Automatically add LDAP users to a local group

ng flag

I manage about 100 servers running Alma Linux 9.1, each with multiple users. Historically we've had a single account "admin" that everyone logs into when working on a server. I'm moving us over to individual LDAP users via SSSD but have hit a stumbling block with group membership.

Just as an example, on our ansible server the files under /etc/ansible belong to the admin user so that unprivileged users can work on them:

$ ls -lah /etc/ansible/
total 64K
drwxrwxr-x.   3 admin admin   71 Dec  7 11:11 .
drwxr-xr-x. 112 root  root  8.0K Jan 23 12:42 ..
-rw-rw-r--.   1 admin admin  614 Oct 14 11:28 ansible.cfg
-rw-rw-r--.   1 admin admin  377 Dec  7 11:11 ansible.conf
-rw-rw-r--.   1 admin admin  43K Feb 10 12:32 hosts
drwxr-xr-x.   2 admin admin    6 Oct 14 11:28 roles

Obviously ownership isn't going to help with multiple users needing to access the file, so we look at group membership. I can individually add users to a local group on a server but this is not scalable, and presents another step whenever new users are brought on.

I read a bit into the proposal for group merging but it seems like it's still unimplemented.

What I'd like is for any members of LDAP group x to be automatically added to local group y whenever they log in to any servers. Is this possible?

pt flag
Don't have people logging into servers and making changes directly to shared files. Have them submit changes via a version control system that deploys them via a CI/CD pipeline. Now you have the opportunity for code review, change control, a useful change history (why did we make this change?), and you've sidestepped the whole issue of managing write access to shared files.
pt flag
Alternately, if you already have LDAP groups, why not just make the files owned by an LDAP group that will be common across all the servers?
ng flag
Honestly I wasn’t aware you could have files owned by ldap groups. Will look into that…
I sit in a Tesla and translated this thread with Ai:


Post an answer

Most people don’t grasp that asking a lot of questions unlocks learning and improves interpersonal bonding. In Alison’s studies, for example, though people could accurately recall how many questions had been asked in their conversations, they didn’t intuit the link between questions and liking. Across four studies, in which participants were engaged in conversations themselves or read transcripts of others’ conversations, people tended not to realize that question asking would influence—or had influenced—the level of amity between the conversationalists.