Date: Wed, 22 Aug 2007 22:00:05 +0200
From: Ulrich Spoerlein
To: Scot Hetzel
Cc: freebsd-stable@freebsd.org
Subject: Re: pam_group vs. multiple group lines
Message-ID: <20070822200005.GC1426@roadrunner.spoerlein.net>

On Wed, 22.08.2007 at 13:47:43 -0500, Scot Hetzel wrote:
> Does the following work for you:
>
> passwd: ldap [notfound=return] files
> group: ldap [notfound=return] files
>
> This sets ldap as the authoritative source for users and groups,
> unless the ldap service is down, then it will use the files for the
> source (useful when ldap server is down). This will require that you
> place all of the users/groups into the ldap server. (modified from the
> nis example in the nsswitch.conf(5) man page)

Thanks for your suggestion!
In the end, I did it the other way round, using:

passwd: files ldap
group: files [success=continue] ldap

This has the effect of "merging" the multiple group sources into one, as
can be seen here

% getent group|grep wheel
wheel:*:0:root,us

I now have to play a little bit with bootup (no LDAP present) and what
happens when LDAP goes offline, etc.

Thanks again!

Cheers,
Ulrich Spoerlein
-- 
It is better to remain silent and be thought a fool, than to speak,
and remove all doubt.
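
Added example (not part of the original message, and not FreeBSD libc code): a small Python model of how the two nsswitch.conf group lines from this thread decide effective wheel membership, with LDAP up and with LDAP down, using the default actions from nsswitch.conf(5). The merging of member lists on success=continue is an assumption taken from the getent output in the message; the group data and the names parse_line, lookup, FILES, LDAP, UP and DOWN are constructed for illustration.

```python
import re

# Default NSS actions per status, as documented in nsswitch.conf(5).
DEFAULTS = {"success": "return", "notfound": "continue",
            "unavail": "continue", "tryagain": "continue"}

def parse_line(line):
    """Parse 'group: files [success=continue] ldap' into [(source, actions)]."""
    chain = []
    for tok in re.findall(r"\[[^\]]*\]|\S+", line.partition(":")[2]):
        if not tok.startswith("["):
            chain.append((tok, dict(DEFAULTS)))
            continue
        for crit in tok[1:-1].lower().split():
            status, _, action = crit.partition("=")
            if not chain or status not in DEFAULTS or action not in ("return", "continue"):
                raise ValueError(f"bad criterion {crit!r}")
            chain[-1][1][status] = action  # criterion applies to the preceding source
    return chain

def lookup(chain, backends, group):
    """Model of a group lookup. backends maps source name -> {group: [members]},
    or None for a source that is down. Returns merged members, or None."""
    members, found = [], False
    for source, actions in chain:
        db = backends.get(source)
        if db is None:
            status = "unavail"
        elif group in db:
            status, found = "success", True
            # Assumption: continuing past a success merges member lists,
            # which is the behaviour the message reports for getent.
            members += [m for m in db[group] if m not in members]
        else:
            status = "notfound"
        if actions[status] == "return":
            break
    return members if found else None

# Constructed sample data mirroring the message: root is local, us is in LDAP.
FILES = {"wheel": ["root"], "operator": ["root"]}
LDAP = {"wheel": ["us"]}
UP = {"files": FILES, "ldap": LDAP}
DOWN = {"files": FILES, "ldap": None}  # LDAP server unreachable

MERGED = parse_line("group: files [success=continue] ldap")
LDAP_FIRST = parse_line("group: ldap [notfound=return] files")

if __name__ == "__main__":
    for label, chain in (("merged", MERGED), ("ldap-first", LDAP_FIRST)):
        for state, b in (("up", UP), ("down", DOWN)):
            print(label, state, {g: lookup(chain, b, g) for g in ("wheel", "operator")})
```

In this model the merged line lets the directory add members to a locally defined privileged group, while the ldap-first line hides local-only groups whenever LDAP answers, so effective wheel membership is worth checking under both LDAP states.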