Red Hat Bugzilla – Bug 88869
ldap users can't use secondary groups
Last modified: 2016-11-24 10:24:51 EST
From Bugzilla Helper:
User-Agent: Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.2.1) Gecko/20030225
Description of problem:
The secondary group membership appears to be broken for LDAP users.
Consider a directory with ownership X, group-ownership B and mode 0750.
An LDAP user Y with primary group A and secondary group B membership
cannot change to the above directory.
Other symptoms: "id" by itself shows only the primary group A
while "id usercode" shows the correct output (groups A & B).
Version-Release number of selected component (if applicable):
Steps to Reproduce:
1. use an LDAP account
2. try "id" and "id <usercode>"
3. try to change to dirs with mode 0750 and group ownership other than your
primary group membership.
Actual Results: The user can't access directories based on secondary group
Expected Results: The user should be able to access the directory and "id"
should show all groups.
I'm not sure if this is a glibc bug but the "id" does not work correctly
and it is linked only with glibc.
(I'm putting this at "high" severity because I do consider that it makes
LDAP based authentication almost useless)
Your description of the problem, especially that "id usercode" gives the correct
results, sounds like you created a secondary group for the user, but did not
either log in afterward to verify the result, or run "newgrp".
Create a secondary group, and either log in afterward or run "newgrp" to see if
the problem still exists.
Sorry :-( :-( the problem was due to LDAP server misconfiguration.
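
Added example, not part of the original bug thread: bare "id" prints the groups held by the running process, "id usercode" looks the user up in the user database, and the kernel checks only the process's groups. The sketch below applies the owner/group/other check from the report's 0750 directory to both views; the function names and the numeric uids/gids are hypothetical, constructed values.

```python
import os
import pwd
import stat


def can_enter(dir_uid, dir_gid, dir_mode, euid, egid, groups):
    """Kernel-style check for search (x) permission on a directory.

    Exactly one class applies: owner, then group, then other.
    The root/capability bypass is deliberately ignored here.
    """
    if euid == dir_uid:
        return bool(dir_mode & stat.S_IXUSR)
    if egid == dir_gid or dir_gid in groups:
        return bool(dir_mode & stat.S_IXGRP)
    return bool(dir_mode & stat.S_IXOTH)


def diagnose(dir_uid, dir_gid, dir_mode, euid, egid, proc_groups, nss_groups):
    """Classify an access failure using both group views.

    proc_groups: what bare `id` shows (the process credentials).
    nss_groups:  what `id <usercode>` shows (the user database lookup).
    """
    if can_enter(dir_uid, dir_gid, dir_mode, euid, egid, set(proc_groups)):
        return "allowed"
    if can_enter(dir_uid, dir_gid, dir_mode, euid, egid, set(nss_groups)):
        return "denied: group is in the user database but not in this process"
    return "denied: group is missing from the user database too"


def live_views():
    """Return (proc_groups, nss_groups) for the current process and user."""
    proc = set(os.getgroups()) | {os.getegid()}
    try:
        user = pwd.getpwuid(os.geteuid())
    except KeyError:  # this uid has no passwd entry at all
        return proc, set()
    return proc, set(os.getgrouplist(user.pw_name, user.pw_gid))


if __name__ == "__main__":
    # Constructed values: owner X=1000, user Y=2000, group A=100, group B=200.
    print(diagnose(1000, 200, 0o750, 2000, 100, {100}, {100, 200}))
    proc, nss = live_views()
    print("only in user database:", sorted(nss - proc))
    print("only in process:", sorted(proc - nss))
```

A non-empty "only in user database" list means the session predates the group change or the login path did not initialise the supplementary groups.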