OpenLDAP/SSSD Automatically Add User to Local Group
I've got a host of servers running various flavors of Linux, all set up as OpenLDAP clients via SSSD. I added an LDAP group (sysadmins). I also added a sysadmins group on all of my servers. The members of the sysadmins group will change over time.
How can I get all users in the LDAP group to be added to the local group on login?
According to the Ubuntu documentation you can do a mapping of domain users to local groups. I'm not sure if it is applicable to any OS, but it seems to use standard modules that should be on any *nix system.

From Ubuntu docs:

Assign local groups to users

To assign local groups to a domain (LDAP) user, do the following: edit /etc/security/group.conf and add something like the following to it (log in as a local user and run the groups command to verify what to add):

*;*;*;Al0000-2400;audio,cdrom,dialout,floppy

In order to get the pam_group module working you could create a file like /usr/share/pam-configs/my_groups:

Name: activate /etc/security/group.conf
Default: yes
Priority: 900
Auth-Type: Primary
Auth:
	required			pam_group.so

and activate it by running pam-auth-update. This roughly equals editing /etc/pam.d/common-auth by hand and adding the following line before any pam_ldap and pam_krb5 settings:

auth required pam_group.so

You should now have local groups showing up for users logging in via gdm and ssh and can verify this by executing id or groups.

Finalize

Just to make sure everything works, run the following:

pam-auth-update
/etc/init.d/nscd restart
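As an added example (it is not from the answer above or from the Ubuntu documentation it quotes), the following POSIX shell script stages the two files the answer describes under a scratch root so they can be diffed and reviewed before being copied into place. It also tightens the quoted rule: the users field uses %group so that only members of the directory group receive the local groups, instead of "*" which grants them to every user, and the services field defaults to sshd rather than every PAM service. The variables ROOT, LDAP_GROUP, LOCAL_GROUPS and SERVICES, the staging root path, and the shadowed-name check are assumptions made for the illustration; the file names and the profile fields are the ones the answer shows.

```shell
#!/bin/sh
# Added example: stage the pam_group wiring from the answer under ROOT for
# review. Nothing here touches the live system unless ROOT=/ is set.
set -eu

ROOT="${ROOT:-/tmp/pam_group_stage}"      # assumed staging root; ROOT=/ writes the real files
LDAP_GROUP="${LDAP_GROUP:-sysadmins}"     # directory group whose members qualify (assumed name)
LOCAL_GROUPS="${LOCAL_GROUPS:-sysadmins}" # comma-separated local groups to grant on login
SERVICES="${SERVICES:-sshd}"              # PAM service the rule applies to ("*" = all services)

# Rule format is services;ttys;users;times;groups (see pam_group(8)).
# "%group" in the users field restricts the grant to members of that group as
# resolved through NSS; "*" (as in the quoted example) would match every user.
group_conf_rule() {
    printf '%s;*;%%%s;Al0000-2400;%s\n' "$SERVICES" "$LDAP_GROUP" "$LOCAL_GROUPS"
}

# The %group lookup goes through nsswitch. If a local group with the same name
# exists, "files" answers first and the membership test runs against the local
# entry (normally empty), so the rule silently matches nobody. Returns non-zero
# when the directory group name is shadowed by an entry in ROOT/etc/group.
ldap_group_not_shadowed() {
    ! grep -q "^${LDAP_GROUP}:" "$ROOT/etc/group" 2>/dev/null
}

write_group_conf() {
    f="$ROOT/etc/security/group.conf"
    mkdir -p "$(dirname "$f")"
    rule=$(group_conf_rule)
    # Idempotent: append the rule only if that exact line is not already there.
    grep -qxF -- "$rule" "$f" 2>/dev/null || printf '%s\n' "$rule" >> "$f"
}

# pam-auth-update profile from the answer. Priority 900 places the module ahead
# of the default pam_unix/pam_sss entries, the ordering the documentation asks for.
write_pam_profile() {
    f="$ROOT/usr/share/pam-configs/my_groups"
    mkdir -p "$(dirname "$f")"
    cat > "$f" <<'EOF'
Name: activate /etc/security/group.conf
Default: yes
Priority: 900
Auth-Type: Primary
Auth:
	required			pam_group.so
EOF
}

stage() {
    if ! ldap_group_not_shadowed; then
        echo "warning: local group '$LDAP_GROUP' in $ROOT/etc/group shadows the directory group; the %$LDAP_GROUP rule will not match its members" >&2
    fi
    write_group_conf
    write_pam_profile
    echo "staged under $ROOT: review the files, copy them into place, then run pam-auth-update"
}

# Act only when invoked explicitly, so sourcing this file has no side effects.
if [ "${1:-}" = "stage" ]; then
    stage
fi
```

Run it as `sh stage_pam_group.sh stage` (any file name works) and inspect the two files under /tmp/pam_group_stage before copying them to /etc/security/group.conf and /usr/share/pam-configs/my_groups and running pam-auth-update as the answer says. Two points worth keeping in mind: pam_group only adds the groups to the session's credentials at login, it never edits /etc/group, so `id` on a logged-in session is the right check, and because the %group test is resolved through NSS, the directory group must not share its name with a local group unless nsswitch.conf orders sss ahead of files or both entries carry the same GID.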
There's one way of accomplishing this at the moment: you can add the user on each host locally and then add the member from LDAP into /etc/group.
The second way is currently under development for glibc and wouldn't make it to RHEL sooner than 7.3 but you can read about it here: https://sourceware.org/glibc/wiki/Proposals/GroupMerging
That would basically allow you to define the group both locally and in LDAP and have libc merge the group contents.