
Here is the situation:

  • I want user usr to have the same permissions as a group grp, anywhere in the system.
  • grp is not a local group; it comes from an LDAP server over which I have no control.

I don't have much experience with Linux, so I did some research and found two possible ways to accomplish this:

  • Create a local group with the same name and make usr a part of it. However, I'm not too sure about how this would impact remote users from the original grp. Would I need to make changes to the NSS configuration file in order for this to work correctly? In that case, what should the configuration be?
  • Use ACLs to give usr permissions. My problem with this is that it seems kind of complicated. As far as I know, there's no automatic way to do what I want; I would have to write a script that traverses the filesystem, checking the group permissions of every file and directory, and then giving usr the same permissions. Am I missing something, or would this be the only way?
rm95
  • Why not add _usr_ to group _grp_? – Lacek Apr 21 '21 at 18:45
  • I'm new to this, so I'm sorry if I'm not understanding it correctly. But *grp* comes from an LDAP server; it's not actually a local group defined in /etc/group. I don't have access to the LDAP server, so I can't change its database. – rm95 Apr 21 '21 at 19:24

1 Answer

It cannot be done without modifying the LDAP database. You can add local users to LDAP groups, but it must be done on the LDAP server.

The problem is that local groups and LDAP groups are different "worlds". A system can be configured to use both, but one of them will be the primary and the other the secondary. If something is found in the primary source, the secondary will not be asked. This makes your first way a no-go: the local grp would overshadow the LDAP group (or, if LDAP is the primary, it would just be ignored altogether).

The second approach could work; however, it is as you said: complicated, resource-intensive (traversing the filesystem can generate a lot of IO), fragile, and more like a hack than an actual solution.

I think the best way would be to ask the admin of the LDAP server to include the user in the grp group. Also, I might be wrong here, but it feels like an XY problem to me.

Lacek
  • I found your answer pretty useful, but I don't think my question qualifies as an XY problem (although I didn't even know the expression before and I might be wrong). I offered my attempted solution, but I also stated what the general problem I'm trying to solve is. I try to do that in order to show I was not lazy, but maybe it'd be better to just describe the problem instead. Thanks. – rm95 Apr 21 '21 at 21:07
  • Please, I want to make something clear: I never thought you to be lazy, or your question not to be well written to describe the problem. I apologize if it sounded this way; it wasn't my intention. I thought this to be an XY problem because you asked about getting access, and getting access is _usually_ a means, not an end. But it might well be that you were just curious, so again, I can be wrong about the XY part. – Lacek Apr 22 '21 at 11:06
  • Oh, thanks for the clarification, I understand your point. I was indeed curious to learn more about how things work, apart from solving the original problem. Your answer was very helpful :) – rm95 Apr 22 '21 at 23:49
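A check for the shadowing the answer describes, added here as example code (not from the question or answer): it reads the `group:` line of an nsswitch.conf-style file and a group file (constructed samples assumed to stand in for /etc/nsswitch.conf and /etc/group) and reports whether a local group entry would be consulted before the directory source, so that the LDAP group of the same name would never be asked for.

```shell
#!/bin/sh
# Added example: does a local group entry mask a directory (LDAP/SSSD) group?
# Constructed sample files stand in for /etc/nsswitch.conf and /etc/group.
SAMPLE_NSSWITCH="$(mktemp)"
SAMPLE_GROUP="$(mktemp)"
trap 'rm -f "$SAMPLE_NSSWITCH" "$SAMPLE_GROUP"' EXIT
cat >"$SAMPLE_NSSWITCH" <<'EOF'
passwd: files ldap
group:  files ldap
EOF
cat >"$SAMPLE_GROUP" <<'EOF'
root:x:0:
grp:x:5000:usr
EOF

# Print the NSS sources for the group database in lookup order.
group_sources() {   # $1 = nsswitch.conf path
    awk '$1 == "group:" { $1 = ""; sub(/^ +/, ""); print; exit }' "$1"
}

# Exit 0 when a local group named $3 exists in the group file $2 AND "files"
# is consulted before the directory source in $1: glibc stops at the first
# source that answers, so the local entry would mask the directory's group.
local_group_shadows() {   # $1 = nsswitch.conf, $2 = group file, $3 = group name
    grep -q "^$3:" "$2" || return 1
    awk 'BEGIN { rc = 1 }
         $1 == "group:" {
             for (i = 2; i <= NF; i++) {
                 if ($i == "files") { rc = 0; break }
                 if ($i == "ldap" || $i == "sss") { break }
             }
             exit
         }
         END { exit rc }' "$1"
}

if local_group_shadows "$SAMPLE_NSSWITCH" "$SAMPLE_GROUP" grp; then
    echo "local 'grp' would shadow the directory's 'grp' (group: $(group_sources "$SAMPLE_NSSWITCH"))"
else
    echo "no local shadowing of 'grp'"
fi
```

On a real host, `getent group grp` shows which entry actually wins under the current nsswitch.conf order.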