Re: proper procedure to add a unix group

Rich Megginson wrote: 

> Igor wrote:
> 
> >Hi, all.  This is probably a dumb question but how do
> >I add a group?  Simply adding a group thru the UI
> >doesn't allow one to specify a GID.  I tried adding an
> >object type "OTHER" and selecting posixGroup.  That
> >seemed to have worked, is that how this is to be done?
> >  
> >
> Yes.
> 
> > Because under company name aci, it shows up with gid
> >number, NOT the group name which is kind of ugly.
> >  
> >
> Right.  A console "group" is a groupOfUniqueNames.  A posixGroup is a 
> unix /etc/groups replacement group.

One cool thing I've noticed while working on research for Red Hat's
RH423 class: it turns out that Red Hat Directory Server allows you 
to assign an entry both the groupOfUniqueNames and posixGroup object 
classes at the same time! 

Strictly speaking this is a schema violation, since they are 
unrelated structural classes, but Directory Server does not enforce 
the rule that there can only be one structural class chain on an 
entry.  Now, the interesting thing is that it's been proposed
(in the expired Internet-Draft draft-howard-rfc2307bis-00.txt) 
that posixGroup be changed to an auxiliary class so that it and 
groupOfUniqueNames can be used together to make this legal.  It
was further proposed that group members can be stored not just as
login names (in memberUid attributes from posixGroup), but ALSO
as DNs of posixAccount entries (in uniqueMember attributes from 
groupOfUniqueNames).

It turns out that the author of the proposal is the developer of 
the nss_ldap package used by Red Hat Enterprise Linux, so nss_ldap 
already supports this.  This means that if there is a directory
entry uid=testuser,ou=people,dc=example,dc=com that's a valid 
posixAccount user, you can define a static group entry with LDIF
like the following:

  dn: cn=unixgroup,ou=groups,dc=example,dc=com
  objectclass: top
  objectclass: groupOfUniqueNames
  objectclass: posixGroup
  cn: unixgroup
  gidNumber: 1701
  uniqueMember: uid=testuser,ou=people,dc=example,dc=com

use system-config-authentication to set up a RHEL client to use 
nss_ldap to look up user information from the directory, and get this:

  [root@example ~]# getent group unixgroup
  unixgroup:x:1701:testuser

  -- Steve Bonneville
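
The group resolution described in the message above, as an added example that is not part of the original post and is not nss_ldap's code: a simplified offline model that turns memberUid values and uniqueMember DNs into a getent-style line and reports uniqueMember DNs that do not resolve to a posixAccount. The LDIF is constructed sample data; the legacyuser and ghost members, the uidNumber, and the function names are assumptions for illustration.

```python
# Constructed sample data: the group entry from the post, plus assumed extras
# (a memberUid value and a uniqueMember DN that has no matching entry).
SAMPLE_LDIF = """\
dn: uid=testuser,ou=people,dc=example,dc=com
objectclass: posixAccount
uid: testuser
uidNumber: 5001

dn: cn=unixgroup,ou=groups,dc=example,dc=com
objectclass: top
objectclass: groupOfUniqueNames
objectclass: posixGroup
cn: unixgroup
gidNumber: 1701
memberUid: legacyuser
uniqueMember: uid=testuser,ou=people,dc=example,dc=com
uniqueMember: uid=ghost,ou=people,dc=example,dc=com
"""

def parse_ldif(text):
    """Parse simple LDIF (no base64, no folded lines) into {dn: {attr: [values]}}."""
    entries = {}
    for block in text.strip().split("\n\n"):
        attrs = {}
        for line in block.splitlines():
            if not line or line.startswith("#"):
                continue
            name, _, value = line.partition(":")
            attrs.setdefault(name.strip().lower(), []).append(value.strip())
        # Lowercasing is a simplification of real DN normalization.
        entries[attrs["dn"][0].lower()] = attrs
    return entries

def resolve_group(entries, group_dn):
    """Return (getent-style line, list of uniqueMember DNs that did not resolve)."""
    group = entries[group_dn.lower()]
    members = list(group.get("memberuid", []))   # login names stored directly
    dangling = []
    for dn in group.get("uniquemember", []):     # DNs that must map to a login name
        target = entries.get(dn.lower())
        classes = [c.lower() for c in target.get("objectclass", [])] if target else []
        if "posixaccount" in classes and target.get("uid"):
            if target["uid"][0] not in members:
                members.append(target["uid"][0])
        else:
            dangling.append(dn)                  # missing entry or not a posixAccount
    line = "%s:x:%s:%s" % (group["cn"][0], group["gidnumber"][0], ",".join(members))
    return line, dangling
```

Run against an export of the groups and people subtrees, a non-empty dangling list points at group members the directory console shows but that will not appear in the client's group lookup.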



