc/auto/matthias

In /etc/auto/matthias :
www.foo.ext :/www/www.foo.ext
www.bar.ext :/www/www.bar.ext

And this line changed in /etc/sysconfig/autofs :
DEFAULT_BROWSE_MODE="yes"

The "matthias" file will obviously be able to contain more lines, and more user files will be dropped in /etc/auto/ too. All websites are under /www/ and owned by 600:600. The mount --bind magic makes this work, and by using autofs one spares a lot of ugly scripts as well as having unused directories always being bind mounted.

I've also noticed that in RHEL5, "df" doesn't report bind mounts by default; you need to do "df -a" to see them.

The next step is to have sftp log file transfers. I hope the RHEL5 version is recent enough, as I know it's a quite recent addition to the mainstream openssh.

Matthias
--
Clean custom Red Hat Linux rpm packages : http://freshrpms.net/
Fedora release 7 (Moonshine) - Linux kernel 2.6.22.1-41.fc7
Load : 0.59 0.55 0.46

_______________________________________________
rhelv5-list mailing list
[email protected]
https://www.redhat.com/mailman/listinfo/rhelv5-list
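A note on why the first attempt misbehaved, and an added example (not from the post above, nor from nss_ldap or autofs): nss_override_attribute_value replaces the value of the named LDAP attribute in every entry nss_ldap returns. In the POSIX account schema `uid` is the login name, so overriding it to "www" made every LDAP user resolve to that name, while `uidNumber` and `gidNumber` are the numeric ids that the override was meant for. With all LDAP users forced to 600:600 on this host, the only thing still deciding who sees which site is the per-user autofs map, so the map entries deserve the same care as a permission. The script below generates those maps in the layout the post describes; the function names `valid_site` and `add_user_map`, the `AUTOFS_ROOT` prefix (empty for the real system, a scratch directory for testing) and `WWW_ROOT` are my own assumptions, not anything from the post. It refuses site names that could make a map entry point outside `/www/`.

```shell
#!/bin/sh
# Added example: generate per-user autofs maps for the bind-mount layout
# "key :/www/key" described above, with the master entry to match.
# AUTOFS_ROOT and WWW_ROOT are assumptions for this example; leave
# AUTOFS_ROOT empty to write the real /etc files as root.

AUTOFS_ROOT="${AUTOFS_ROOT:-}"   # "" = real system, or a scratch dir for testing
WWW_ROOT="${WWW_ROOT:-/www}"     # sites live here, owned by 600:600

# Accept only plain hostnames: letters, digits, dots and dashes.
# Anything with "/", "..", a leading dot or dash, or whitespace is refused,
# so a map line can never resolve to a path outside $WWW_ROOT.
valid_site() {
    case "$1" in
        ''|*/*|*..*|.*|-*) return 1 ;;
    esac
    printf '%s' "$1" | grep -Eq '^[A-Za-z0-9.-]+$'
}

# usage: add_user_map USER SITE...
# Rewrites $AUTOFS_ROOT/etc/auto/USER with one "SITE :$WWW_ROOT/SITE" line
# per site (the leading ":" is autofs' local-path syntax, which it serves
# with a bind mount) and adds "/home/USER /etc/auto/USER" to auto.master
# if it is not already there. All names are validated before anything
# is written, so a bad argument leaves the existing files untouched.
add_user_map() {
    user="$1"; shift
    case "$user" in
        ''|*/*|*..*|.*) echo "bad user name: '$user'" >&2; return 1 ;;
    esac
    [ $# -gt 0 ] || { echo "no sites given for $user" >&2; return 1; }
    for site in "$@"; do
        valid_site "$site" || { echo "rejecting site '$site'" >&2; return 1; }
    done

    mapdir="$AUTOFS_ROOT/etc/auto"
    master="$AUTOFS_ROOT/etc/auto.master"
    map="$mapdir/$user"
    mkdir -p "$mapdir"

    : > "$map"
    for site in "$@"; do
        printf '%s :%s/%s\n' "$site" "$WWW_ROOT" "$site" >> "$map"
    done
    chmod 0644 "$map"

    touch "$master"
    line="/home/$user /etc/auto/$user"
    grep -qxF "$line" "$master" || printf '%s\n' "$line" >> "$master"
}
```

Running `add_user_map matthias www.foo.ext www.bar.ext` with AUTOFS_ROOT unset reproduces the two files from the post; calling it again with a shorter site list revokes access by rewriting the map, and the master entry is only ever added once. After changing maps, reload autofs (on RHEL5, `service autofs reload`) and confirm the override with `getent passwd <user>`, which should now report 600:600 for every LDAP account on this host.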
