Using LDAP Groups with Local System Users

This article describes how the System Security Services Daemon (SSSD) handles a local system user (one that exists only in /etc/passwd) that is listed as a member of an LDAP group.

The LDAP and IPA identity providers can use the RFC 2307 or the RFC 2307bis schema; the Active Directory (AD) provider uses AD's own schema, which is compatible with RFC 2307bis. The case covered here is the RFC 2307 schema, where the members of a posixGroup entry are stored in the multi-valued memberUid attribute. memberUid holds a login name rather than an entry DN, so nothing in the directory stops an administrator from listing a name that exists only in a client's local /etc/passwd, and SSSD has to decide what to do with such a member. (RFC 2307bis and AD groups use DN-valued member attributes, so they cannot reference a local user in this way.)

When an LDAP group is created, a local user can be added as a member by adding the user's login name (the value that would go in the uid attribute, not the numeric uidNumber) to the group's memberUid attribute.

On the local system, the local user is included in the group members when using getent group:

[root@server ~]# getent group example
example:x:3:jsmith,bjensen,landerson,mreynolds

getent group asks NSS for the group. On a system that uses SSSD, the request goes through the sss NSS module to SSSD, which fetches the group from the LDAP directory and returns the memberUid values as they are stored. At this point the member names are only strings copied from the directory: nothing has yet checked whether each name resolves to a user, so landerson is listed whether it is an LDAP user or only a local /etc/passwd user. The group lookup does not create or change anything in /etc/passwd.

The user lookups that follow (getpwnam() for id, initgroups() at login, and the authentication path) also go through SSSD, and that is where the difference shows up: the LDAP identity provider configured for SSSD has no record of the local user. SSSD can handle such a member in one of two ways:

  • Treat the name as a dangling reference. When the user is looked up and is not found in LDAP, SSSD removes it from the cached group membership. The /etc/passwd entry itself is not touched, but the local user never receives the LDAP group as a supplementary group, and after that lookup getent group no longer lists it.

  • Fall back to the local user database. When a group member is not found in LDAP, SSSD checks the local passwd file for the name and, if it exists there, caches the user as a member so that initgroups() adds the LDAP group to the local user's groups.

The choice is made per domain with the ldap_rfc2307_fallback_to_local_users option in the [domain/NAME] section of sssd.conf. The default is false, the first behaviour above: only users that exist in the LDAP provider are recognised, and a local name in memberUid is dropped from the group. Setting it to true selects the fallback. Two things to keep in mind before enabling it: the option applies to the RFC 2307 schema (memberUid), and the SSSD documentation notes that listing local users in LDAP groups compromises the self-consistency of the domain. In practice that means anyone who can write memberUid in the directory can attach LDAP group membership, and whatever that group grants (a %group rule in sudoers, an access_provider rule), to a local account on every client that has the fallback enabled, so write access to the group entries should be controlled as tightly as the accounts themselves. After changing the setting, restart SSSD and clear its cache with sss_cache -E so that members dropped earlier are evaluated again.
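Before enabling the fallback it is worth knowing which members of a group actually resolve in LDAP, which exist only in local files, and which exist nowhere, since only the second kind is affected by the option and the third is simply a stale entry. The script below is an added example written for this article, not SSSD project code. Its function and variable names (classify, classify_group, count_state, audit_group, SAMPLE_GROUP and the fake_* resolvers) are the example's own, the sample group line and resolver results are constructed for illustration, and the live audit_group helper assumes the sss and files NSS modules are present on the host.

```shell
#!/bin/sh
# audit_group_members.sh (added example, not from the article or the SSSD project)
#
# Classify each member of a group, given in getent(1)/group(5) format, as
#   ldap    - the name resolves through the LDAP identity provider (sss module)
#   local   - the name resolves only through local files (/etc/passwd)
#   missing - the name resolves nowhere (stale memberUid value)
# Only "local" members are affected by ldap_rfc2307_fallback_to_local_users.
# To keep them, set in the [domain/NAME] section of /etc/sssd/sssd.conf:
#   ldap_schema = rfc2307
#   ldap_rfc2307_fallback_to_local_users = true
# then restart sssd and run "sss_cache -E" so dropped members are re-evaluated.

# classify NAME RESOLVE_LDAP RESOLVE_FILES
# RESOLVE_LDAP / RESOLVE_FILES are command names that exit 0 when NAME exists
# in that source. A name present in both sources is reported as ldap, because
# SSSD is satisfied as soon as the LDAP lookup succeeds.
classify() {
    if "$2" "$1" >/dev/null 2>&1; then
        echo ldap
    elif "$3" "$1" >/dev/null 2>&1; then
        echo local
    else
        echo missing
    fi
}

# classify_group GROUP_LINE RESOLVE_LDAP RESOLVE_FILES
# GROUP_LINE looks like "name:x:gid:m1,m2,...". Prints "member state" per
# member, one per line, in the order stored in the group.
classify_group() {
    members=$(printf '%s\n' "$1" | cut -d: -f4)
    printf '%s\n' "$members" | tr ',' '\n' | while IFS= read -r m; do
        [ -n "$m" ] || continue
        printf '%s %s\n' "$m" "$(classify "$m" "$2" "$3")"
    done
}

# count_state GROUP_LINE RESOLVE_LDAP RESOLVE_FILES STATE
# Number of members in STATE; useful as a scripted check (e.g. fail a
# deployment when "missing" is non-zero).
count_state() {
    classify_group "$1" "$2" "$3" | awk -v s="$4" '$2 == s' | wc -l | tr -d ' '
}

# Live resolvers for a real SSSD host: ask NSS through one module only.
in_ldap()  { getent -s sss   passwd "$1" >/dev/null; }
in_files() { getent -s files passwd "$1" >/dev/null; }

# audit_group GROUPNAME: classify the members of a group on the live system.
audit_group() {
    line=$(getent group "$1") || { echo "group $1 not found" >&2; return 1; }
    classify_group "$line" in_ldap in_files
}

# Constructed sample data so the script can be exercised offline:
# jsmith and bjensen exist in LDAP, landerson only in /etc/passwd,
# mreynolds nowhere.
SAMPLE_GROUP='example:x:3:jsmith,bjensen,landerson,mreynolds'
fake_ldap()  { case $1 in jsmith|bjensen) return 0;; *) return 1;; esac; }
fake_files() { case $1 in landerson|root) return 0;; *) return 1;; esac; }

if [ "${1:-}" = "--demo" ]; then
    classify_group "$SAMPLE_GROUP" fake_ldap fake_files
fi
```

Run it with `--demo` for the constructed sample, or source it and call `audit_group example` on a host that uses SSSD. The resolvers are passed in as command names so the same classification logic runs against fake data for a dry run and against `getent -s sss` / `getent -s files` for the real check; `getent` with `-s` queries a single NSS module regardless of the order in nsswitch.conf, which is what makes the distinction between "known to LDAP" and "known only locally" reliable.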
