pam_group vs. multiple group lines

Scot Hetzel swhetzel at
Wed Aug 22 11:47:46 PDT 2007

On 8/22/07, Ulrich Spoerlein <uspoerlein at> wrote:
> On Wed, 22.08.2007 at 10:28:40 +0200, Patrick M. Hausen wrote:
> > On Wed, Aug 22, 2007 at 09:53:42AM +0200, Ulrich Spoerlein wrote:
> > > That is exactly the gist of my question. Of course I know that a group
> > > oneliner is the way to go. However, I saw people suggest splitting
> > > groups into multiple lines, if the lines are too long or too many
> > > groups per line (something to do with the /etc/group parser, I guess).
> > >
> > > Anyway, I want the LDAP groups to *augment* system groups. Removing
> > > wheel from /etc/group and relying on a complex network service ....
> > > not funny.
> >
> > We do not use LDAP yet, but have been using NIS in our internal
> > office network for years. If you use the magic "+" token to merge
> > your NIS database with the static files for passwd and group
> > information, then
> I'm not using the compat setting, my nsswitch.conf contains
> passwd: files ldap
> group: files ldap
> > _if_ the group entry in the static file does not contain any users
> > _then_ the information from NIS is merged in
> >
> > So you can keep a "wheel" group around as the _primary_ group
> > for root, toor, whatnot ... and all the additional members
> > that have "wheel" as an auxiliary group come from NIS.
> >
> > Possibly this works for LDAP, too? IMHO at least it should ;-))
> THANK YOU! It is indeed working for LDAP too. But it fails for sudo(8).
> Luckily I could replace the %wheel directive with a few user id
> directives.
> It's still a shortcoming of some sort and I guess I'll file a PR if
> no one else has any more information on the issue.
> getent group now has the following wheel entries
> % getent group|grep wheel
> wheel:*:0
> wheel:*:0:us,root
> As I said, su(1) is happy, sudo(8) not yet.

Does the following work for you:

passwd:  ldap [notfound=return] files
group:   ldap [notfound=return] files

This sets ldap as the authoritative source for users and groups,
unless the ldap service is down, in which case it will use the files as
the source (useful when the ldap server is down).  This will require that
you place all of the users/groups into the ldap server. (modified from the
nis example in the nsswitch.conf(5) man page)

You could also try the following:

passwd:  ldap  files
group:   ldap [success=continue] files

No electrons were maimed while sending this message. Only slightly bruised.
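The three "group:" lines discussed in this thread differ only in which source is asked first and in what happens on a notfound or unavail answer. The following is an added example, not code from the thread or from FreeBSD's libc: a small model of the nsswitch.conf(5) source/action walk (default actions success=return and notfound/unavail/tryagain=continue, as documented in the man page) fed with two constructed backends whose data matches the getent output quoted above (files: "wheel:*:0", ldap: "wheel:*:0:us,root"). The backend behaviour (an ldap server that is down, or up but missing the group) and the [!status=action] negated form, which this parser does not handle, are assumptions of the example. The one-line cases at the bottom show the caveat a practitioner wants: with "ldap [notfound=return] files", a reachable ldap server that lacks a group stops the lookup before files is ever consulted, which is exactly why every group then has to live in ldap.

```python
#!/usr/bin/env python3
"""Model of nsswitch.conf(5) source/action dispatch for one database line.

Added example (not from the thread or FreeBSD). Assumptions: status names and
default actions as in nsswitch.conf(5); the backend records below are
constructed to match the getent output quoted in the thread.
"""
import re
from typing import Callable, Dict, List, Optional, Tuple

SUCCESS, NOTFOUND, UNAVAIL, TRYAGAIN = "success", "notfound", "unavail", "tryagain"
DEFAULT_ACTIONS = {SUCCESS: "return", NOTFOUND: "continue",
                   UNAVAIL: "continue", TRYAGAIN: "continue"}

Group = Dict[str, object]                       # {"name", "gid", "members"}
Backend = Callable[[str], Tuple[str, Optional[Group]]]


def parse_group_line(line: str) -> Group:
    """Parse one group(5)/getent(1) line: name:passwd:gid:member,member"""
    name, _passwd, gid, *rest = line.split(":")
    members = [m for m in (rest[0].split(",") if rest else []) if m]
    return {"name": name, "gid": int(gid), "members": members}


def parse_nss_line(line: str) -> Tuple[str, List[Tuple[str, Dict[str, str]]]]:
    """Parse 'group: ldap [notfound=return] files' into
    (database, [(source, {status: action}), ...]). The [!status=action]
    negated form is not supported here (assumption: not needed for the thread)."""
    db, sep, rest = line.partition(":")
    if not sep:
        raise ValueError("expected 'database: source [action] source ...'")
    sources: List[Tuple[str, Dict[str, str]]] = []
    for tok in re.findall(r"\[[^\]]*\]|\S+", rest):
        if tok.startswith("["):
            if not sources:
                raise ValueError("action block before any source: %s" % tok)
            for status, action in re.findall(r"(\w+)\s*=\s*(\w+)", tok):
                status, action = status.lower(), action.lower()
                if status not in DEFAULT_ACTIONS or action not in ("return", "continue"):
                    raise ValueError("unsupported status/action: %s" % tok)
                sources[-1][1][status] = action
        else:
            sources.append((tok.lower(), dict(DEFAULT_ACTIONS)))
    return db.strip(), sources


def lookup(sources, backends: Dict[str, Backend], key: str):
    """Walk the sources in order, applying each source's status->action table.
    Returns (final_status, hits, consulted). 'hits' lists every record from a
    source that answered SUCCESS; a real libc returns one struct and how it
    reconciles several successes is implementation-specific, so this model only
    shows which sources were asked and what each produced."""
    hits: List[Group] = []
    consulted: List[str] = []
    final = NOTFOUND
    for name, actions in sources:
        status, record = backends[name](key)
        consulted.append(name)
        if status == SUCCESS:
            hits.append(record)
            final = SUCCESS
        elif not hits:
            final = status
        if actions[status] == "return":          # default for success; explicit otherwise
            break
    return final, hits, consulted


def files_backend(key: str):
    # Constructed: local /etc/group keeps wheel with no members (as in the thread).
    table = {"wheel": parse_group_line("wheel:*:0")}
    rec = table.get(key)
    return (SUCCESS, rec) if rec else (NOTFOUND, None)


def ldap_backend(up: bool = True, has_wheel: bool = True) -> Backend:
    # Constructed: ldap carries the members; 'up=False' simulates an unreachable server.
    def backend(key: str):
        if not up:
            return UNAVAIL, None
        table = {"wheel": parse_group_line("wheel:*:0:us,root")} if has_wheel else {}
        rec = table.get(key)
        return (SUCCESS, rec) if rec else (NOTFOUND, None)
    return backend


def resolve(nss_line: str, key: str = "wheel", ldap_up: bool = True, ldap_has_wheel: bool = True):
    _db, sources = parse_nss_line(nss_line)
    backends = {"files": files_backend, "ldap": ldap_backend(ldap_up, ldap_has_wheel)}
    return lookup(sources, backends, key)


if __name__ == "__main__":
    cases = [
        ("group: files ldap", True, True),
        ("group: ldap [notfound=return] files", True, True),
        ("group: ldap [notfound=return] files", False, True),   # ldap server down
        ("group: ldap [notfound=return] files", True, False),   # ldap up, group missing
        ("group: ldap [success=continue] files", True, True),
    ]
    for line, up, has in cases:
        status, hits, consulted = resolve(line, ldap_up=up, ldap_has_wheel=has)
        print(f"{line:40s} ldap_up={up!s:5} ldap_has_wheel={has!s:5} -> {status:8s} "
              f"consulted={consulted} members={[h['members'] for h in hits]}")
```

Running it shows "files ldap" answering from files alone (the memberless wheel), "ldap [notfound=return] files" answering from ldap when it is up and from files only when ldap is unavail, and returning notfound without touching files when ldap is up but has no wheel entry; "ldap [success=continue] files" asks both sources.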
