LDAP groups can be made from Linux groups

[lpanayioto]

LDAP Groups can be made from the linux groups in /etc/group

Unexpected behavior you saw
a linux group like bmcweb::1002 can be used to create a webui LDAP group if the LDAP user has the same group id 1002

Expected behavior
Only LDAP server groups can be used for webui LDAP groups

To Reproduce

1. login to bmc webui
2. navigate to Access->LDAP
3. connect to the LDAP server
4. test the login with an LDAP user; should be noAccess
5. add the webui LDAP group bmcweb
6. change the LDAP user's group id number to the same as the linux group bmcweb (can be found at /etc/group on the bmc)
7. test the login with the LDAP user

[kingzmm]

@lpanayioto How to set up ldap service so that users in ldap can log in successfully

[trevor-cockrell]

This is a result of the nsswitch.conf file being configured by default to lookup local groups prior to LDAP groups. You can avoid this by making sure that your LDAP gidNumbers don't match up with any of the groups in /etc/group.

Another option if you really want to use values that are already claimed by local groups is to edit the /etc/nsswitch.conf and modify the line

group:          files ldap  

to instead look like

group:          ldap files

and then rebooting for the new configuration to take effect. This will then lookup groups externally before checking internally.