
In our company we have a given LDAP server, which represents the users of our Windows Active Directory. Unfortunately, the gidNumber sent to the LDAP client always contains the value "1001" for every user in the directory. The LDAP server settings, including this value, cannot be changed.

I would like to implement two user groups that can be defined on the LDAP server. On the LDAP client side (RHEL 5.8) the user groups should be mapped to Linux user groups. The two groups ("Group1" and "Group2") can be identified with these LDAP statements:

AppRoles=cn=Group1,ou=OU1,ou=Applications,dc=company,dc=com
AppRoles=cn=Group2,ou=OU1,ou=Applications,dc=company,dc=com

Until now, pam_filter was used to let only one specific LDAP user group access the Linux machine, and nss_override_attribute_value was used to make a Linux group mapping. This setup allowed us to handle one single user group on RHEL 5.8, but it does not allow us to manage multiple Linux groups.

# Override gidNumber attribute
nss_override_attribute_value gidNumber 500
# Filter for only allowing LDAP users in the LDAP jumphost group to access this server
pam_filter AppRoles=cn=Group1,ou=OU1,ou=Applications,dc=company,dc=com

Is it possible to make a mapping between the LDAP string and a Linux GID without using the gidNumber attribute?

rimshot
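Added example, not code from the question or from any nss_ldap documentation: since the only group information the server exposes is a DN string in AppRoles (and gidNumber is useless), the mapping from DN to Linux GID has to live on the client. One way to do that without touching gidNumber is a small sync script that reads each user's AppRoles values, looks them up in a client-side table of group DN to local group name/GID, and emits the /etc/group membership that `gpasswd -a user group` would apply. Everything below is an assumption for illustration: the local group names `ldapgroup1`/`ldapgroup2`, the GIDs 1501/1502, the use of `uid` as the login name, and the constructed LDIF standing in for `ldapsearch` output. It is written for current Python 3, not the Python 2.4 that ships with RHEL 5.8, and shows the mapping logic only; the LDAP query and the call to `gpasswd`/`usermod` are left to the caller.

```python
"""Map AppRoles DN strings on LDAP user entries to local Linux GIDs.

Added example. The server cannot be changed, so the DN -> GID mapping is kept
on the client and applied to local groups. Only the mapping logic is shown;
the ldapsearch call and the gpasswd/usermod shell-outs are not included.
"""
import re

# Client-side mapping table (assumption): the two AppRoles DNs from the
# question, each mapped to a local group name and a GID chosen by the admin.
# Keys are stored normalised (see normalize_dn) so lookups are case-insensitive.
GROUP_MAP = {
    "cn=group1,ou=ou1,ou=applications,dc=company,dc=com": ("ldapgroup1", 1501),
    "cn=group2,ou=ou1,ou=applications,dc=company,dc=com": ("ldapgroup2", 1502),
}


def normalize_dn(dn):
    """Normalise a DN for comparison: lowercase, no whitespace around ',' or '='.

    AD happily returns "CN=Group2, OU=OU1, ..." and "cn=Group2,ou=OU1,..."
    for the same object, so compare on a canonical form rather than raw text.
    """
    parts = [p.strip() for p in dn.split(",")]
    return ",".join(re.sub(r"\s*=\s*", "=", p).lower() for p in parts)


def parse_ldif_entries(ldif_text):
    """Minimal LDIF parser: list of dicts mapping attribute -> [values].

    Entries are separated by blank lines; repeated attributes (several AppRoles
    lines) accumulate. Line continuations and base64 values are not handled,
    which is enough for the plain attributes used here.
    """
    entries, current = [], {}
    for line in ldif_text.splitlines():
        if not line.strip():
            if current:
                entries.append(current)
                current = {}
            continue
        if line.startswith("#"):
            continue
        attr, _, value = line.partition(":")
        current.setdefault(attr.strip(), []).append(value.strip())
    if current:
        entries.append(current)
    return entries


def map_user_groups(entry, group_map=GROUP_MAP):
    """Return sorted [(group_name, gid)] for every mapped AppRoles value.

    Unknown roles (anything not in group_map) are ignored, so a user that only
    carries other application roles gets no local groups at all.
    """
    found = {}
    for dn in entry.get("AppRoles", []):
        key = normalize_dn(dn)
        if key in group_map:
            name, gid = group_map[key]
            found[name] = gid
    return sorted(found.items(), key=lambda kv: kv[1])


def build_group_memberships(ldif_text, group_map=GROUP_MAP):
    """Return {group_name: sorted [uid, ...]} for all users in the LDIF.

    Every mapped group appears in the result even when empty, so a sync job can
    also remove users whose AppRoles value has been withdrawn.
    """
    members = {name: set() for name, _ in group_map.values()}
    for entry in parse_ldif_entries(ldif_text):
        uid = entry.get("uid", [None])[0]  # assumption: login name is 'uid'
        if not uid:
            continue
        for name, _ in map_user_groups(entry, group_map):
            members[name].add(uid)
    return {name: sorted(users) for name, users in members.items()}


def etc_group_lines(memberships, group_map=GROUP_MAP):
    """Render /etc/group-style lines: name:x:gid:user1,user2 (ordered by GID)."""
    gid_of = {name: gid for name, gid in group_map.values()}
    ordered = sorted(memberships.items(), key=lambda kv: gid_of[kv[0]])
    return ["%s:x:%d:%s" % (name, gid_of[name], ",".join(users))
            for name, users in ordered]


# Constructed sample data standing in for an ldapsearch result. Note the fixed
# gidNumber 1001 on every entry, and the differently-cased second DN on bob.
SAMPLE_LDIF = """
dn: cn=alice,ou=Users,dc=company,dc=com
uid: alice
gidNumber: 1001
AppRoles: cn=Group1,ou=OU1,ou=Applications,dc=company,dc=com

dn: cn=bob,ou=Users,dc=company,dc=com
uid: bob
gidNumber: 1001
AppRoles: cn=Group1,ou=OU1,ou=Applications,dc=company,dc=com
AppRoles: CN=Group2, OU=OU1, OU=Applications, DC=company, DC=com

dn: cn=carol,ou=Users,dc=company,dc=com
uid: carol
gidNumber: 1001
AppRoles: cn=Other,ou=OU1,ou=Applications,dc=company,dc=com
"""

if __name__ == "__main__":
    for line in etc_group_lines(build_group_memberships(SAMPLE_LDIF)):
        print(line)
```

A sync job built on this would be run from cron as root, compare the rendered membership with the current local groups, and apply differences with `gpasswd -a`/`gpasswd -d`; the primary GID set by `nss_override_attribute_value` stays as it is, since only supplementary groups are touched. The check worth keeping in production is the "unknown role is ignored" rule above: a typo in GROUP_MAP silently drops a group rather than granting it, which fails closed.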

0 Answers