fedora-directory-users-request at redhat.com wrote: > Date: Tue, 10 Jan 2006 22:32:53 +0200 > From: Mike Jackson <mj at sci.fi> > Subject: Re: posixGroup location best > practices > > Susan wrote: > >> Hi. Quick question, where in the tree do I stick posixGroups? >> >> For now, I'll be authenticating linux machines only, so every uid=gid. Should I create a OU >> called Groups or something and put all the groups in there? Or have a uid under gid or what? How >> do you guys do it? >> > > Sure, just create some OU entry and put the group entries under that. > That's the usual way. The reason for grouping them together is in case > you want to restrict your search base, for efficiency and performance - > not that it matters much in small setups. > For people migrating from traditional passwd and group databases it does make sense to keep them colocated in the directory as well. And because users and groups represent two different namespaces in Unix, it is essential to keep them separate in the directory (ou=users and ou=groups). (Contrast this with Microsoft, where users and groups all reside in the same namespace. Very annoying.) > Date: Tue, 10 Jan 2006 21:58:07 +0100 > From: Jo De Troy <jo.de.troy at gmail.com> > Subject: Re: password history question > > Susan, > > I thought I needed the cacert line in /etc/openldap/ldap.conf to point the > ldap client to the CA cert we trust, otherwise we might not trust the > server certificate being signed by the CA. > > Thanks again, > Jo > That's correct, you always need the CA cert on all of the servers and clients. (Unless you're using anonymous cipher suites, in which case you don't need any certs at all. But that's pretty reckless.) -- -- Howard Chu Chief Architect, Symas Corp. http://www.symas.com Director, Highland Sun http://highlandsun.com/hyc OpenLDAP Core Team http://www.openldap.org/project/
