setting groups for ldap users

[ChrisMcGowanAu]

We ( Lorien Novais School ) use ldap for our students. We have a big fat and fast server to host home directories for students, use NFS to mount the students home directories. Ldap is also used for Internet access authentication which works fine.

We had a long time issue getting ldap to pass on more then one group with the login. I always assumed that some ldap trickery was the answer, and went down many rabbit holes to come up with nothing. If groups are missing from an ldap login, some things will not work, examples are USB auto-mount, sound, serial terminals and more. I got around these issues by tweaking permissions on executable's and developing shell scrips for users to work around issues. Yuck what a mess.

It turns out that ldap only passes on the primary group, and all other groups you might want a student to be in is missing.

The solution we came upon is to bypass ldap groups and use /etc/security and /etc/pam.d to set the groups independent of what ldap does, when I asked ChatGPT it says __"LDAP servers and clients handle group memberships can vary depending on the LDAP server implementation and the client applications used to interact with LDAP_"_

This solution will give all ldap users extra groups that will be common to everyone. I used the following steps

1. Login on a client machine as a local user. then run the command 'groups'
   lorien@LorienLab110:~$ groups
   lorien adm dialout cdrom sudo dip plugdev lpadmin sambashare epoptes staff
2. Select which groups you want everyone to have. In my case I chose the following groups
   adm dialout cdrom dip plugdev sambashare
3. edit /etc/security/group.conf and add the following line
   *; *; *; Al0000-2400;adm,dialout,cdrom,dip,plugdev,sambashare
4. Make sure that the following line is in /etc/pam.d/common-auth
   auth optional pam_group.so
5. Now try and login with an ldap acount. when you run "groups" you should see the extra groups.