Using LDAP Groups with Local System Users
This article for the System Security Services Daemon (SSSD) describes how you can reference a local system user (from /etc/passwd) as a member of an LDAP group.
LDAP identity providers (LDAP or IPA) can use the RFC 2307 or RFC 2307bis schema. The Active Directory (AD) LDAP provider uses AD-specific schema, which is compatible with RFC 2307bis. By using these schema elements, SSSD can manage local users within LDAP groups.
When a new LDAP group is created, a local user can be added as a member, with the memberUid attribute value set to the local user ID (the login name, such as jsmith in the example below).
On the local system, the local user is included in the group members when using getent group:
[root@server ~]# getent group example
example:x:3:jsmith,bjensen,landerson,mreynolds
This queries the LDAP directory for the group information. Once that membership is processed, the user is added to the system configuration in /etc/passwd.
All of that (querying the LDAP group, creating the local user) is done through NSS (nss_ldap), outside SSSD.
Authentication operations and identity tools like id, however, go through SSSD, and there is no record of the local user in the LDAP identity provider configured for SSSD. There are two ways that SSSD can handle local users:
- It can delete the user from the local passwd file as if it were a remnant of a deleted local account.
- It can query the local user list (passwd) as a fallback if a user in a group is not found in LDAP, and then add that user to its cache as if it were an LDAP user.
This behavior is configured in the ldap_rfc2307_fallback_to_local_users parameter for the identity provider domain. By default, this is false, meaning that only users which exist in the LDAP provider are recognized, and a local user is deleted if it is added to an LDAP group. This can be set to true, which queries the local system users as a fallback if an LDAP group member is not found in the LDAP directory.
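The following Python script is an added example, not SSSD's own code: SSSD performs this resolution inside its LDAP provider, and the script only models the decision the article describes, so that an administrator can see which memberUid values survive under each setting. The group entry, the sssd.conf fragments, the set of LDAP users and the /etc/passwd lines are all constructed sample data; the "delete the local user" path is not modeled, the script simply reports such a member as dropped.

```python
"""Model of how an RFC 2307 group's memberUid values resolve to group members
under SSSD's ldap_rfc2307_fallback_to_local_users setting.

Added example, not SSSD's own code. SSSD does this inside its LDAP provider;
this script reproduces only the decision described in the article. The LDIF
entry, sssd.conf fragments, LDAP user set and /etc/passwd lines are constructed.
"""
import configparser
from typing import Dict, Iterable, List, Tuple

# Constructed RFC 2307 posixGroup entry, as an LDIF export would show it.
GROUP_LDIF = """\
dn: cn=example,ou=groups,dc=example,dc=com
objectClass: posixGroup
cn: example
gidNumber: 3
memberUid: jsmith
memberUid: bjensen
memberUid: landerson
memberUid: mreynolds
"""

# Constructed: login names that exist as user entries in the LDAP provider.
LDAP_USERS = {"jsmith", "bjensen", "landerson"}

# Constructed /etc/passwd lines; mreynolds exists only as a local account.
PASSWD_LINES = [
    "root:x:0:0:root:/root:/bin/bash",
    "mreynolds:x:1001:1001:M Reynolds:/home/mreynolds:/bin/bash",
]

# Constructed sssd.conf fragments: the default, and the same with the fallback on.
SSSD_CONF_DEFAULT = """\
[sssd]
domains = example
services = nss, pam

[domain/example]
id_provider = ldap
ldap_uri = ldap://ldap.example.com
ldap_schema = rfc2307
"""
SSSD_CONF_FALLBACK = SSSD_CONF_DEFAULT + "ldap_rfc2307_fallback_to_local_users = True\n"


def parse_group(ldif: str) -> Dict[str, object]:
    """Return cn, gidNumber and the list of memberUid values from one LDIF entry."""
    entry: Dict[str, object] = {"cn": "", "gidNumber": "", "memberUid": []}
    for line in ldif.splitlines():
        attr, sep, value = line.partition(":")
        if not sep:
            continue
        attr, value = attr.strip(), value.strip()
        if attr == "memberUid":
            entry["memberUid"].append(value)
        elif attr in ("cn", "gidNumber"):
            entry[attr] = value
    return entry


def local_users(passwd_lines: Iterable[str]) -> set:
    """Login names from /etc/passwd-style lines (the first colon-separated field)."""
    return {line.split(":", 1)[0] for line in passwd_lines if ":" in line}


def fallback_enabled(sssd_conf: str, domain: str) -> bool:
    """Read ldap_rfc2307_fallback_to_local_users for [domain/<domain>]; default False."""
    cp = configparser.ConfigParser(interpolation=None, delimiters=("=",))
    cp.read_string(sssd_conf)
    return cp.getboolean(f"domain/{domain}",
                         "ldap_rfc2307_fallback_to_local_users", fallback=False)


def resolve_members(member_uids: Iterable[str], ldap_users: set,
                    passwd_lines: Iterable[str], fallback: bool) -> Tuple[List[str], List[str]]:
    """Split memberUid values into (resolved, dropped).

    A name known to the LDAP provider always resolves. A name found only in the
    local passwd file resolves only when the fallback is enabled; otherwise it
    is dropped from the group, which is the silent membership loss to watch for
    when group membership gates access."""
    local = local_users(passwd_lines)
    resolved, dropped = [], []
    for uid in member_uids:
        if uid in ldap_users or (fallback and uid in local):
            resolved.append(uid)
        else:
            dropped.append(uid)
    return resolved, dropped


def getent_line(sssd_conf: str, domain: str = "example") -> str:
    """The `getent group` style line SSSD would produce for the constructed group."""
    group = parse_group(GROUP_LDIF)
    resolved, _ = resolve_members(group["memberUid"], LDAP_USERS, PASSWD_LINES,
                                  fallback_enabled(sssd_conf, domain))
    return f'{group["cn"]}:x:{group["gidNumber"]}:{",".join(resolved)}'


if __name__ == "__main__":
    for label, conf in (("default", SSSD_CONF_DEFAULT), ("fallback", SSSD_CONF_FALLBACK)):
        print(f"{label:8s} {getent_line(conf)}")
```

With the default configuration the line comes back as example:x:3:jsmith,bjensen,landerson, and only with the fallback enabled does mreynolds reappear. That difference is the thing to check when a group such as this one is used for sudo or PAM access control: a local-only account listed in memberUid is not a group member at all under the default, and nothing in the directory itself shows that.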