The Curious of the missing LDAP Groups Issue with new groups in LDAP

LDAP is a wonderful way to handle all your company employees users. I’ve been using it for a long time and just like the easy way to handle it and how users can be authenticated via the LDAP directory all threw our intranet sites (Ticket manager, Wiki, Tools and more).

A month ago I had a new project – simple and easy to create some directories for group of users and give some full permissions and some only read permissions.

Due to the nature of linux that was quite easy – Just create a new group (or several) to encapsulate the users and allow the permissions to the directories. For example:
1. Group: project-users       – All the users who will need to access the data for this project will be added to this group.
2. User: project-admin – This is the user that can handle the directories (add, remove etc).
2. Group: project-admins    – The only group that can access the project-admin users. I’ve added only selected users to this group. (The permissions to access the users is auto generated authorized_keys access)
Now let’s say that our directory is:
/opt/projects/project (User: project-admin, Group: project-users, Mode: rwxr-r—)

Now as you can see only the admin user can change the files but all the group can access.

After finishing the configuration directories etc – I’ve sent mail that everything should work fine – then I’ve moved on to my next task.

Few hours later the manager of this project came to me and said – “well I have no access to the directories”.
That was queer – so I started checking why his user didn’t work.
I’ve accessed his user from my console and everything worked correctly, but when I’ve tried to access the directory from his console the user didn’t have the permissions??

I was intrigued, Why when I used his user it worked but when he did it didn’t? First I thought it was the terminal software – maybe it has some different environment variables? May it be the shell?

After checking and tinkering with the user for several minutes trying to determined what is the issue – a colleague had a notion – is the user part of the users group? I said “well yes I checked this myself”, then he tried checking the user:

1
2
$ id username
uid=500(username) gid=500(username) groups=500(username),555(users),666(project-users)

Well I said to him you see? the user is inside the group.
He replied – did you test this on the user console?
“No I didn’t” then I tested that:

1
2
$ id username
uid=500(username) gid=500(username) groups=500(username),555(users)

I was puzzled why the user isn’t in the right groups,
The answer: groups being reload only on login, Thus when a user who is already have open session (ssh, vnc etc) will always get the old groups and not the new ones.
This behavior also exist in local group handling in linux.

What solution you have for that? Well technically you can use newgrp in order to add the group – but in some cases like vnc you will have to use this command every time for every new console you open:

1
2
3
4
5
$ id username
uid=500(username) gid=500(username) groups=500(username),555(users)
$ newgrp project-users
$ id username
uid=500(username) gid=500(username) groups=500(username),555(users),666(project-users)

Note: that newgrp will create a whole new session like bash (although bash will not yield the groups reload like newgrp or ssh)

Leave a Reply

Your email address will not be published. Required fields are marked *