> The fact that id shows fewer groups is not a security issue
> -- the user should have fewer privileges than with the
> intended ldap groups.
This is only correct as long as belonging to a group grants additional rights. It is not correct any more if belonging to a group revokes rights. The user this way has, since he isn't seen in this particular group any more, additional rights he wouldn't have if he was part of the group in question.

We're using such a scheme for trainees. They are part of the group, but being part of the group "trainee" revokes some rights they would have if they were not part of the group "trainee".

In our special case this doesn't matter: both groups are derived by ldap. Since pam doesn't question ldap any more for groups the user is in, rights are not granted and not revoked --- most people do not have any rights to do anything ... :-(

-- 
https://bugs.launchpad.net/bugs/771698

Title:
  /usr/bin/id does not show ldap groups
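
The failure mode discussed in this message, as an added example that is not part of the original bug report: a check that relies on absence from a deny group fails open when the directory is never consulted, while a check that also requires a positive group and a complete lookup fails closed. The users, the "staff" group, and all function names are constructed for illustration; only the "trainee" group comes from the message.

```python
# Constructed sample data: local groups and directory (LDAP) groups per user.
LOCAL_GROUPS = {"alice": {"alice", "users"}, "bob": {"bob", "users"}}
LDAP_GROUPS = {"alice": {"staff", "trainee"}, "bob": {"staff"}}

DENY_GROUP = "trainee"   # membership revokes a right (from the message)
ALLOW_GROUP = "staff"    # hypothetical positive group, also held in LDAP


def resolve_groups(user, ldap_consulted):
    """Return (groups, complete).

    complete is False when the directory source was skipped, which is
    the situation the bug describes: only local groups are visible.
    """
    groups = set(LOCAL_GROUPS.get(user, set()))
    if ldap_consulted:
        groups |= LDAP_GROUPS.get(user, set())
    return groups, ldap_consulted


def allowed_naive(user, ldap_consulted):
    """Deny-group check that trusts whatever group list it receives."""
    groups, _ = resolve_groups(user, ldap_consulted)
    return DENY_GROUP not in groups


def allowed_fail_closed(user, ldap_consulted):
    """Absence from a deny group only counts if the lookup was complete,
    and the right additionally requires a positive group."""
    groups, complete = resolve_groups(user, ldap_consulted)
    if not complete:
        return False
    return ALLOW_GROUP in groups and DENY_GROUP not in groups


if __name__ == "__main__":
    for user in ("alice", "bob"):
        for consulted in (True, False):
            print(user, "ldap consulted:", consulted,
                  "naive:", allowed_naive(user, consulted),
                  "fail-closed:", allowed_fail_closed(user, consulted))
```
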