users members of multiple groups in openldap


users members of multiple groups in openldap

by John Beck-2

I've been told this is likely a pam_ldap issue. Please let me know what
files/output I'd need to include (If anything is lacking).

  We use openldap 2.3 on Red Hat Enterprise Linux ES release 4 (Nahant
Update 3).

The user's primary group is stored in the gid attribute in their entry,
but additional group memberships are configured by adding a memberUID
with the user's username to the posixGroup entry for the group.

  When the user logs in they authenticate against OpenLDAP correctly,
but the only group information that seems to follow them to the server
is the gid listed in their user entry. Our client servers run RH ES 3 or 4.

  I've been fighting this for quite a while now, I've been reading this
list and the archives as well as online docs.

/etc/pam.d/login
#%PAM-1.0
auth       required     pam_securetty.so
auth       required     pam_stack.so service=system-auth
auth       required     pam_nologin.so
account    required     pam_stack.so service=system-auth
password   required     pam_stack.so service=system-auth
session    required     pam_stack.so service=system-auth
session    optional     pam_console.so

/etc/pam.d/passwd
#%PAM-1.0
auth       required     pam_stack.so service=system-auth
account    required     pam_stack.so service=system-auth
password   required     pam_stack.so service=system-auth

Our client's ldap.conf

host 172.30.3.X
# The distinguished name of the search base.
base ou=People,dc=ourname,dc=com
sudoers_base ou=People,dc=ourname,dc=com
uri ldap://172.30.3.X/
binddn cn=Manager,dc=ourname,dc=com
bindpw ourtopsecretpassword
# Group to enforce membership of
#pam_groupdn cn=PAM,ou=Groups,dc=example,dc=com
# Group member attribute
#pam_member_attribute uniquemember
pam_password md5
ssl no

#end ldap.conf

Thank you,
-John B

--
John D. Beck, CCNA, RSA CSA & CSIE, Sys Admin / Security Engineer
Global Science and Technology (GST)
jbeck@...
Phone: 202.479.9030 #427


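To see why the setup described above resolves only the gid from the user's own entry, here is an added example (not code from this thread) that models, in Python, how nss_ldap searches for a user's groups: a toy in-memory directory is queried with the same BASE?SCOPE semantics nss_ldap applies to its `nss_base_*` options, looking for posixGroup entries whose memberUid lists the user, and resolving the primary gidNumber to a group name the same way. The directory entries, the user names and the nested ou=Archived group are constructed for the example; DN handling simply splits on commas and does not deal with escaped commas.

```python
"""How nss_ldap finds a user's groups, and why the search base matters.

Added example, not code from the thread: a toy in-memory directory is
searched with the base/scope semantics nss_ldap applies to nss_base_*
values (BASE?SCOPE, scope defaulting to `sub`), using the posixGroup
`memberUid` attribute for supplementary groups and `gidNumber` for the
primary group. Entries are constructed; DNs are split on commas only.
"""

# Constructed directory for dc=ourname,dc=com. Users live under ou=People,
# groups under ou=Groups, plus one group nested a level deeper.
DIRECTORY = [
    {"dn": "uid=jbeck,ou=People,dc=ourname,dc=com",
     "objectClass": ["posixAccount"], "uid": ["jbeck"], "gidNumber": ["1000"]},
    {"dn": "uid=alice,ou=People,dc=ourname,dc=com",
     "objectClass": ["posixAccount"], "uid": ["alice"], "gidNumber": ["1000"]},
    {"dn": "cn=users,ou=Groups,dc=ourname,dc=com",
     "objectClass": ["posixGroup"], "cn": ["users"], "gidNumber": ["1000"]},
    {"dn": "cn=wheel,ou=Groups,dc=ourname,dc=com",
     "objectClass": ["posixGroup"], "cn": ["wheel"], "gidNumber": ["10"],
     "memberUid": ["jbeck", "alice"]},
    {"dn": "cn=sysadmin,ou=Groups,dc=ourname,dc=com",
     "objectClass": ["posixGroup"], "cn": ["sysadmin"], "gidNumber": ["2000"],
     "memberUid": ["jbeck"]},
    # One level below ou=Groups: visible to scope "sub", invisible to "one".
    {"dn": "cn=legacy,ou=Archived,ou=Groups,dc=ourname,dc=com",
     "objectClass": ["posixGroup"], "cn": ["legacy"], "gidNumber": ["3000"],
     "memberUid": ["jbeck"]},
]


def parse_nss_base(spec, default_scope="sub"):
    """Split an nss_base_* value 'BASE?SCOPE' into (base, scope).
    nss_ldap also accepts a third '?filter' component; it is ignored here."""
    parts = spec.split("?")
    base = parts[0].strip()
    scope = parts[1].strip().lower() if len(parts) > 1 and parts[1].strip() else default_scope
    if scope not in ("base", "one", "sub"):
        raise ValueError("unknown scope %r" % scope)
    return base, scope


def _rdns(dn):
    # Toy DN split: comma-separated RDNs, compared case-insensitively.
    return [rdn.strip().lower() for rdn in dn.split(",")]


def in_scope(entry_dn, base, scope):
    """True if entry_dn is returned by a search rooted at base with scope."""
    e, b = _rdns(entry_dn), _rdns(base)
    if len(e) < len(b) or e[len(e) - len(b):] != b:
        return False                      # not under the base at all
    depth = len(e) - len(b)
    return {"base": depth == 0, "one": depth == 1, "sub": True}[scope]


def search(base, scope, attr, value, objectclass):
    """Entries under base/scope of the given objectClass with attr=value
    (values compared case-insensitively, as uid and cn are in the schema)."""
    return [e for e in DIRECTORY
            if in_scope(e["dn"], base, scope)
            and objectclass in e["objectClass"]
            and value.lower() in [v.lower() for v in e.get(attr, [])]]


def supplementary_groups(username, nss_base_group):
    """What initgroups(3) yields: posixGroups listing the user in memberUid."""
    base, scope = parse_nss_base(nss_base_group)
    hits = search(base, scope, "memberUid", username, "posixGroup")
    return sorted(e["cn"][0] for e in hits)


def primary_group(username, nss_base_passwd, nss_base_group):
    """Resolve the user's gidNumber to a group name, or None when the group
    entry lies outside the group search base."""
    pbase, pscope = parse_nss_base(nss_base_passwd)
    users = search(pbase, pscope, "uid", username, "posixAccount")
    if not users:
        return None
    gbase, gscope = parse_nss_base(nss_base_group)
    grp = search(gbase, gscope, "gidNumber", users[0]["gidNumber"][0], "posixGroup")
    return grp[0]["cn"][0] if grp else None


if __name__ == "__main__":
    # Without nss_base_group every lookup is rooted at `base`, here ou=People.
    people = "ou=People,dc=ourname,dc=com"
    print("groups, base=ou=People:   ", supplementary_groups("jbeck", people))
    print("primary, base=ou=People:  ", primary_group("jbeck", people, people))
    # Pointing group lookups at ou=Groups, one level deep.
    groups = "ou=Groups,dc=ourname,dc=com?one"
    print("groups, ou=Groups?one:    ", supplementary_groups("jbeck", groups))
    print("primary, ou=Groups?one:   ", primary_group("jbeck", people, groups))
    print("groups, ou=Groups?sub:    ", supplementary_groups("jbeck", groups.replace("one", "sub")))
```

Run as a script it prints the lookups for each configuration. The point to take away is that without an explicit nss_base_group the group search is rooted at `base`, so posixGroup entries under a sibling ou=Groups are never examined even though the user's own gidNumber is still returned from the passwd entry; and that `?one` versus `?sub` decides whether groups nested deeper than one level below the base are seen at all.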

Re: users members of multiple groups in openldap

by John Beck-2

This fixed us right up:
nss_base_group          ou=Group,dc=nasaprs,dc=com?one

I am curious what these do for you?
 > nss_base_passwd dc=ourname,dc=com?sub
 > nss_base_shadow dc=ourname,dc=com?sub

Thank you ever so much!!
-John

John D. Beck, CCNA, RSA CSA & CSIE, Sys Admin / Security Engineer
Global Science and Technology (GST)
jbeck@...
Phone: 202.479.9030 #427


ksmith@... wrote:

> The most obvious thing I see here is your base statement in the ldap.conf.
> Are your groups under "ou=People,dc=ourname,dc=com" or are they under
> "ou=Groups,dc=ourname,dc=com"?
>
>
> Here is an example of our ldap.conf:
>
> =================================================
> host masterldap 127.0.0.1 ldapslaves
> # hosts are the master ldap server, then this slave server, and if all else
> # fails check the other slave servers
> base dc=ourname,dc=com
> binddn cn=ldapadmin,dc=ourname,dc=com
> bindpw our-unsecure-password
> # note that the super-secret password is in the "/etc/ldap.secret" file,
> # owned by root with permissions of 600
> pam_filter objectclass=posixaccount
> # If you enable host checking then make sure that the account objectclass
> # is in each entry and that host is defined for at least one server.  In our
> # network this is not really required unless you want to allow certain
> # people to connect to the linux accounts.
> # NOTE: on this server it will lock pop users out of their email account if
> # set to yes
> pam_check_host_attr no
> rootbinddn cn=manager,dc=ourname,dc=com
> nss_base_passwd dc=ourname,dc=com?sub
> nss_base_shadow dc=ourname,dc=com?sub
> nss_base_group  ou=Groups,dc=ourname,dc=com?one
> ssl no
> pam_password md5
> ==================================================
>
> also check your /etc/nsswitch.conf ... you should have at minimum:
>
> passwd:     files ldap
> shadow:     files ldap
> group:      files  ldap
>
>
> Hope this helps!
>
>
>
> Ken Smith
> Network Systems Engineer
> Barton Insurance Brokers Ltd
> TEL:(604)703-7056
> CEL:(604)793-3703
> FAX (604)703-7099
> ksmith@...
>
> "FAILURE is not an option ... it's built in to all MicroSoft products!"


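As an added example (not code from this thread), the following Python script audits a client ldap.conf for the points that come up in the exchange above: the bind password sitting in ldap.conf (which NSS needs to be world-readable), binding as the directory manager from every client, `ssl no`, a `base` that cannot see the group tree, and the absence of a pam_groupdn login restriction. The two sample configs are constructed, one from the first post (address and password elided) and one hardened equivalent; the list of administrator-looking RDNs is a heuristic for the example, and the hardened config's service account, host name and certificate path are assumed.

```python
"""Audit a pam_ldap/nss_ldap client ldap.conf for the weaknesses visible in
this thread. Added example, not code from the thread. Standard library only;
option names are those of the nss_ldap/pam_ldap ldap.conf. The sample configs
and the ADMIN_RDNS heuristic are constructed for the example.
"""
import stat

# Heuristic: RDNs commonly used for the directory administrator (assumption).
ADMIN_RDNS = ("cn=manager", "cn=admin", "cn=root", "cn=ldapadmin")


def parse_ldap_conf(text):
    """Return {option: value}; options are case-insensitive, last one wins."""
    conf = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(None, 1)
        conf[parts[0].lower()] = parts[1].strip() if len(parts) > 1 else ""
    return conf


def audit(conf, secret_mode=None):
    """Return [(severity, option, message)] for a parsed config.
    secret_mode is the st_mode of /etc/ldap.secret, if known."""
    f = []
    binddn = conf.get("binddn", "").lower()
    admin = bool(binddn) and binddn.split(",")[0].strip() in ADMIN_RDNS
    if admin:
        f.append(("high", "binddn",
                  "clients bind as %s; a lookup account only needs read access"
                  % conf["binddn"]))
    if "bindpw" in conf:
        # ldap.conf must stay readable by every process that does NSS lookups,
        # so whatever is in bindpw is readable by every local user.
        f.append(("high" if admin else "low", "bindpw",
                  "bindpw is in world-readable ldap.conf: keep binddn a read-only "
                  "account limited by server ACLs, and put root-only credentials in "
                  "/etc/ldap.secret (root:root, mode 0600) via rootbinddn"))
    if "rootbinddn" in conf and secret_mode is not None and secret_mode & 0o077:
        f.append(("high", "rootbinddn",
                  "/etc/ldap.secret is group- or world-accessible; chmod 600"))
    ssl = conf.get("ssl", "no").lower()
    if ssl in ("no", "off") and not conf.get("uri", "").lower().startswith("ldaps://"):
        f.append(("high", "ssl",
                  "no TLS: simple binds send bindpw and users' passwords in the clear; "
                  "set `ssl start_tls` (or an ldaps:// uri) with tls_cacertfile"))
    if "nss_base_group" not in conf and conf.get("base", "").lower().startswith("ou="):
        f.append(("medium", "nss_base_group",
                  "group lookups default to base %s; posixGroup entries in a sibling "
                  "OU will not be found, so supplementary groups are silently lost"
                  % conf["base"]))
    if "pam_groupdn" not in conf:
        f.append(("low", "pam_groupdn",
                  "no pam_groupdn: any posixAccount in the directory may log in here"))
    if conf.get("pam_password", "").lower() == "md5":
        f.append(("low", "pam_password",
                  "client-side MD5 hashing fixes the stored hash format from the "
                  "client; `pam_password exop` lets the server apply its own policy"))
    return f


def audit_text(text, secret_mode=None):
    return audit(parse_ldap_conf(text), secret_mode)


# Constructed from the first post in the thread (address and password elided).
THREAD_CONF = """\
host 172.30.3.X
base ou=People,dc=ourname,dc=com
uri ldap://172.30.3.X/
binddn cn=Manager,dc=ourname,dc=com
bindpw ourtopsecretpassword
pam_password md5
ssl no
"""

# A hardened equivalent (constructed; account, host and CA path are assumed):
# read-only bind account, TLS, explicit per-map bases, root credentials kept
# in /etc/ldap.secret, logins restricted to one group.
HARDENED_CONF = """\
uri ldap://ldap.ourname.com/
base dc=ourname,dc=com
binddn cn=nss-lookup,ou=Services,dc=ourname,dc=com
bindpw lookup-account-password
rootbinddn cn=Manager,dc=ourname,dc=com
ssl start_tls
tls_cacertfile /etc/openldap/cacerts/ca.pem
tls_checkpeer yes
nss_base_passwd ou=People,dc=ourname,dc=com?one
nss_base_shadow ou=People,dc=ourname,dc=com?one
nss_base_group  ou=Groups,dc=ourname,dc=com?one
pam_groupdn cn=linux-login,ou=Groups,dc=ourname,dc=com
pam_password exop
"""

if __name__ == "__main__":
    for name, text in (("thread", THREAD_CONF), ("hardened", HARDENED_CONF)):
        print("==", name)
        for sev, opt, msg in audit_text(text, secret_mode=stat.S_IFREG | 0o600):
            print("%-6s %-15s %s" % (sev, opt, msg))
```

Note that a read-only lookup account still leaves its bindpw readable by every local user, which is why the hardened config reports a low finding rather than none; if the directory permits anonymous reads of the posix attributes, dropping binddn/bindpw entirely is the cleaner option. To audit a live host, pass the contents of /etc/ldap.conf and `os.stat("/etc/ldap.secret").st_mode` to audit_text.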