On Thu, 2008-11-20 at 09:01 -0800, George Holbert wrote:
> Jonathan Barber wrote:
> > On Wed, Nov 19, 2008 at 03:32:28PM -0500, John A. Sullivan III wrote:
> >> On Wed, 2008-11-19 at 12:21 -0800, George Holbert wrote:
> >>> John A. Sullivan III wrote:
> >>>>> John A. Sullivan III wrote:
> >
> > [snip]
> >
> >> <snip>
> >> Thanks for the very thoughtful answer. I'm not only new to LDAP but
> >> also to Linux-based file servers. I've been in a management role for
> >> the last decade and before then was doing NDS and NetWare for
> >> directory/file.
> >>
> >> We were planning to use a umask of 007 for standard users and set the
> >> sgid bit for shared folders. That's where we thought it would be
> >> helpful to have a group associated with each user. In fact, it finally
> >> made the default setup of creating a group for each user make sense, as I
> >> always wondered why that was done. I suppose we'll also need to
> >> activate file system ACLs for more complex setups, as when multiple
> >> groups need varying access to a shared file system directory.
> >
> > This arrangement is known (at least by Redhat) as User Private Groups
> > (UPG):
> > http://www.redhat.com/docs/manuals/linux/RHL-7.3-Manual/ref-guide/s1-users-groups-private-groups.html
> >
> > The primary reason for doing it is that group access to files is managed
> > via secondary group membership, not primary group membership.
> >
> > If each of your users has their own group, then adding a posixGroup
> > objectclass to each user makes perfect sense. You may also want to place
> > a uniqueness constraint on the gidNumber attribute as well:
> > http://www.centos.org/docs/5/html/CDS/ag/8.0/Administering_DSPPR-Server_Plug_in_Functionality_Reference.html#Server_Plug_in_Functionality_Reference-UID_Uniqueness_Plug_in
> >
> > WRT Linux, the only gotcha I can think of is that you'll have to set
> > the nss_ldap nss_base_group option in /etc/ldap.conf to an entry that's
> > the common parent to both your users and groups - otherwise it'll never
> > find the UPGs.
>
> Another way would be to omit the addition of the posixGroup on your
> account objects, and just modify the filter on nss_base_group to include
> posixAccounts.
> e.g.:
> nss_base_group dc=example,dc=com?sub?(|(objectClass=posixGroup)(objectClass=posixAccount))
>
> posixAccount already includes the gidNumber and cn attributes, which is
> all you're really after here... unless you want to start adding
> memberUid attributes to your account objects (which doesn't make any
> obvious sense).
>
> You will almost certainly have to modify your nss_base_group setting in
> either case, as Jonathan suggested.
<snip>

That's what I had first attempted to do but I do not see where to set
that filter. I didn't see anything in ldap.conf or nsswitch.conf. Where
is it set? Thanks - John

--
John A. Sullivan III
Open Source Development Corporation
+1 207-985-7880
jsullivan at opensourcedevel.com

http://www.spiritualoutreach.com
Making Christianity intelligible to secular society
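To make the nss_base_group discussion above concrete, here is an added example (not code from the thread or from nss_ldap) that simulates how a "base?scope?filter" search descriptor selects group entries. It runs offline against a constructed three-entry directory and shows the gotcha Jonathan describes: a base limited to the groups OU never sees a User Private Group stored on the account object, a common-parent base finds it only if the account also carries posixGroup, and George's widened filter finds it from posixAccount alone. The DNs, uid/gid numbers and the defaulting of an omitted scope field to sub are assumptions for the example; the optional map_filter parameter models the possibility that nss_ldap ANDs its own built-in objectClass filter onto the descriptor filter, which is worth verifying against the installed nss_ldap before relying on the (|...) form.

```python
"""Simulate nss_ldap's nss_base_group search descriptor selection.

Added example, not from the thread or from nss_ldap. All DNs and entries
below are constructed sample data.
"""

# Constructed directory: one real group under ou=Groups, two users under
# ou=People. alice carries posixGroup on her account (Jonathan's option);
# bob relies only on the cn/gidNumber that posixAccount already provides
# (George's option).
DIRECTORY = {
    "cn=staff,ou=Groups,dc=example,dc=com": {
        "objectClass": {"top", "posixGroup"},
        "cn": {"staff"}, "gidNumber": {"5000"},
    },
    "uid=alice,ou=People,dc=example,dc=com": {
        "objectClass": {"top", "posixAccount", "posixGroup"},
        "cn": {"alice"}, "uid": {"alice"},
        "uidNumber": {"10001"}, "gidNumber": {"10001"},
    },
    "uid=bob,ou=People,dc=example,dc=com": {
        "objectClass": {"top", "posixAccount"},
        "cn": {"bob"}, "uid": {"bob"},
        "uidNumber": {"10002"}, "gidNumber": {"10002"},
    },
}


def parse_nss_base(value):
    """Split 'base?scope?filter' into its parts.

    Assumption: an omitted scope field falls back to 'sub', and an
    omitted filter field means 'match everything'.
    """
    parts = value.split("?")
    base = parts[0]
    scope = parts[1] if len(parts) > 1 and parts[1] else "sub"
    flt = parts[2] if len(parts) > 2 else ""
    return base, scope, flt


def _parse_filter(s, i):
    """Recursive-descent parser for the filter subset seen in ldap.conf:
    (attr=value), (&...), (|...), (!...). Returns (node, next_index)."""
    if s[i] != "(":
        raise ValueError("expected '(' at %d in %r" % (i, s))
    i += 1
    if s[i] in "&|!":
        op = s[i]
        i += 1
        kids = []
        while s[i] == "(":
            node, i = _parse_filter(s, i)
            kids.append(node)
        if s[i] != ")":
            raise ValueError("expected ')' at %d in %r" % (i, s))
        return (op, kids), i + 1
    j = s.index(")", i)
    attr, _, val = s[i:j].partition("=")
    return ("=", attr, val), j + 1


def parse_filter(s):
    """Parse a whole filter string; an empty string matches everything."""
    if not s:
        return None
    node, i = _parse_filter(s, 0)
    if i != len(s):
        raise ValueError("trailing characters in filter: %r" % s[i:])
    return node


def matches(node, entry):
    """Evaluate a parsed filter against one entry (attribute names and
    values compared case-insensitively, as LDAP does for objectClass)."""
    if node is None:
        return True
    if node[0] == "=":
        _, attr, val = node
        values = {v.lower() for k, vs in entry.items()
                  if k.lower() == attr.lower() for v in vs}
        return val.lower() in values
    op, kids = node
    if op == "&":
        return all(matches(k, entry) for k in kids)
    if op == "|":
        return any(matches(k, entry) for k in kids)
    return not matches(kids[0], entry)


def in_scope(dn, base, scope):
    """True if dn lies within base for the given scope (base/one/sub).
    Splits on ',' only, which is enough for these unescaped sample DNs."""
    d = [c.strip().lower() for c in dn.split(",")]
    b = [c.strip().lower() for c in base.split(",")]
    if d[-len(b):] != b:
        return False  # not under the base at all
    depth = len(d) - len(b)
    return {"base": depth == 0, "one": depth == 1, "sub": True}[scope]


def group_lookup(nss_base_group, directory=DIRECTORY, map_filter=None):
    """Return the sorted cn values nss_ldap would treat as groups.

    map_filter, if given, is ANDed onto the descriptor filter to model an
    nss_ldap build that applies its own objectClass filter as well.
    """
    base, scope, flt = parse_nss_base(nss_base_group)
    if map_filter:
        flt = "(&%s%s)" % (flt, map_filter) if flt else map_filter
    node = parse_filter(flt)
    return sorted(next(iter(e["cn"])) for dn, e in directory.items()
                  if in_scope(dn, base, scope) and matches(node, e))


if __name__ == "__main__":
    # Groups OU only: the UPGs on the account objects are never found.
    print(group_lookup("ou=Groups,dc=example,dc=com?one?(objectClass=posixGroup)"))
    # Common parent as base: finds alice (has posixGroup) but not bob.
    print(group_lookup("dc=example,dc=com?sub?(objectClass=posixGroup)"))
    # George's widened filter: bob's gidNumber/cn are found from posixAccount.
    print(group_lookup("dc=example,dc=com?sub?"
                       "(|(objectClass=posixGroup)(objectClass=posixAccount))"))
```

Run as a script it prints the three result lists in order; the third call is the one to compare against a real lookup (getent group on a client) once the setting is in place, since that is where an implicitly ANDed objectClass filter would silently drop bob.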