Bug 88869 - ldap users can't use secondary groups
Summary: ldap users can't use secondary groups
Alias: None
Product: Red Hat Linux
Classification: Retired
Component: glibc
Version: 8.0
Hardware: i386
OS: Linux
Target Milestone: ---
Assignee: Jakub Jelinek
QA Contact: Brian Brock
Depends On:
TreeView+ depends on / blocked
Reported: 2003-04-15 04:02 UTC by rmhristev
Modified: 2016-11-24 15:24 UTC (History)
1 user (show)

Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Clone Of:
Last Closed: 2003-04-22 21:21:52 UTC

Attachments (Terms of Use)

Description rmhristev 2003-04-15 04:02:18 UTC
From Bugzilla Helper:
User-Agent: Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.2.1) Gecko/20030225

Description of problem:
The secondary group membership appears to be broken for LDAP users

Consider a directory with ownership X, group-ownership B and mode 0750

An LDAP user Y with primary group A and secondary group B membership
cannot change to the above directory.

Other simptoms: "id" by itself shows only the primary group A
while "id usercode" shows the correct output (groups A & B).

Version-Release number of selected component (if applicable):

How reproducible:

Steps to Reproduce:
1. use an LDAP account
2. try "id" and "id <usercode>"
3. try to change to dirs with mode 0750 and group ownership other than your
primary group membership.

Actual Results:  The user can't access directories based on secondary group

Expected Results:  The user should be able to access the directory and "id"
should show all groups.

Additional info:

I'm not sure if this is a glibc bug but the "id" does not work correctly
and it is linked only with glibc.

(I'm putting this at "high" severity because I do consider that it makes 
LDAP based authentication almost useless)

Comment 1 Gordon Messmer 2003-04-21 16:18:30 UTC
Your description of the problem, especially that "id usercode" gives the correct
results, sounds like you created a secondary group for the user, but did not
either log in afterward to verify the result, or run "newgrp".

Create a secondary group, and either log in afterward or run "newgrp" to see if
the problem still exists.

Comment 2 rmhristev 2003-04-22 21:21:52 UTC
Sorry :-( :-( the problem was due to LDAP server misconfiguration.

Note You need to log in before you can comment on or make changes to this bug.