pam_group vs. multiple group lines

Ulrich Spoerlein uspoerlein at
Wed Aug 22 13:00:14 PDT 2007

On Wed, 22.08.2007 at 13:47:43 -0500, Scot Hetzel wrote:
> Does the following work for you:
> passwd:  ldap [notfound=return] files
> group:   ldap [notfound=return] files
> This sets ldap as the authoritative source for users and groups,
> unless the ldap service is down, then it will use the files for the
> source (useful when ldap server is down).  This will require that you
> place all of the users/groups into the ldap server. (modified from the
> nis example in the nsswitch.conf(5) man page)

Thanks for you suggestion!

In the end, I did it the other way round, using:

passwd: files ldap
group: files [success=continue] ldap

This has the effect of "merging" the multiple group sources into one, as
can be seen here
% getent group|grep wheel

I now have to play a little bit with bootup (no LDAP present) and what
happens when LDAP goes offline, etc.

Thanks again!

Ulrich Spoerlein
It is better to remain silent and be thought a fool,
than to speak, and remove all doubt.

More information about the freebsd-stable mailing list