Jonathan Barber wrote: > On Wed, Nov 19, 2008 at 03:32:28PM -0500, John A. Sullivan III wrote: > >> On Wed, 2008-11-19 at 12:21 -0800, George Holbert wrote: >> >>> John A. Sullivan III wrote: >>> >>>>> John A. Sullivan III wrote: >>>>> > > [snip] > > >> <snip> >> Thanks for the very thoughtful answer. I'm not only new to LDAP but >> also to Linux based file servers. I've been in a management role for >> the last decade and before then was doing NDS and NetWare for >> directory/file. >> >> We were planning to use a umask of 007 for standard users and set the >> sgid bit for shared folders. That's where we thought it would be >> helpful to have a group associated with each user. In fact, it finally >> made the default setup of creating a group for each user make sense as I >> always wondered why that was done. I suppose we'll also need to >> activate file system acls for more complex setups as when multiple >> groups need varying access to a shared file system directory. >> > > This arrangement is known (at least by Redhat) as User Private Groups > (UPG): > http://www.redhat.com/docs/manuals/linux/RHL-7.3-Manual/ref-guide/s1-users-groups-private-groups.html > > The primary reason for doing it is that group access to files is managed > via secondary group membership, not primary group membership > > If each of your users has their own group, then adding a posixGroup > objectclass to each user makes perfect sense. You may also want to place > an uniqueness constraint on the gidNumber attribute as well: > http://www.centos.org/docs/5/html/CDS/ag/8.0/Administering_DSPPR-Server_Plug_in_Functionality_Reference.html#Server_Plug_in_Functionality_Reference-UID_Uniqueness_Plug_in > > WRT to linux, the only gotcha I can think of is that you'll have to set > the nss_ldap nss_base_group option in /etc/ldap.conf to an entry that's > the common parent to both your users and groups - otherwise it'll never > find the UPG's. > > Another way would be to omit the addition of the posixGroup on your account objects, and just modify the filter on nss_base_group to include posixAccounts. e.g.: nss_base_group dc=example,dc=com?sub?(|(objectClass=posixGroup)(objectClass=posixAccount)) posixAccount already includes the gidNumber and cn attributes, which is all you're really after here... unless you want to start adding memberUid attributes to your account objects (which doesn't make any obvious sense). You will almost certainly have to modify your nss_base_group setting in either case, as Jonathan suggested. >> If that's a silly approach, kindly let me know and point me to some good >> documentation on the subject. Thanks - John >> -- >> John A. Sullivan III >> Open Source Development Corporation >> +1 207-985-7880 >> jsullivan at opensourcedevel.com >> >> http://www.spiritualoutreach.com >> Making Christianity intelligible to secular society >> >> -- >> Fedora-directory-users mailing list >> Fedora-directory-users at redhat.com >> https://www.redhat.com/mailman/listinfo/fedora-directory-users >> > >
