posixgroup name lookups

Hello, all.  We're trying to move all our user access control to DS
including file system rights management and thus group management.
We've hit a few problems and would like to share how we've gotten around
them both for documentation and so someone with more experience can tell
us if we are going about this the wrong way.

The first problem we hit was the various hosts could not resolve the
gidnumber to a name:
-sh-3.2$ id -gn
id: cannot find name for group ID 2000
2000

We noticed in the access query that the hosts were looking for
posixgroups:
SRCH base="dc=ssiservices,dc=biz" scope=2
filter="(&(objectClass=posixGroup)(gidNumber=2000))" attrs="cn
userPassword memberUid uniqueMember gidNumber"

The problem comes with users' initial groups which are typically named
after the uid.  Since we had not created these explicitly as DS groups
but rather simply assigned the gidnumber in the posixaccount's gidnumber
attribute, there was no posixgroup to seek.

I suppose the ideal way to address this is to change the query to look
for a posixgroup or a posixaccount.  I do not see how one does this.
Instead, we added posixgroup as an objectclass to the users.  Is this a
reasonable way to go about this?

Then we hit our next problem.  The user's initial group is usually the
same as their uid, e.g., user bsmith belongs to group bsmith. However,
the query is looking for cn rather than uid.  I suppose this is because
a posixgroup, as opposed to a user, does not have a uid but does have a
cn.  This turned up as a problem where we wanted to control the umask in
bashrc which uses logic such as:

    if [ $UID -gt 99 ] && [ "`id -gn`" = "`id -un`" ]; then
        umask 002

id -un would return bsmith but id -gn would return something like Brian
Smith.

Thus, we will need to make it a user creation procedure to override the
cn to be the same as the uid rather than FirstName LastName.  Is this
the correct approach? Thanks - John
-- 
John A. Sullivan III
Open Source Development Corporation
+1 207-985-7880
jsullivan at opensourcedevel.com

http://www.spiritualoutreach.com
Making Christianity intelligible to secular society
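
An added example, not part of the original message: a Python sketch that audits an LDIF export for the two conditions described above, a posixAccount whose gidNumber has no posixGroup entry, and one whose group cn differs from the uid (so the `id -gn` = `id -un` test in bashrc fails). The sample entries and the dc=example,dc=com suffix are constructed, and the parser assumes unfolded, non-base64 LDIF.

```python
# Constructed sample data: three accounts in the three states the message describes.
SAMPLE_LDIF = """\
dn: uid=bsmith,ou=People,dc=example,dc=com
objectClass: posixAccount
objectClass: posixGroup
uid: bsmith
cn: Brian Smith
gidNumber: 2000

dn: uid=jdoe,ou=People,dc=example,dc=com
objectClass: posixAccount
uid: jdoe
gidNumber: 2001

dn: uid=akhan,ou=People,dc=example,dc=com
objectClass: posixAccount
objectClass: posixGroup
uid: akhan
cn: akhan
gidNumber: 2002
"""

def parse_ldif(text):
    """Parse simple LDIF into a list of {attribute: [values]} dicts."""
    entries = []
    for block in text.strip().split("\n\n"):
        entry = {}
        for line in block.splitlines():
            attr, _, value = line.partition(": ")
            entry.setdefault(attr.lower(), []).append(value)
        entries.append(entry)
    return entries

def audit_primary_groups(entries):
    """Return {uid: finding} for accounts whose primary group will not resolve to the uid."""
    is_a = lambda e, oc: oc in (v.lower() for v in e.get("objectclass", []))
    groups = {}  # gidNumber -> cn values of every posixGroup carrying it
    for e in entries:
        if is_a(e, "posixgroup"):
            groups.setdefault(e["gidnumber"][0], []).extend(e.get("cn", []))
    findings = {}
    for e in (x for x in entries if is_a(x, "posixaccount")):
        uid, gid = e["uid"][0], e["gidnumber"][0]
        if gid not in groups:  # same state as "cannot find name for group ID"
            findings[uid] = "no posixGroup for gidNumber " + gid
        elif uid not in groups[gid]:  # id -gn would not equal id -un
            findings[uid] = "group cn %r differs from uid" % groups[gid]
    return findings
```

Calling `audit_primary_groups(parse_ldif(SAMPLE_LDIF))` reports jdoe and bsmith and leaves akhan out, since only akhan has a posixGroup whose cn equals the uid.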



